American Bar Association Hit With Data Breach Class Action Alleging 'Knowing Violation' of Security Standards
The complaint alleges that the ABA's knowing violation of its obligations to abide by best practices and industry standards in protecting customers’ personal information resulted in giving the hacker access to the personal and financial information of up to 1.4 million ABA members.
On Thursday, April 20, the American Bar Association (ABA) notified its members of a March 6, 2023, data breach that resulted in an unauthorized third party gaining access on March 17 to certain usernames and hashed and salted passwords.
The next day, Troy Law PLLC, a New York-based employment firm, filed a class action complaint against the ABA for damages resulting from the breach, alleging that the ABA “allowed widespread and systematic theft” of member information, and that its “actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ personal identifying information.”
The April 21, 2023, class action complaint, filed in the United States District Court for the Eastern District of New York, was brought by named plaintiff Tiffany Troy. It alleges that “the March 17, 2023, breach gave the hacker access to the personal and financial information of up to 1.4 million ABA members.”
“The Breach was caused and enabled by Defendant’s knowing violation of its obligations to abide by best practices and industry standards in protecting customers’ personal information,” the complaint states. “Defendant grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Breach.”
The complaint alleges that the breach exposed both personal and financial information of the affected members, and that “the hackers continue to use the information they obtained as a result of Defendant’s inadequate security to exploit and injure Class members across the United States.” The complaint does not specify how the illegally acquired information allegedly has been or continues to be used. In its initial email notifying members of the data breach, the ABA stated that it had received no reports that anyone’s information had been misused.
The complaint further alleges that the ABA was untimely in alerting members to the breach: “Defendant failed to uncover and disclose the extent of the Breach and notify its affected customers of the Breach in a timely manner. Defendant failed to take other reasonable steps to clearly and conspicuously inform its customers of the nature and extent of the Breach. Furthermore, by failing to provide adequate notice, Defendant prevented Class members from protecting themselves from the Breach.”
Among other things, the plaintiff contends that the ABA members affected by the data breach were injured in the form of “opportunity cost and value of time” associated with monitoring financial and bank accounts following the breach, and costs of obtaining replacement credit and debit cards.
The plaintiff seeks relief in the form of actual, punitive and statutory damages, at least three years’ worth of credit-monitoring fees, attorney’s fees, litigation costs, and pre- and post-judgment interest.
Legaltech News reached out to the ABA for a response. “We do not comment on pending/ongoing litigation,” a spokesperson said in an email.
Regarding the breach itself, the spokesperson noted that “the bad actor obtained only user names and encoded (salted and hashed) passwords—not other personal information and no financial data.”