Epiq Systems Inc., a legal services provider, is facing a federal lawsuit in California alleging it is at fault for malware and ransomware attacks that exposed data in violation of the state’s landmark privacy law.
“Epiq’s negligent and careless acts and omissions and the failure to protect consumers’ data” led to the theft of information, including a Social Security number, plaintiff Benjamin Karter alleged in a complaint filed Wednesday in the U.S. District Court for the Central District of California.
“Epiq has failed to satisfy its duty under the California Consumer Privacy Act,” according to the complaint, which was originally filed in state court.
The CCPA’s private right of action to sue over data breaches has led to the plaintiffs bar filing lawsuits following breaches. Damages under the law can reach up to $750 per consumer, per incident.
Attackers hit Epiq’s networks with malware and ransomware in February that led to the exfiltration of data, including “nonencrypted and nonredacted personal information,” according to the complaint. Karter’s Social Security number was on Epiq’s system because of a class action settlement the company administered.
Karter claims the cyberattacks were successful in part because Epiq used old versions of Microsoft Corp.'s Windows operating system. He alleges Epiq failed to use “up-to-date security procedures” that could have prevented an attack.
As a result of the data security incidents, Karter and other class members “face a lifetime risk of identity theft,” according to the complaint.
Cause of Action: Violations of the California Consumer Privacy Act.
Relief: Class certification; order declaring CCPA violations; injunctive relief; statutory damages; punitive damages; and attorneys fees and costs.
Potential Class Size: “The exact numbers of Class members is unknown,” but Epiq has data “for thousands of customers,” according to the complaint.
Response: “We can state with confidence, based upon our own investigation as well as a complete forensic investigation and verification by our third party consultant, Mandiant, that all allegations, including the allegation of any data exfiltration and including that of Mr. Karter’s, during the event in February 2020 are baseless and without merit,” said Catherine Ostheimer, vice president of marketing at Epiq.
Attorneys: Mitchell Silberberg and Knupp LLP represent Epiq. The Aftergood Law Firm and Woodrow & Peluso LLC represent Karter.
The case is Karter v. Epiq Sys., Inc., C.D. Cal., No. 20-cv-01385, notice of removal 7/29/20