Communications Litigation Today was a Warren News publication.
'Concrete Injury'

LoanDepot Breach Victims 'No Longer Have Control' of Their Personal Data: Suit

April 4, 2024 by Rebecca Day|Top News

LoanDepot’s “lack of oversight” of its security controls and implementation of enhanced security measures "only after” a January data breach are “inexcusable,” said a class action Tuesday (docket 4:24-cv-00239) in U.S. District Court for Western Missouri in Kansas City.

Christopher Hunter, a Kansas City resident, received a breach notice from the mortgage lender dated Feb. 23, saying an unauthorized third party accessed its systems Jan. 4-Jan. 6 and his personally identifiable information (PII) may have been accessed, said the complaint. Compromised information may have affected Hunter’s name; address; email address; financial account, Social Security and phone numbers; and date of birth, said the complaint.

Despite “dire warnings” about the impact of data breaches on Americans, companies “still fail to make the necessary investments to implement important and adequate security measures to protect their customers’ and employees’ data,” the complaint said. Yet, the company required them to provide PII when applying for a mortgage, “and failed to protect it,” it said. LoanDepot’s obligation to secure customers’ PII using “reasonable and appropriate” data security safeguards “was part of the bargain” between Hunter and the company, it said.

As a result of the company’s failure to secure customers’ PII, their “unencrypted PII has been exposed to unauthorized third parties,” and they “are at much higher risk of identity theft and cybercrimes of all kinds,” the complaint said.

Data breach victims’ stolen PII is “already being sold on the dark web,” constituting a concrete injury to Hunter and the class, who “no longer have control over their PII” because it's "now in the hands of third-party cybercriminals." Their “substantial and imminent risk of identity theft has been recognized by numerous courts as a concrete injury sufficient to establish standing,” said the complaint.

Hunter's and class members’ harms include reimbursement of losses associated with identity theft and fraud, out-of-pocket costs incurred to mitigate the risk of future harm, compensation for time and effort spent responding to the breach, costs of extending credit monitoring services and identity theft insurance, beyond the two years loanDepot is offering victims, it said.

Hunter brings claims of breach of implied contract, negligence, invasion of privacy by public disclosure of private facts, breach of fiduciary duty of confidentiality, negligent training and supervision, breach of covenant of good faith and fair dealing, and violations of Missouri’s Merchandising Practices Act.

Hunter seeks orders requiring loanDepot to engage third-party security auditors and internet security staff to conduct testing, including simulated attacks on its systems to “promptly correct and problems or issues detected”; to segment data by creating firewalls and access controls; to securely delete and destroy data not necessary for provision of its services; and internal training and education on how to contain and respond to a data breach, it said.

Hunter seeks actual damages, an order enjoining in the unlawful practices described, attorneys’ fees and costs, and pre- and post-judgment interest. LoanDepot declined to comment due to pending litigation, a spokesperson emailed Wednesday.