When you think of cybersecurity and trash collection, it’s not hard to picture someone doing a little dumpster diving, which is a social engineering technique. There are people out there who will sift through a victim’s garbage to find sensitive information to use on its own or in conjunction with a cyberattack. However, the class action case filed against Waste Management Inc this week in the United States District Court, Southern District of New York (Fusilier et al vs. Waste Management Inc) puts the garbage industry on alert that, like any other category of business, it must protect customer records in accordance with the standards, policies, and laws of the states in which it conducts waste removal.
Plaintiffs Detail the Damage Done by Waste Management Inc
As in most of the earlier privacy and data loss cases, the plaintiffs in this matter rely on the common law doctrines of negligence, breach of contract, and unjust enrichment, as well as various statutory requirements to safeguard customer information, in this case under New York law. Also, as in past cases, the breach occurred in January of 2021 but allegedly wasn’t reported to the customers until May of 2021, some four months later.
The most interesting part of the case, in my opinion, is the detail in which the plaintiffs described their harm or damages in the pleading. To quote:
- Plaintiffs and members of the proposed Class have suffered actual and imminent injuries as a direct result of the data breach. The actual and imminent injuries suffered by Plaintiffs and the proposed Class as a direct result of the data breach include: (a) theft of their personal data; (b) costs associated with the detection and prevention of identity theft; (c) costs associated with time spent and the loss of productivity from taking time to address and attempt to monitor, ameliorate, mitigate and deal with the consequences of the data breach; (d) the stress, nuisance and annoyance of dealing with all issues resulting from the data breach; (e) actual fraudulent activity on financial accounts; (f) increased fraudulent robo calls and spoofing email attempts; (g) the potential for future fraud and the increased risk of identity theft posed by their personal data being placed in the hands of the ill-intentioned hackers and/or criminals; (g) damages to and diminution in value of their personal data entrusted to Waste Management; (h) the retention of the reasonable value of the PII entrusted to Waste Management; and (i) the continued risk to their personal data which remains in the possession of Waste Management and which is subject to further breaches so long as Waste Management fails to undertake appropriate and adequate measures to protect the PII in its possession.
Quantifying the Impact of a Data Breach
While I admit I have not looked at every data breach lawsuit that has been filed over the last ten years, it is safe to say I have studied many of them, and few, if any, had this sort of detail of damages laid out early in the pleading. The allegation referring to increased robo calls and “spoofing” (most commonly known as phishing) emails is often overlooked or, maybe more correctly, not connected to data breaches in many of these lawsuits. How this is defended, and how monetary amounts are then specified, is the type of thing that makes legal nerds sing with anticipation. As a side note, just maybe I had a data breach occur and have been wrongfully blaming the last few cybersecurity conferences for my phone number being passed around between vendors like rolls at a family dinner. Opt out if that choice presents itself, trust me.