A class action filed in federal court alleges personally identifying information was accessed during the data breach of a web-portal intended to handle unemployment applications related to the COVID-19 pandemic.
Attorney Tiffany Yiatras of Consumer Protection Legal in St. Louis filed a class action complaint June 8 on behalf of plaintiff Briana Julius in the U.S. District Court for the Southern District of Illinois against Deloitte Consulting LLP.
The class is also represented by Francis “Casey” Flynn Jr. of St. Louis.
Julius alleges Deloitte failed to properly secure and safeguard personally identifying information. As a result of the data breach, her bank notified her of fraudulent charges on her bank account that she did not make.
According to the complaint, the federal government established the Pandemic Unemployment Assistance (PUA) program pursuant to the Coronavirus Aid Care and Economic Security (CARES) Act. The program expanded unemployment insurance eligibility for people impacted by the COVID-19 pandemic. These claims are distinct from regular unemployment claims and required a new system.
The suit states that Deloitte launched a system to handle the claims on May 11, “knowing at the time that safeguarding unemployment applicants’ [personally identifying information] is of critizal importance due to the serious harm flowing from a compromise of that data, particularly when it involves private financial information like an applicant’s social security number.”
On May 15, Yiatras wrote that Illinois State Representative Terri Bryant sent Gov. J.B. Pritzker a letter informing him that a constituent had accessed a spreadsheet on the Illinois Department of Employment Security (IDES) portal that contained personal information for thousands of unemployment applicants.
Then the Colorado Department of Labor and Employment (CDLE) and Ohio Department of Job and Family Services (ODJFS) also confirmed that Deloitte’s system had allowed third-party access to applicants’ personal information.
Julius became aware that her information was exposed to the public on May 21 when she received correspondence from Deloitte confirming the breach.
“An analysis found that one PUA claimant was able to inadvertently access personal information of a limited number of other PUA claimants when logged into the system last week. That same claimant reported the issue and within an hour, it was corrected to prevent any future unauthorized access,” the correspondence stated.
“Immediately upon learning of this issue, Deloitte Consulting LLP (Deloitte), the vendor who built and maintains the PUA portal for IDES, began an investigation and stopped any further unauthorized access of claimants’ personal information.
“Based upon that investigation, there is no indication that your personal information was improperly used or is likely to be misused,” it continued.
The plaintiff was offered one year of free credit monitoring through Experian’s IdentityWorks.
Yiatras wrote that Julius “expended time and suffered loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the future consequences of the Data Breach including investigating the information compromised and how best to ensure plaintiff is protected from potential identity theft and fraud, which efforts are continuous and ongoing.”
The proposed class is described as anyone nationwide whose personally identifiable information was compromised as a result of the data breach.
The suit also includes a specific Illinois subclass.
The plaintiffs seek an order declaring Deloitte’s conduct unlawful, requiring them to develop security protocol, and requiring Deloitte to disclose any future data breaches in a timely and accurate manner. They also seek unspecified compensatory damages, restitution, statutory damages, punitive damages and attorneys’ fees.
U.S. District Court for the Southern District of Illinois case number 3:20-cv-542