Skip Links

Data breach generates class action lawsuit

By Layer 8 on Tue, 08/21/07 - 11:52am.

The fallout from Certegy Check Services (CCS) data breach has reached the courts.  A class-action lawsuit has been filed by a California law firm against Fidelity National Information Services, accusing it and its CCS subsidiary of negligence, invasion of privacy and breach of implied contract, on behalf of the 8.5 million customers whose sensitive information was sold to direct marketers by a former employee of the check verification service. The complaint alleges that Certegy, a wholly-owned subsidiary of Jacksonville, Fla.-based Fidelity National Information Services (FIS), did not institute adequate security controls to prevent the breach. The suit does not specify damages. William Sullivan, the former Certegy senior-level database administrator alleged to be responsible for the theft. Sullivan is named in the legal complaint as one of the defendants, as is a Largo, Fla.-based company he reportedly owns, S&S Computer Services. There have been reports of identity theft and illegal purchases made with some of these records, experts say. According to the law firm handling the suit, Girard Gibbs LLP,  the case was brought by a Los Angeles, California resident who, prior to the public announcement by Certegy and FIS of the data breach, started noticing an influx of direct marketing and promotional offers as well as phone calls to his home. After subsequently receiving a letter from Certegy informing him that his personal data may have been compromised by one of its employees, the plaintiff engaged a credit monitoring service. Certegy and FIS merged in January of 2006. Certegy provides check-verification services to major U.S. retailers such as Wal-Mart, Sears, Bed Bath & Beyond and Amazon.com. Due to the nature of the services provided by Certegy and FIS, and their undisclosed role in financial transactions, consumers do not choose to use the services of these companies but rather are forced to do so, a release from Girard Gibbs stated. In July Certegy detailed the theft which entailed records, which include names, addresses, telephone numbers as well as bank-account and credit-card information. The former database administrator allegedly sold this data for an undisclosed amount to a data broker, Certegy Check Services said. FIS initially said about 2.3 million records may have been compromised, but in filings with the SEC about two weeks later, the company increased that number to as many as 8.5 million. Certegy said the theft came to light when one of Certegy’s check-processing customers alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer’s customers of direct telephone solicitations and mail-marketing materials.  Certegy said it launched an investigation with the help of the U.S. Secret Service, which contacted the marketing companies to question them in order to trace the source of the data. Data breaches have maddeningly become commonplace. Some 85% of 700 C-level executives, managers and IT security officers revealed they had experienced a data breach event, and about half of those admitted they had no incident response plan in place. Among the most common causes for the breach incidents were lost or stolen equipment such as laptops, PDAs and memory sticks. The second largest contributing factor involved negligent employees, temporary employees or contractors.  The survey, titled "The Business Impact of Data Breach," revealed the "pervasive problem" plaguing IT security officers in midsize to large U.S. businesses in all industries, researchers say. Scott & Scott, a law and technology services firm, commissioned the survey. The survey also shows that most companies are required to report the incident to subjects whose information was lost or stolen. Nearly 100% were required to give such notifications under state statutes, and some 60% were required to notify victims under federal privacy acts such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. About 37% of respondents said they sent blanket notifications to potential victims, rather than precise details. And the cost of such breaches can be astronomical.  In a filing with the Securities & Exchange Commission recently, TJX Companies stated its estimated cost for the computer intrusions it disclosed earlier this year has now reached a total of $118 million. In an earlier SEC filing TJX Companies, the clothing retailer with store chains that include T.J. Maxx, had tallied the cost of the network break-ins it disclosed back in January to be about $20 million, though it noted that figure could go higher. The computer intrusions that TJX references are ones in which 47.5 million credit and debit-card numbers were stolen in 2005 and another 130,000 this year by hackers, who have yet to be caught. Some experts have said they consider TJX to be the biggest-known victim of data theft due to the sheer volume of compromised customer data.