Chase Discovered in February a Data Breach Dating to 2021, Alleges Class Action
J.P. Morgan Chase failed to properly secure the personally identifiable information (PII) of its clients’ employees in a data breach that occurred in 2021 but wasn’t discovered until February of this year, alleged a class action Friday (docket 1:24-cv-03438) in U.S. District Court for Southern New York.
The breach occurred Aug. 26, 2021, and was discovered Feb. 26, said a data breach notification on the Maine Attorney General’s website. Some 452,000 individuals were affected, said the site.
Benjamin Valentine, a resident of Massapequa Park, New York, received a notice dated April 18 informing him and other breach victims that Chase learned of a “software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see, including yours." The three users were employed by Chase customers or their agents, it said, and ran a “limited number of reports between Aug. 26, 2021 and Feb. 23, 2024,” with information including name, address, Social Security number, payment and deduction amounts, plus bank routing and account numbers for people who had set up direct deposits, the complaint said.
The notice letter didn’t include the root cause of the data breach, the vulnerabilities exploited or “the remedial measures undertaken to ensure such a breach does not occur again,” the complaint said. Those details still haven’t been explained or clarified to Valentine or class members, it said. Chase failed to specify whether it undertook efforts to contact class members whose data was accessed and acquired in the breach, whether any of them suffered misuse of their data, whether Chase was interested in hearing about any misuse of data, or whether it had set up a means of reporting misuse, the complaint said.
The financial services company didn’t use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining for Valentine and class members, such as encrypting or deleting it when it was no longer needed, said the complaint. As a result, Valentine and class members face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” the complaint said. The class will continue to incur such damages “in addition to any fraudulent use of their PII,” it said.
Chase’s notice letter had two full pages of additional steps class members could take to help protect themselves, such as placing fraud alerts and security freezes on their accounts “and contacting government agencies,” said the complaint. The defendant offered two years of Experian IdentityWorks identity theft protection service.
As a result of the data breach, Valentine suffered invasion of privacy; theft of his PII; loss or diminished value of his PII; lost time and opportunity costs associated with trying to mitigate consequences; lost opportunity costs; statutory and nominal damages; and continued and increased risk to his PII. His PII remains “unencrypted and available for unauthorized third parties to access and abuse,” backed up in Chase’s possession, and “subject to further unauthorized disclosures” as long as the defendant fails to take measures to protect it, alleged the complaint.
Valentine asserts claims of negligence, breach of third-party beneficiary contract, unjust enrichment, and violation of the New York Deceptive Trade Practices Act. He requests orders requiring Chase to protect his and class members’ interests; to maintain a comprehensive information security program; and to create firewalls and controls. He seeks actual, nominal, consequential and punitive damages; attorneys’ fees and costs; plus prejudgment interest.