Lawsuit Filed on Behalf of Consumers in Data Breach Case

A California law firm has filed a class-action lawsuit against Fidelity National Information Services (FIS) and one of its subsidiaries over an incident involving the potential compromise of personal data belonging to 8.5 million consumers.

The lawsuit was filed last week in federal court for the Central District of California. It does not seek specific damages, but it accused FIS and Certegy Check Services, the subsidiary involved in the breach, of negligence, invasion of privacy and breach of implied contract.

The complaint, filed on behalf of 8.5 million consumers, by the San Francisco-based law firm of Girard Gibbs, charged both companies with failure to implement and maintain adequate security measures for protecting confidential financial information belonging to consumers. The suit also alleged that the companies failed to properly monitor and supervise the activities of employees entrusted with consumer data.

A spokesman for FIS and Certegy did not immediately respond to a call for comment.

Jacksonville, Fla.-based FIS is a large transaction processor and outsourcing provider to the financial services sector. It is not affiliated with the better-known Fidelity Investments. Certegy provides check verification services for many major retailers. The breach in question was disclosed by FIS in July and involved a Certegy senior database administrator who illegally accessed and downloaded millions of consumer records and sold them to data brokers.

Initially, FIS said about 2.3 million records may have been compromised by the database administrator’s actions. However, in filings with the U.S. Securities and Exchange Commission about two weeks later, FIS increased that number to as many as 8.5 million records that may have been compromised.

According to the company, the data appeared to have been misappropriated purely for use in marketing purposes and not for identity theft or other types of fraud.

The case was initially brought by a Los Angeles-based resident, Theodore Borreson, “who, prior to the public announcement by Certegy and FIS of the data breach, started noticing an influx of direct marketing and promotional offers as well as phone calls to his home,” a statement announcing the suit from Girard Gibbs noted.

“Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner,” said Eric Gibbs, one of the attorneys at the law firm, in the statement. “The failure by these companies to make the internal data breach immediately known exposed consumers to direct marketing campaigns and the risk of unauthorized use of their bank accounts and identity theft.”

Legal experts have long been warning companies that they could become targets of such lawsuits in data breach incidents. Even so, few cases have been filed in data breach incidents and fewer still have been won by consumers. In the past, legal experts have said the plaintiffs in such cases usually have a hard time establishing and proving a direct link between a disclosed data breach and identity theft or other forms of fraud.

— Jaikumar Vijayan, Computerworld (US online)