Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

ABA Faces Class Action Lawsuit After Data Breach

April 26, 2023

Law.com reported on April 24 that the American Bar Association (ABA) notified its member of a March 6th data breach on April 20, which resulted in an unauthorized third party gaining access on March 17 to certain usernames and hashed and salted passwords.

On the following day, Troy Law PLLC, a New York-based employment firm, filed a class action complaint against the ABA for damages resulting from the breach, alleging that the ABA “allowed widespread and systematic theft” of member information, and that its “actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ personal identifying information.”

The April 21 class action complaint, filed in the United States District Court for the Eastern District of New York, was brought by named plaintiff Tiffany Troy. It alleges that “the March 17, 2023, breach gave the hacker access to the personal and financial information of up to 1.4 million ABA members.”

“The Breach was caused and enabled by Defendant’s knowing violation of its obligations to abide by best practices and industry standards in protecting customers’ personal information,” the complaint states. “Defendant grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Breach.”

The complaint alleges that the breach exposed both personal and financial information of the affected members, and that “the hackers continue to use the information they obtained as a result of Defendant’s inadequate security to exploit and injure Class members across the United States.” The complaint does not specify how the illegally acquired information allegedly has been or continues to be used. In its initial email notifying members of the data breach, the ABA stated that it had received no reports that anyone’s information had been misused.

The complaint further alleges that the ABA was untimely in alerting members to the breach: “Defendant failed to uncover and disclose the extent of the Breach and notify its affected customers of the Breach in a timely manner. Defendant failed to take other reasonable steps to clearly and conspicuously inform its customers of the nature and extent of the Breach. Furthermore, by failing to provide adequate notice, Defendant prevented Class members from protecting themselves from the Breach.”

Plaintiff contends that the ABA members affected by the data breach were injured in the form of “opportunity cost and value of time” associated with monitoring financial and bank accounts following the breach, and the costs of obtaining replacement credit and debit cards.

The plaintiff seeks relief in the form of actual, punitive and statutory damages, at least three years’ worth of credit-monitoring fees, attorney’s fees, litigation costs, and pre- and post-judgment interest.

Legaltech News reached out to the ABA for a response. “We do not comment on pending/ongoing litigation,” a spokesperson said in an email.

Regarding the breach itself, the spokesperson noted that “the bad actor obtained only user names and encoded (salted and hashed) passwords—not other personal information and no financial data.”

Not the strongest class action suit I’ve seen after a data breach, but we’ll see what happens as the facts come out.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology