DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate

Posted on December 23, 2021 by Dissent

Jean E. Tomasco of Robinson & Cole writes about a breach involving an accounting firm that is a business associate to a number of covered entities. This month, the firm, Bansley & Kierner, issued a notice and started notifying individuals and HHS. But the time frame for discovery and notification has resulted in a potential class action lawsuit.

On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.

In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate.

But even then, notifications were not immediately forthcoming, with the firm making required notifications in November and this month, almost a year after the incident.

Read more at National Law Review.

As Bansley & Kierner explained it in their recent notice:

On December 10, 2020, B&K identified a data security incident that resulted in the encryption of certain systems within our environment. B&K addressed the incident, made upgrades to certain aspects of our computer security, restored the impacted systems from recent backups, and resumed normal operation.  We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment. On May 24, 2021, we were made aware that certain information had been exfiltrated from our environment by an unauthorized person. We immediately launched an investigation, and a cyber security firm was engaged to assist.

The complaint is, of course, unproven allegations, and the accounting firm is certainly not the only firm to not make timely notifications following a ransomware attack or other attack. And they are certainly not the only firm to discover that PII or PHI was exfiltrated after they had thought it hadn’t been.  Who made the initial determination that no PII or PHI was accessed? Someone in-house or forensic experts?  And should they have notified state attorneys general promptly in August when investigation revealed personal information was involved, even if they were unable at that point to indicate who was impacted and how?

There’s nothing particularly unusual about this incident, but it does raise questions. Of course, those questions may never be litigated if the plaintiffs do not survive a likely motion to dismiss for lack of standing. Has anyone experienced actual concrete injury from this breach? There is a lot we do not yet know.

Related posts:

  • Updates on three class action lawsuits involving patient data
Category: Commentaries and AnalysesHealth DataHIPAAMalwareU.S.

Post navigation

← N.J. volunteer EMS agency says patient data was breached
Pain and Suffering for a Data Breach? German Court Issues First Decision of Its Kind in Europe. →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.