Accounting Firm Bansley & Kiener Hit with Class Action Over 2020 Ransomware Attack [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

Bansley & Kiener, L.L.P. faces a proposed class action that alleges the accounting and advisory firm failed to safeguard the sensitive client information in its care from unauthorized access and then waited a year before notifying state attorneys general and those affected by the data breach. 

The 44-page lawsuit says the Bansley & Kiener data breach, which is believed to have occurred between August 20 and December 1, 2020, involved the sensitive information of more than 274,000 individuals for whom the firm managed payroll, health insurance and pension plans. Information exposed in the incident, which the suit says Bansley discovered on December 10, 2020, includes unencrypted and unredacted names; dates of birth; Social Security, driver’s license, passport, tax ID, military ID, financial account and payment card numbers; and personal health information, the complaint claims. 

Although the breach is believed to have taken place sometime in the second half of 2020, Bansley unreasonably notified state attorneys general and many who were affected by the incident via letter on December 3, 2021, the case says. In its notice, Bansley, the complaint says, relayed only that its network had fallen victim to an “unauthorized person” and that the incident “resulted in the encryption” of certain network systems. “Encryption of systems” is typically a defining characteristic of a ransomware attack, the suit says. 

“As a result of this delayed response, Plaintiff and Class Members were unaware that their [personally identifiable information] had been compromised, and that they were, and continue to be, at significant risk to identity theft and various other forms of personal, social, and financial harm,” the case reads. 

Worse, Bansley, rather than provide ransomware attack victims with more timely notice that their data had been compromised or make in-house upgrades to its computer security, “simply resumed its normal business operations” after initially discovering the incident, the lawsuit alleges. Roughly five months after the attack had occurred, Bansley learned that consumers’ information was “exfiltrated” from its network, the lawsuit claims, and it was only then that the firm retained help from cybersecurity professionals to investigate the incident, the suit says. 

No mention was made in its data breach notice letters as to why Bansley waited more than six months from the time its own investigation determined that personal information was accessed to notify consumers, the case stresses. 

The lawsuit alleges the Bansley & Kiener data breach stemmed from the firm’s “negligent and/or careless acts and omissions” in safeguarding sensitive client information. The lawsuit also chides Bansley for allegedly failing to effectively monitor its network for security vulnerabilities.

“Bansley’s conduct amounts to negligence and violates federal and state statutes,” the case contends. 

Victims of the ransomware attack have been damaged by way of the lost or diminished value of their personal information; out-of-pocket expenses associated with the prevention, detection and resolution of identity theft, tax fraud or other unauthorized uses of their data; and time spent trying to mitigate any consequences of the data breach, the lawsuit says. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.