Accountancy Company Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The certified public accounting company in Chicago, IN, Bansley & Kiener LLP, is facing a class-action lawsuit over a data breach that was reported to federal regulators in December 2021.

The breach happened in the second half of 2020. The investigation suggested that hackers gained access to its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener found out about the breach on December 10, 2020, when attackers used ransomware to encrypt files. Bansley & Kiener revealed in its breach notification letters that on May 24, 2021, the hackers had exfiltrated information from its systems prior to encrypting data files.

Bansley & Kiener manages health insurance, payroll, and pension plans for its customers. In total, the sensitive information of 274,000 people was breached, including names, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, tax IDs, military IDs, financial account data, payment card numbers, medical data, and complaint reports.

Although the attack was identified in December 2020, Bansley & Kiener only issued notification letters to affected persons, and notified the state attorneys general and the HHS’ Office for Civil Rights about the breach, in December 2021, 6 months after the theft of sensitive data was confirmed.

Mason Lietz & Klinger LLP filed the lawsuit in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. According to the lawsuit, Bansley & Kiener failed to protect the sensitive information of its clients and didn’t provide timely, sufficient, and accurate notice of the data breach to persons whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener needlessly delayed sending notifications about the data breach, even though the people whose data was stolen were placed at substantial risk of identity theft and various other types of personal, social, and financial ruin. When the notifications were provided, they did not completely explain the nature of the breach. They did not state that this was a ransomware attack and described the incident as an unauthorized person acquiring access to its network that led to the file encryption.

The legal action also addresses the data breach response. After the attack was discovered, files were restored from backups and regular business operations resumed. Only when it was found that information had been exfiltrated from its systems, 5 months following the attack, were cybersecurity specialists hired to investigate the breach.

The lawsuit claims Bansley & Kiener experienced a data breach because of “negligent and/or careless acts and omissions” associated with the securing of sensitive data, and did not monitor its systems for security issues. The lawsuit states victims of the breach have incurred out-of-pocket expenses associated with the prevention, discovery, and resolution of identity theft and/or unauthorized use of their information, have spent time attempting to mitigate the effects of the data breach, and have suffered from the lost or reduced value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal fees, and a jury trial.