A potential class action lawsuit filed in federal court in Florida made me aware of a data breach that I don’t recall seeing in the media.
Patrick A. Burrows has filed the lawsuit against Purchasing Power, LLC and Winn-Dixie.
According to the complaint, Winn-Dixie shares employee data with Purchasing Power, LLC to administer an employee benefits program. In October 2011, the latter became aware that an employee had stolen employees’ personal information, including names, dates of birth, Social Security numbers, and salary information. Some of the employees whose data were stolen had reportedly had their data sent to Purchasing Power regardless of whether they were enrolled in the program or not. Winn-Dixie allegedly did not inform employees of the breach until January 27, 2012, with no explanation offered as to the delay in notification.
Burrows, a former employee, claims that negligent security and failure to notify timely resulted in the fraudulent filing of a tax return in his name and he suffered harm because he could not obtain his legitimate tax refund.
The complaint alleges negligence, violation of the Stored Communications Act (SCA), violations of Florida’s unfair and deceptive trade practices law, and invasion of privacy.
Winn-Dixie did not respond to a request made yesterday for a response to the lawsuit.
Apparently I’m not the only one to elevate an eyebrow over the SCA claim. Cynthia Larose and Kevin McGinty of Mintz Levin comment:
The complaint in Burrows has some evident flaws. The Stored Communications Act only applies to conduct by entities such as Internet service providers that are engaged in the “provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2). Neither the defendants nor the conduct alleged facially meet this requirement.
Read their full commentary on JD Supra.