Theft Of Employee Data From Third-Party Vendor Exposes Employer And Vendor To Privacy Class Action

Author: Ms Cynthia Larose
Profession: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

A recently filed class action lawsuit asserts claims against the Winn-Dixie supermarket chain and a third-party vendor, Purchasing Power, LLC, in connection with the alleged theft of employee data provided to Purchasing Power in order to administer a discount purchasing program offered to Winn-Dixie employees.  The claims advanced against Winn-Dixie and Purchasing Power highlight the potential risks associated with sharing employee or customer data with third-party vendors, and underscore the need for companies to ensure that the data security practices of third-party vendors are consistent with those of the companies themselves.  The complaint also demonstrates how failure to make prompt disclosure of data breaches to affected individuals can increase the risk of class action litigation.

According to the complaint in Burrows v. Purchasing Power, LLC, Case No. 1:12-cv-22800 (S.D. Fla.), Winn-Dixie either transferred or permitted Purchasing Power to access personally identifiable information ("PII") of Winn-Dixie employees for the purpose of making a discount purchasing program available to Winn-Dixie's employees.  The complaint alleges that Winn-Dixie notified employees on January 27, 2012 that Winn-Dixie employee data had been inappropriately accessed by an employee of Purchasing Power.  The notice further stated that Winn-Dixie first learned of the data theft in October 2011.  According to the complaint, Winn-Dixie did not explain the reason for its delay in providing notice, and Purchasing Power has never, at any time, provided notice of the breach to Winn-Dixie employees.

One unique aspect of Burrows that distinguishes it from the typical privacy class action is an allegation that the named plaintiff suffered actual injury by reason of a data breach.  Specifically, plaintiff alleges that the Internal Revenue Service refused to accept his 2011 federal income tax return, stating that a return had already been filed in his name.  Plaintiff claims that someone who had access to the PII stolen from Purchasing Power filed the return, thereby depriving plaintiff of an anticipated refund.  He seeks damages associated with the lost refund, in addition to other damages associated with the risk of further misuse of his PII.

The complaint asserts claims for negligence, violation of the federal Stored Communications Act, 18 U.S.C. § 2702, violation of the Florida Unfair and Deceptive Trade Practices Act, and breach of the common law right to privacy. ...
