Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IL-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021, 6 months after it was confirmed that sensitive data had been stolen in the attack, for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After the attack was discovered, files were restored from backups and normal business operations resumed; cybersecurity experts were only retained to investigate the breach when it was discovered, 5 months after the attack, that data had been exfiltrated from its systems.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.