US law firm accused of waiting more than a year to inform affected parties about data breach

Los Angeles-based law firm Hill, Farrer & Burrill was slapped with a data breach class action over allegations it detected a data breach in March 2022 but waited over a year to inform affected individuals their personal information had been leaked.

Plaintiff and former Charter Communications employee Michelle Booker’s personally identifiable information was leaked after it was allegedly disclosed by Charter to Hill Farrer, following Booker’s suit against Charter for wrongful termination.

The Employee Justice Legal Group filed the class action Sept. 14 in California Superior Court for Los Angeles County.

Booker alleges that the data breach was a result of Hill Farrer’s inadequately protected computer network, and that it was completely preventable.

According to the complaint, Hill Farrer determined that cybercriminals gained unauthorized access to its systems between March 14 and March 18, 2022. The hackers are alleged to have accessed and stole sensitive personal information, including names, dates of birth, Social Security numbers, and medical treatment information of Booker and other victims.

Booker claims she was notified of the breach on Sept. 5, 2023, over a year after it was discovered that an unauthorized user had gained access to the firm’s electronic systems. The letter informed her that her name, date of birth, Social Security number, and medical treatment information was stored in a system that had been accessed by hackers.

According to the complaint, the Los Angeles firm’s lack of urgency to inform victims that their information had been leaked allowed cyber criminals “free reign to surveil and defraud their unsuspecting victims.”

The suit brings claims for negligence, negligence per se, breach of fiduciary duties, breach of confidence, breach of implied contract, and invasion of privacy on behalf of Booker and other class members.

Since the breach, Booker claims she has received an increase in spam phone calls, including calls from callers who had specific pieces of personal information.

The firm’s failure to protect the personal information of the victims allowed cybercriminals to “steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals,” claims Booker.

The complaint alleges that this failure has caused Booker and the class to suffer damages, including the imminent risk of identity theft and fraud, as well as a flood of spam telephone class from unknown persons.

These risks have also allegedly caused Booker and other victims to incur out-of-pocket costs for a variety of things, including purchasing credit monitoring services, credit freezes, credit reports, or other protective measure to deter and detect identify theft, according to the complaint.

Booker seeks actual damages, statutory damages, punitive damages, attorney fees and costs, and injunctive relief, including significant improvements to the firm’s data security systems, future annual audits, and long-term credit monitoring services.