If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate
Jean E. Tomasco of Robinson & Cole writes about a breach involving an accounting firm that is a business associate to a number of covered entities. This month, the firm, Bansley & Kierner, issued a notice and started notifying individuals and HHS. But the time frame for discovery and notification has resulted in a potential class action lawsuit.
On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.
In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate.
But even then, notifications were not immediately forthcoming, with the firm making required notifications in November and this month, almost a year after the incident.
Read more at National Law Review.
As Bansley & Kierner explained it in their recent notice:
On December 10, 2020, B&K identified a data security incident that resulted in the encryption of certain systems within our environment. B&K addressed the incident, made upgrades to certain aspects of our computer security, restored the impacted systems from recent backups, and resumed normal operation. We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment. On May 24, 2021, we were made aware that certain information had been exfiltrated from our environment by an unauthorized person. We immediately launched an investigation, and a cyber security firm was engaged to assist.
The complaint is, of course, unproven allegations, and the accounting firm is certainly not the only firm to not make timely notifications following a ransomware attack or other attack. And they are certainly not the only firm to discover that PII or PHI was exfiltrated after they had thought it hadn’t been. Who made the initial determination that no PII or PHI was accessed? Someone in-house or forensic experts? And should they have notified state attorneys general promptly in August when investigation revealed personal information was involved, even if they were unable at that point to indicate who was impacted and how?
There’s nothing particularly unusual about this incident, but it does raise questions. Of course, those questions may never be litigated if the plaintiffs do not survive a likely motion to dismiss for lack of standing. Has anyone experienced actual concrete injury from this breach? There is a lot we do not yet know.