Communications Litigation Today was a Warren News publication.
‘Safeguards’ Lacking

BofA, NCB Allegedly Waited 2 Months Before Notifying Data Breach Victims

NCB Management Services, which buys credit-card debt from Bank of America and other financial institutions, sent notices to nearly 500,000 individuals March 24, informing them that their personally identifiable information (PII) was exposed to bad actors in a data breach it said it first learned about Feb. 1, alleged plaintiff Kylie Meyer’s class action Thursday (docket 2:23-cv-01340) in U.S. District Court for Eastern Pennsylvania in Philadelphia.

The lawsuit alleges BofA “negligently sold and transferred” Meyer’s and class members’ past-due accounts to NCB “without ensuring that NCB had adequate security safeguards in place” to prevent and protect against the data breach “and other cybersecurity risks.” Through that transfer of data and information to NCB, BofA “facilitated” the data breach, it said. Despite learning of the data breach Feb. 1, defendants NCB and BofA “waited nearly two months before finally notifying impacted individuals” that their “highly sensitive” PII had been “compromised,” it said.

NCB and BofA “owed a duty” to Meyer, a Rhinebeck, New York, resident and the class members “to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their PII against unauthorized access and disclosure,” said the complaint. The defendants “breached that duty” by failing “to implement and maintain reasonable security procedures and practices to protect individuals’ PII from unauthorized access and disclosure,” it said. The class action “seeks to remedy these failings and their consequences,” it said.

Nine days after NCB claims to have learned about the data breach, but weeks before Meyer was informed about it, Meyer discovered a fraudulent transaction on one of her credit card accounts that she believes was traceable to the PII that was hacked, said the complaint. As a “direct and proximate result” of the defendants’ failure to safeguard her PII, Meyer had to spend considerable time disputing the fraudulent transaction, it said.

Both defendants “advertise and market their services to consumers as being secure and safe,” said the complaint. Yet both actually “lacked adequate practices, policies, procedures, security, and other safeguards” to be sure the PII “was protected from cybersecurity threats,” it said. The defendants knew, or should have known, that its customers’ PII “was a target for malicious actors,” it said.

Theft of PII “has grave and lasting consequences for victims,” and it’s a “serious” crime, said the complaint. “The FTC warns consumers that identity thieves use PII to exhaust financial accounts, start new utility accounts, and incur charges and credit in a person’s name,” it said. Theft of social security numbers “creates a particularly alarming situation for victims because those numbers cannot easily be replaced,” it said. Theft of SSNs in combination with other PII “is akin to having a master key to the gates of fraudulent activity,” it said.

The lawsuit seeks recovery of actual and statutory damages, plus punitive and monetary damages “to the maximum extent allowable.” BofA and NCB didn’t comment.