Facts

Artech, LCC is a workforce solutions company committed to providing staffing services and consulting solutions in the IT staffing industry. Beginning on January 5, 2020 and lasting until January 8, 2020, unauthorized third parties gained access to Artech's information systems (the cyber security event) with the apparent intent of conducting a ransomware attack. Within 6 hours after the cyber security event was detected by Artech IT personnel, all Artech information systems were shut down, and critical systems were rebuilt from uncorrupted backup data. When Artech shut down their system, unauthorized third parties were no longer able to access the system. The systems that were affected by the cyber security event included files with personal information belonging to former Artech employees. Forensic analysis revealed that the files were not opened or accessed. However, the files were still accessible to the unauthorized third parties during the cyber security event. Brigid Poling and Dwight Jenkins subsequently brought a class action against Artech.

PLAINTIFFS' CONTENTONS: Plaintiffs brought the following claims: negligence; invasion of privacy; unjust enrichment; breach of fiduciary duty; breach of confidence; breach of implied contract; breach of the implied covenant of good faith and fair dealing; violations of California's Unfair Competition Law; violations of California's Consumer Privacy Act; and a request for injunctive and declaratory relief to secure plaintiffs' data and fix defendant's data security vulnerabilities. Plaintiffs contended that as a direct and proximate result of the cyber security event, plaintiffs were placed in an imminent, immediate, substantial, and continuing increased risk of harm from fraud and identity theft. Plaintiffs asserted that defendant knew or should have known that it had inadequate computer systems and data security practices to safeguard plaintiffs' personal information, and that defendant knew or should have known that hackers were attempting to access computer systems, such as defendant's. Plaintiffs contended that defendant had a duty to provide fair and adequate computer systems and data security practices to safeguard plaintiffs' personal information and breached that duty by failing to provide such systems to plaintiffs. Plaintiffs argued that the cyber security event constitutes an intentional interference with plaintiffs' interest in privacy. Plaintiffs asserted that plaintiffs have a legitimate and reasonable expectation of privacy with respect to their personal files and were accordingly entitled to the protection of this information against disclosure to and acquisition by unauthorized third parties. Plaintiffs contended that defendants entered into implied contracts in which defendant agreed to comply with its statutory and common law duties and industry standards to protect their person information. Plaintiffs alleged that defendants breached this implied covenant when it engaged in acts and/or omissions, such as omitting, suppressing, and concealing the material fact of the inadequacy of the privacy and security protections for plaintiffs, and when defendant failed to give plaintiffs timely notice of the cyber security event.

DEFENDANT'S CONTENTIONS: Defendant denied all contentions.

Injuries

As a result of the cyber security event, plaintiffs claimed that they suffered actual identity theft; unauthorized access, acquisition, appropriation, disclosure, encumbrance, exfiltration, release, theft, use, and/ or viewing of plaintiffs' personal information; and the continued risk to plaintiffs' information, among others.

Result

The case settled. As part of the settlement, plaintiffs will have the option to request access or extension to credit monitoring and identity protection services. Plaintiffs who do not submit evidence that they experienced identity theft or other fraud or misuse of their personal information fairly traceable to the cyber security event shall be entitled to receive compensation for lost time up to 3 hours at the rate of $26.67 per hour (not to exceed $80) after submitting other certain documents. Plaintiffs who show that they have suffered injuries as a result of identity theft or other fraud or misuse of their personal information fairly traceable to the cyber security event shall be entitled to out-of-pocket-losses of up to $10,000. Defendant is also required to implement certain business practices designed to maintain defendant's security posture, and to provide protections against threats now and in the future, specifically with respect to current and former employee and job applicant personal information.