Data Breach Suit: Public Sector Software Firm Was 'Reckless' With PII
Public sector software company Tyler Technologies maintained and used the plaintiff's and class members’ personally identifiable information (PII) in a “reckless manner,” a negligence complaint filed Thursday (docket 2:24-cv-00425) in U.S. District Court for Eastern Texas in Marshall alleged.
In the course of the relationship between Tyler and the D.C. Department of Insurance, Securities and Banking (DISB), Wanda Casey of Newalla, Oklahoma, and class members provided Tyler with their PII through DISB. The information included their full names, contact information, email addresses, dates of birth, Social Security numbers and taxpayer identification numbers, the complaint said. That information was compromised in a March 23 data breach, it added.
In collecting PII from Casey and the class members, Tyler “promised to provide confidentiality and adequate security,” the complaint alleged.
Tyler began sending data breach victims notice of the incident on May 30, the complaint said. The defendant informed them that an unauthorized third party gained access to “an isolated segment of our private cloud-hosting environment” that contained “limited” data of its STAR clients. The company took the system offline and began investigating with outside experts. It determined the unauthorized third party had “limited access to a portion of our environment and used that access to view and obtain some files on March 23,” it said.
In subsequent updates on its website, Tyler confirmed the threat actor, LockBit, encrypted its system, acquired Casey’s and class members’ PII and published it on the dark web, the complaint said. The published information included data maintained on Tyler’s STAR system from the DISB, SEC, Delaware banking institutions, “and much more,” it said.
Tyler’s notice letter omitted details of the breach’s root cause, vulnerabilities exploited, the discovery date and the remedial measures undertaken to ensure a breach would not reoccur, the complaint said. The omitted facts affected Casey’s and class members’ ability to mitigate harms, the complaint said.
The defendant didn’t use “reasonable security procedures and practices appropriate to the nature of the sensitive information” it was maintaining for clients, the complaint alleged. For example, it failed to encrypt the information or delete it when it was no longer needed, it said. Tyler also failed to meet its “obligations” under the FTC Act, contract and common law and industry standards to protect the PII “from unauthorized access and disclosure,” it said.
The data breach caused Casey “fear, anxiety, and stress.” Tyler’s not fully informing Casey of key breach details compounded her fear, anxiety and stress, the complaint alleged. As a result of the breach, the plaintiff must spend “considerable time and money ... to try to mitigate and address harms caused,” it said. She is at present and future risk of identity theft and fraud “for years to come,” it added.
In addition to negligence and negligence per se, Casey asserts claims of breach of implied contract and unjust enrichment. She requests orders prohibiting the defendant from engaging in the wrongful conduct alleged and requiring it to encrypt all data collected, to delete her and class members’ PII, to provide expenses associated with the prevention and recovery from identity theft and tax fraud, and to implement a comprehensive information security program.
The plaintiff seeks awards of actual, nominal, statutory, consequential and punitive damages; attorneys’ fees and legal costs; and prejudgment interest. The company doesn't comment on pending litigation, a spokesperson emailed Friday.