Trade Law Daily is a Warren News publication.
'Unlawful' Data Security

Plaintiff Seeks 10 Years' Identity Theft Coverage in Ampersand.tv Data Breach Class Action

Impermissibly inadequate and unlawful data security” at advertising data analytics firm Ampersand.tv caused plaintiff Kathryn Mortensen and “hundreds of thousands of” class members’ personally identifiable information (PII) to be exfiltrated by cybercriminals in a Sept. 28 data breach, alleged a class action Friday (docket 1:24-cv-04749) in U.S. District Court for Southern New York.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

The data analytics company -- owned by Comcast, Charter and Cox -- claims to provide viewership insights and planning on 64 million households, said the complaint. The data Ampersand collected from Fairfield County, Connecticut, resident Mortensen, who's a former employee, included her name and Social Security number, the complaint said.

Ampersand confirmed in October it had experienced a ransomware incident “that briefly interrupted regular operations,” the complaint said. Media reports said the attack was carried out by Black Basta, which claimed credit for attacks on the American Dental Association, Ascension Healthcare (see story, this issue) and Swiss tech giant ABB, among others.

Ampersand’s failure to provide “timely notice” to data breach victims exacerbated their injuries, the complaint said. The defendant mailed a notification letter to its current and former clients March 15, saying it discovered on March 1 that the “impacted files that were accessed” contained their Social Security numbers and names. The notification promised breach victims 24 months of credit monitoring and identity restoration services through IDX, a “data breach and recovery services expert.” The coverage included a $1 million insurance reimbursement policy, the notice said. Mortensen seeks 10 years’ credit monitoring and identity theft protection from the company.

Ampersand received and maintained the PII of its employees and clients, and those records continue to be stored on the company’s computer systems, the complaint said. When it collected the PII, Ampersand promised to use reasonable measures to protect it from theft and misuse, the complaint said. Mortensen and class members relied on the company to keep their PII "confidential and securely maintained, to use this information for business and healthcare purposes only, and to make only authorized disclosures” of it, the complaint said.

Mortensen asserted the breach was aimed at Ampersand “due to its status as a large TV viewership data collection agency that collects, creates and maintains Personal Information.” Since the breach, she has experienced a “significant increase in spam calls and emails”; has suffered lost time, annoyance, interference and inconvenience; and has anxiety and increased concerns over the loss of her privacy, the complaint said.

The plaintiff and class members have suffered the loss of opportunity to control how their PII is used and diminution of its value; the compromise and continuing publication of their PII; out-of-pocket costs associated with the prevention, detection, recovery and remediation from identity theft or fraud; lost opportunity costs and wages associated with consequences of the breach; delay in receipt of tax refunds; unauthorized use of stolen information; and continued risk to their PII, the complaint alleged.

Mortensen claims negligence and negligence per se, invasion of privacy, and breach of implied contract. She seeks an injunction requiring Ampersand to adequately safeguard her and class members’ PII; to encrypt all data collected through the course of business in accordance with industry standards and all applicable regulations; to delete and purge breach victims’ PII; to implement a comprehensive information security program; to provide notice to each class member about the full nature and extent of the breach; and an award of actual, nominal, consequential and punitive damages; plus pre- and post-judgment interest and attorneys’ fees and costs.