Communications Litigation Today was a Warren News publication.
Unions 'Particularly Vulnerable'

Unite Here Member Sues for Negligence After October Data Breach Compromises PII

Nearly 800,000 class members suffered theft of their personally identifiable information (PII) and invasion of privacy in a data breach at New York-based labor union Unite Here, alleged a class action Wednesday (docket 1:24-cv-01904) in U.S. District Court for Southern New York in Manhattan.

The Oct. 20 data breach was a direct result of Unite Here’s “failure to implement adequate and reasonable cyber-security procedures and protocols” necessary to protect its members’ PII “from a foreseeable and preventable cyberattack,” the complaint said. Unite began notifying victims about the breach on Feb. 23, the complaint said; compromised information included names and Social Security numbers.

Class members and plaintiff Tamiko Conway, of Detroit, experienced an increase in spam calls, texts or emails since the October data breach, the complaint said. Conway had fraudulent charges of $242 to her Chime credit card in October and another $100 to the account in February, it said.

The plaintiff and class members, current and former Unite members, were required to provide PII to the union as part of being members, the complaint said. Information held by Unite at the time of the breach included their unencrypted PII, it said.

Unite made representations to Conway and class members that their PII would be “kept safe, confidential, that the privacy of that information would be maintained,” and that Unite “would delete any sensitive information after it was no longer required to maintain it,” the complaint said. Its website says it has security measures in place “to protect the loss, misuse and alteration of the information under our control” and that it uses Secure Socket Layer encryption to protect information users submit on online forms.

Cybersecurity experts “routinely identify labor unions in possession of PII as being particularly vulnerable to cyberattacks because of the value of the PII which they collect and maintain,” said the complaint. Unite failed to follow certain industry best practices in dealing with sensitive PII, such as installing malware detection software; monitoring and limiting network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches, and routers; monitoring and protecting physical security systems; and training staff, said the complaint.

As a result of the breach, Conway has suffered invasion of privacy; theft or diminished value of her PII; lost time and opportunity costs associated with trying to mitigate effects of the breach; loss of benefit of the bargain; statutory and nominal damages; and continued risk to her PII, which remains unencrypted and available for unauthorized third parties to access and abuse, said the complaint.

Conway asserts claims of negligence, breach of implied contract and confidence, unjust enrichment and violation of the New York Deceptive Trade Practices Act. She seeks orders enjoining Unite from engaging in the wrongful conduct described; requiring it to encrypt data collected and to delete and destroy the PII of plaintiff and class members; and requiring it to implement a comprehensive information security program. She seeks awards of actual, compensatory, statutory, nominal and punitive damages; pre- and post-judgment interest and attorneys’ fees and costs.