Communications Litigation Today was a Warren News publication.
‘Concrete Injury in Fact’

Data Breach Exposed PII of 5,000 Current, Former Advantis Employees: Class Action

The sensitive personal information that Kristianne Scott and her class members entrusted to defendant Advantis Global, an IT staffing agency, was compromised and unlawfully accessed in a recent cyberattack and data breach that exposed the records of current and former employees, Scott’s class action alleged Friday (docket 3:24-cv-00795) in U.S. District Court for Northern California in San Francisco.

Scott's and putative class members' personally identifiable information (PII) included names and social security numbers and “was targeted and exfiltrated by cybercriminals and remains in the hands of those cybercriminals,” said the complaint. The Grand Rapids, Michigan, resident and her roughly 5,000 class members suffered “concrete injury in fact,” including invasion of privacy, theft of their PII and “lost time and opportunity costs associated with attempting to mitigate the actual consequences” of the data breach, it said.

The PII “remains unencrypted and available for unauthorized third parties to access and abuse,” said the complaint. It remains “backed up” in Advantis’ possession “and is subject to further unauthorized disclosures” so long as Advantis “fails to undertake appropriate and adequate measures to protect the PII,” it said.

The data breach was a direct result of Advantis’ “failure to implement” adequate and reasonable cybersecurity procedures and protocols” necessary to protect its victims from a “foreseeable and preventable” cyberattack, said the complaint. Advantis maintained the PII “in a reckless manner,” it said. The PII was maintained on Advantis’ computer network “in a condition vulnerable to cyberattacks,” it said.

The “mechanism” of the cyberattack and potential for improper disclosure of PII “was a known risk" to the company, and thus, it was “on notice that failing to take steps necessary to secure the PII from those risks left that property in a dangerous condition,” said the complaint.

Advantis “disregarded the rights” of Scott and the class members by “intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” said the complaint. It also failed to disclose that it lacked “adequately robust” computer systems and security practices to safeguard the PII, it said. It also failed to provide Scott and the class members “prompt and accurate notice” of the data breach, it said.

Armed with the PII accessed in the data breach, thieves “have already engaged in identity theft and fraud,” and in the future can “commit a variety of crimes,” said the complaint. As a result of the data breach, Scott “anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms” caused by the incident, it said.