Law360 (June 1, 2020, 3:14 PM EDT) -- Deloitte Consulting LLP has been hit with a proposed class action in New York federal court accusing the company of dropping the ball on securing personally identifiable information for those applying for benefits under the federal Pandemic Unemployment Assistance program.
According to the Friday complaint, Deloitte contracted with state governments, including Colorado, Illinois and Ohio, to create web-based portals to help administer the Pandemic Unemployment Assistance, or PUA, program, which is meant to assist certain workers usually ineligible for unemployment benefits.
However, when the company's cloud-based PUA portal went live in May, it didn't have the "appropriate safeguards" for protecting applicants' personally identifiable information, or PII, the suit said. Melissa Alexander, the Ohio resident behind the proposed class action, brought claims against Deloitte for negligence, breach of contract and unjust enrichment.
"Because of defendant's failure to exercise due care, members of the public were able to access unemployment applicants' PII, including Social Security numbers," the complaint said. "As a result, plaintiff and the class members have been injured through the loss of control of their PII, the need to take appropriate steps to mitigate their injury and the heightened and imminent risk of identity theft or fraud."
A reported 130,000 people in Ohio and and 72,000 people in Colorado were affected, according to the suit. And although the exact number of individuals affected in Illinois hasn't been disclosed, 44,000 applied for benefits through the state's portal the first day it was open, and the number of applicants since then is "likely substantially higher," the complaint said.
Alexander, who is looking to represent a nationwide class of PUA applicants whose data was compromised, as well as a class of Ohio residents, said they will have to spend "substantial amounts of time and expense" trying to mitigate the fallout of the data breach.
"As a direct and proximate result of defendant's inadequate data security practices — in particular, making communications through the PUA portal, including applicants' PII, publicly available to other applicants — plaintiff and the class members have sustained a concrete injury," the suit said.
The complaint noted that Deloitte is providing 12 months of free credit monitoring for all the PUA applicants in the three states. The suit seeks, among other things, compensatory damages and equitable disgorgement and restitution.
Counsel for Alexander and a representative for Deloitte didn't immediately respond to requests for comment Monday.
Alexander is represented by Katherine M. Aizpuru and Hassan A. Zavareei of Tycko & Zavareei LLP, Melissa S. Weiner and Joseph C. Bourne of Pearson Simon & Warshaw LLP and Jeff Ostrow and Jonathan M. Streisfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.
Counsel information for Deloitte wasn't immediately available Monday.
The case is Alexander v. Deloitte Consulting LLP, case number 1:20-cv-04129, in the U.S. District Court for the Southern District of New York.
--Editing by Stephen Berg.
For a reprint of this article, please contact email@example.com.