Trade Law Daily is a Warren News publication.
'Heightened Scrutiny'

Suit Says Credit Monitoring Firm, Not Defendant Alerted Plaintiff of Data Breach

Kevin Sinitski received notification from his credit monitoring company that his personally identifiable information (PII) was involved in a V12Software data breach. The Feb. 15 notice from Credit Wise informed Sinitski of an incident he was unaware of, his class action alleged Thursday (docket 5:24-cv-02171) in U.S. District Court for Northern California in San Jose.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

The Mary D, Pennsylvania, resident entered his PII for car-related services in a program that runs on V12Software. V12 is a software provider for car dealers. He provided his “highly personal” information" to the defendant, “who then possessed and controlled it,” the complaint said.

V12 began sending notices of the breach to victims like Sinitski months after learning of it, the complaint said. In addition, it said V12's notice contained information that the company completed a review thereafter. The notice also included basic details of the breach and recommended next steps, the complaint said. A data security breach report at the Office of the Attorney General of Texas website said the V12 data breach affected 286,396 Texas citizens alone; San Jose-based V12 reported the breach to the office March 21. Consumers did not receive notice, the report showed.

On information and belief, unauthorized third-party cybercriminals gained access to Sinitski’s and class members’ PII that V12 hosted “with the intent of engaging in the misuse of the PII, including marketing and selling” it, the complaint said. The unauthorized party is “an undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding” Sinitski and class members in the future, it said.

The plaintiff was injured in the form of lost time dealing with the consequences of the breach, including time spent verifying the legitimacy and impact of the incident, exploring credit monitoring and identity theft insurance options, self-monitoring his accounts with "heightened scrutiny" and seeking legal counsel regarding his options for remedying its effects, the complaint said. The plaintiff has also suffered “imminent and impending injury arising from the substantially increased risk” of fraud, identity theft, and unauthorized third party and criminal use of his PII, it said.

V12Software could have prevented the data breach by safeguarding and encrypting its servers more securely, the complaint alleged. Moreover, the company had a duty to Sinitski and class members to provide “reasonable security,” consistent with industry standards and requirements, and to ensure that its computer systems, networks, and protocols adequately protected his and class members’ PII, it said.

Sinitski brings claims of negligence, breach of implied contract and implied covenant of good faith and fair dealing, and unjust enrichment. He seeks actual, nominal and consequential damages; orders enjoining V12 from unlawful activities and requiring it to implement a comprehensive information security program; attorneys’ fees and costs; and prejudgment interest. V12 didn't comment Friday.