On May 29, 2020, New York-based consulting firm Deloitte Consulting, LLP (“Deloitte”) was served with class claims in federal court in the Southern District of New York, alleging that the company failed to take reasonable and adequate measures to secure the personally identifiable information (“PII”) of online unemployment applicants.
In the complaint, named plaintiff Melissa Alexander describes how in the wake of the mass unemployment due to the COVID-19 pandemic, Deloitte was contracted by various state agencies, including the Ohio Department of Job and Family Services, the Illinois Department of Employment Security and the Colorado Department of Labor and Employment, to help states administer the federal Pandemic Unemployment Assistance (“PUA”) program. Deloitte was responsible for designing, building and maintaining web-based portals through which applicants apply for unemployment benefits and communicate with state officials. The plaintiff argues that despite being aware of the U.S. Federal Trade Commission’s guidelines for protecting PII, on May 11, 2020, Deloitte activated its cloud-based PUA portal with the knowledge that it lacked the appropriate safeguards to protect applicants’ PII.
Just days after the system went live, states began to acknowledge that they were experiencing issues with the software. On May 16, 2020, Illinois announced that there had been a so-called “glitch” in Deloitte’s programing which made “some private information publicly available.” In Illinois, around 44,000 people applied for unemployment benefits on the first day that the platform was available. Shortly after Illinois announced that it was having issues protecting applicants PII, Colorado announced on May 19, 2020 that it also had had a “limited and intermittent data access issue.”
According to the claims, the data breach that occurred in Colorado resulted in the system allowing applicants to access private correspondence between the state and other applicants. This information included sensitive PII and social security numbers. The plaintiff alleges that around 72,000 Colorado applicants were affected by the breach. Similarly, the plaintiff’s home state of Ohio announced that it too had experienced issues trying to maintain applicants’ privacy on the defendant’s platform. Plaintiff alleges that on May 20, 2020, she received an email from the Ohio Department of Job and Family Services which stated that on May 15, 2020, Deloitte had become aware that other applicants were able to view the name, social security number and street address of other applicants using the system. In Ohio, it is reported that around 130,000 unemployment applicants were affected by Deloitte’s failure to protect PII.
Due to Deloitte’s actions, the plaintiff claims that class members must now spend a substantial amount of time and expense monitoring their accounts to identify fraudulent or suspicious activity, cancelling and reissuing credit cards and purchasing credit monitoring and identity theft prevention services. The plaintiff seeks to represent a class made up of all persons residing in the U.S. whose PII was compromised as a result of the breach of the defendant’s PUA system. The suit brings causes of action for negligence, beach of implied contract and unjust enrichment.
The case is: Alexander v. Deloitte Consulting LLP, case number 1:20-cv-04129, in the U.S. District Court for the Southern District of New York.
Counsel Financial provides working capital credit lines exclusively for the plaintiffs' bar in all states except California, where credit lines are issued by California Attorney Lending.