ST. GEORGE — A St. George company is settling in a class action lawsuit after a 2018 data breach put its employees’ sensitive tax information at risk.
Mettekjistine Mckenzie of Arizona and Chasity Combs of Kentucky filed a class action lawsuit in April 2018 on behalf of the 1,854 former and current employees affected by the breach.
According to court documents, Allconnect released an email to employees informing them that their W-2 tax information was affected by the 2018 data breach. Allconnect said it hadn’t discovered the breach until “over a month after it occurred” in another email sent days later. The breach reportedly occurred after a February 2018 “email spoofing attack.”
In its statement, Allconnect said an individual pretending to be the company’s president emailed a human resource employee requesting “all 2017 Allconnect employee W-2 information.”
The Allconnect employee sent the unknown cyber criminals a data file that contained copies of W-2 statements or all of the sensitive personally identifying information needed to fill out a W-2. The stolen data included names, addresses, Social Security numbers and wage information for every W-2 employee who worked at Allconnect during 2017.
“I feel like everyone either has worked or is acquainted with someone who has worked at Allconnect at some point in time, no matter how brief,” one employee said, adding that those employed by the company “provided their personal information at the time their employment began.”
David Suetholz, the plaintiff’s attorney, asserts that the information stolen in the breach is “significantly more valuable than the loss of … credit card information in a large retailer data breach.”
The class action suit outlines four causes for action, including negligence, invasion of privacy, breach of implied contract and breach of fiduciary duty. According to Suetholz, the company had a duty to protect the personal information of its employees and failed to do so.
Employees in the suit also state Allconnect did not “adequately” or “accurately” inform employees of the situation, did not implement “reasonable security procedures” according to the situation and “engaged in unfair, unlawful, or deceptive practices.”
The company is hoping to reach a settlement with its employees by issuing each affected individual a $100 direct payment check and the opportunity to enroll in the AllClear ID Original Offering or Settlement Offering for identity theft protection over five years ending April 6, 2025.
Former or current employees affected by the breach can also submit claims for reimbursement if they experience documented economic losses related to the data breach that have not been reimbursed by AllClear ID or other third parties.
“I believe that a meager $100 and 5 years of identity protection with All Clear ID, a second rate identity protection company, is a very small tradeoff for a lifelong risk of having my life destroyed outright by identity theft,” a former employee said.
Those affected can decide to not respond and refuse any of the AllClear ID offers, but they also will be unable to sue Allconnect in a future lawsuit about the claims addressed in the settlement. Instead, employees can exclude themselves.
Employees who exclude themselves will not receive settlement benefits but will retain their right to see Allconnect in separate lawsuits on the issues already touched on in the settlement.
There is also an option to object to the settlement. All objections will be heard at the final approval hearing. Those hoping to exclude themselves or offer any sort of objection must do so by Aug. 18.
Allconnect projects total settlement costs to be about $52,089,057 “before the cost of any injunctive relief.”
There will be a final approval hearing Oct. 28 at 1:30 p.m. at the U.S. Courthouse in Lexington, Kentucky. The court will review the terms of the settlement and decide if it is “fair, reasonable and adequate” for both parties.
Copyright St. George News, SaintGeorgeUtah.com LLC, 2019, all rights reserved.