Alleged Failure to Password Protect Database Leads to Class Action for Law Firm: Cybersecurity Trends

A Pennsylvania law firm is facing a proposed class action over their alleged failure to password protect a database of personal data.

As reported by, the 44-page case filed by Jerome Raniell on April 14 says that Spear Wilderman, P.C., a union-side labor law firm, discovered on May 7, 2021 that an unauthorized party had infiltrated its systems. However, the firm waited until November 16, 2022 to notify affected individuals that their information had been stolen, over 18 months after the cyberattack was purportedly discovered by the firm.

The breach was reported to at least four state governments, including Maine, New Hampshire, Delaware and Massachusetts. The Maine report (available here) appears to confirm the 18-month gap between discovery and reporting of the breach.


The lawsuit states that those who were impacted by the cyberattack—current and former clients and certain parties or witnesses to legal matters in which the firm was involved—had the following information, and potentially more, exposed during the breach:

  • Names.
  • Addresses.
  • Dates of birth.
  • Employment positions.
  • Pay amounts.
  • Driver’s license numbers.
  • Social Security numbers.
  • Account numbers.
  • Credit card numbers.
  • Routing numbers.
  • Account balances and/or
  • Account statuses.

According to the lawsuit, cybercriminals were able to “easily” access the data due to Spear Wilderman’s alleged failure to password protect a database of personal data.

The complaint alleges that victims’ unencrypted information has already been listed for sale on the dark web, exposing them to a “substantial and imminent” risk of identity theft and fraud. The plaintiff, a Pennsylvania resident, says that money was fraudulently withdrawn from his bank account using his name, Social Security number and account information nearly two years after the data breach occurred.

Per the suit, the law firm knew or should have known that it had a legal duty to properly safeguard consumers’ data from unauthorized access yet nevertheless failed to implement so much as “basic” cybersecurity measures that could have prevented the cyberattack, such as password protection, encryption or multifactor authentication.

It will be interesting to see what happens with this case. If the firm’s alleged failure to password protect the database is confirmed, the potential reputational damage could be worse than any monetary damage the firm ultimately pays.

So, what do you think? Does it surprise you that a firm is alleged to have failed to even password protect a database within their network? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
