Tom James Company Responsible for 2022 Data Breach, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges negligence on the part of Tom James Company is to blame for a 2022 data breach that has potentially impacted thousands of current and former employees.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 54-page lawsuit, the Tennessee-based clothing retailer discovered in August 2022 that it had fallen victim to a ransomware attack during which an unauthorized actor gained access to files containing the private information of current and former employees, including their full names and Social Security numbers.

Despite promises that it has “internal technical and organisational measures in place” to protect against “unauthorised disclosure or access” of employees’ data, the lawsuit alleges that Tom James made itself vulnerable to the attack by maintaining information on its computer network “in a dangerous condition.”

“Defendant had obligations created by contract, state and federal law, common law, and industry standards to keep Plaintiff’s and Class Members’ [personally identifiable information] confidential and to protect it from unauthorized access and disclosure,” the case reads.

The plaintiff, an Alabama resident who worked for the defendant between 1990 and 2011, claims that cybercriminals have disseminated his stolen information on the dark web because Tom James failed to implement reasonable cybersecurity measures, such as properly encrypting sensitive data.

“Had the information been properly encrypted,” the filing says, “the data thieves would have exfiltrated only unintelligible data.”

Like other victims, the man now faces a “heightened and imminent” risk of identity theft and fraudulent charges that will likely persist for years to come, the case says.

Per the complaint, Tom James left affected individuals in the dark for five months before notifying them of the incident on February 17, 2023.

However, the company has yet to inform victims of pertinent details surrounding the cyberattack, including “the date(s) of the Data Breach, date(s) that Defendant detected the Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, why it took over five months to inform impacted individuals after Defendant first detected the Data Breach, and the remedial measures undertaken to ensure such a breach does not occur again,” the suit states.

Moreover, the complaint argues that the defendants’ offer of 24 months of credit and identity monitoring services is “wholly inadequate” given that victims now face years of constant surveillance of their financial accounts and personal records.

The lawsuit seeks to cover anyone whose personally identifiable information was maintained on Tom James Company’s computer systems that were compromised in the data breach and who was sent a notice letter from the company.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.