Kathryn M. Rattigan of Robinson & Cole writes:
Artech Information Systems settled a data breach class action this week for an incident that occurred in January 2020. Artech will pay up to $10,000 to each individual affected by the breach, based on a tiered payment system.
Artech, a staffing company specializing in placement for IT staff and project services, was the victim of a ransomware attack in January 2020 that resulted in unauthorized access to confidential information concerning about 30,000 current and former employees. During the attack, the hackers opened and downloaded thousands of employee files that contained employees’ names, addresses, telephone numbers, Social Security numbers, and dates of birth. The unauthorized access occurred over a three-day period, but upon discovery, Artech was able to mitigate the attack within six hours. However, Artech did not notify its employees of the incident until several months after resolving the breach.
The class alleged that Artech failed to protect their personal information through reasonable cyber security measures and failed to make prompt notification to its employees. The class further alleged that Artech’s failures increased their risk for identity theft and fraud.
Read more at The National Law Review.
For additional background on this incident, which was a REvil incident that got posted on their leak site, see earlier coverage on this site. When all is said and done, there was nothing particularly unusual about the breach or the incident response — including the lack of timely notification, although double extortion ransomware attacks that involved leaking data on the dark web were still fairly new at that point. So will this settlement encourage more lawsuits of this kind?
And could the lawsuit have been avoided had the entity notified its employees sooner and offered them two years of mitigation services?