Trade Law Daily is a Warren News publication.
'Ineffective and Inadequate'

Christie's Client Sues on Behalf of 500,000 Class Members Over Ransomware Event

Plaintiff Efstathios Maroulis and some 500,000 class members suffered “concrete injuries” due to a data breach at art auction house Christie’s, alleged Maroulis' class action Monday (docket 1:24-cv-04221) in U.S. District Court for Southern New York.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

Maroulis and class members’ sensitive personally identifiable information (PII) – which they entrusted to Christie’s on the “mutual understanding” that the defendant would protect it against disclosure – “was targeted, compromised and unlawfully accessed” in a May 9 ransomware attack on Christie’s IT network, said the complaint.

The defendant began notifying customers Thursday about the cybersecurity incident, saying an “unauthorized third party had managed to gain access to Christie’s IT network for a limited period of time.” It “worked to revoke all access, isolate our systems, and ensure that our network was secure,” said the notice. During the attack, the third party downloaded a “limited amount of client data from Christie’s internal client verification system,” it said.

Affected data included photo IDs that individuals provided to Christie’s for its client verification procedures, name, gender, birthdate and place, driver’s license and passport numbers and the machine-readable code at the bottom of the identity page in the front of a passport, the complaint said. Christie's notice didn’t identify the cybercriminals, the root cause of the breach, the vulnerabilities exploited or the remedial measures undertaken to prevent a future breach; ransomware group RandsomHub took credit for the attack, the complaint said.

The notice letter didn’t say whether Christie’s undertook any efforts to contact the half million affected class members to find out if they suffered misuse of their data, whether they should report the misuse to the defendant or whether it set up any mechanism for them to report misuse of their data, the complaint said.

Christie’s had obligations to keep Maroulis’ and class members’ PII confidential and to protect it from unauthorized access and disclosure under the FTC Act, contract and common law, and industry standards, alleged the complaint. The defendant didn’t use reasonable security procedures and practices appropriate to the nature of the sensitive information it maintained for them, such as encrypting it or deleting it when it was no longer needed, the complaint alleged.

As a result of the defendant’s “ineffective and inadequate data security practices,” the data breach and the “foreseeable consequences” of class members’ data ending up in the hands of criminals, the risk of identity theft to them “has materialized and is imminent,” the complaint said. The actual injuries sustained by Maroulis and class members include invasion of privacy, theft of PII, lost or diminished value of their PII, and lost time and opportunity costs associated with mitigating the consequences of the breach, it said.

In addition to time spent on attempting to mitigate the effects of the breach, Maroulis has experienced an uptick in spam emails, calls and texts to gain access to his devices or elicit further personal information for use in committing identity theft or fraud, said the complaint. The breach has caused him to suffer fear, anxiety and stress. He is at "present risk" as a result of the breach and “will continue to be at increased risk of identity theft and fraud for years to come,” it said.

The lawsuit asserts claims of negligence, breach of implied contract, unjust enrichment and violation of the New York Deceptive Trade Practices Act. Maroulis requests on behalf of himself and class members orders enjoining Christie’s from engaging in the wrongful conduct described; requiring it to encrypt all data collected through the course of its business in accordance with appropriate laws and industry standards; to delete and purge their PII; and to provide them out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud or unauthorized use of their PII.

The plaintiff also seeks an award of actual, nominal, statutory, consequential and punitive damages, plus attorneys’ fees, litigation expenses and prejudgment interest on all amounts awarded. Christie’s didn’t comment Tuesday.