Communications Litigation Today was a Warren News publication.
'Ferociously Aggressive'

Ex-Dish Employee Sues for Negligence After She's Told Her SSN Was Stolen

June 9, 2023 by Rebecca Day|Top News

Dish Network didn’t use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted personally identifiable information (PII) it was maintaining for customers and employees, alleged Corpus Christi, Texas, plaintiff Elizabeth Garza, in a class action Thursday (docket 1:23-cv-01458) in U.S. District Court for Colorado in Denver.

Dish confirmed in the following days that customer databases weren’t accessed in the incident but certain employee-related records and PII, along with information of former employees and their families, were among the stolen data, the complaint said, quoting the Dish notice. Garza, who worked for the company before the data breach, received notice around May 18 of Dish’s Feb. 23 announcement it had a network outage that affected internal servers and its information technology systems. Information stolen “appears to include your Social Security number,” it said.

In light of information “readily available and accessible on the internet” before the data breach, Dish had reason to be on guard for the exfiltration of the PII, and its business had cause to be particularly on guard against such an attack, said the complaint. The company should have known its computer systems were a target for cybersecurity attacks because warnings were readily available on the internet, it said.

The complaint cited articles on ransomware attacks, including an April 2020 ZDNet report saying ransomware was mentioned in over 1,000 SEC filings over the previous year. Ransomware gangs “are now ferociously aggressive” in pursuing big companies, the article said, saying they “breach networks, use specialized tools to maximize damage,” and leak corporate information “on dark web portals.”

The complaint cited the FBI, saying prevention “is the most effective defense against ransomware,” plus recommended U.S. government measures to prevent and detect such attacks, including an awareness and training program, strong spam filters, firewalls, security patches, strong access controls and software restriction policies.

The occurrence of the breach indicates Dish “failed to adequately implement one or more of the measures to prevent a ransomware attack," leading to the data breach and exposure of plaintiff’s and class members PII, said the complaint. Dish could have prevented the breach by properly securing and encrypting folders, files and data fields containing customers' and employees' PII, or it could have destroyed the data it no longer needed, the complaint said.

Garza’s PII may have been stolen as a result of the breach, and she had to spend time dealing with its consequences, she said. She suffered lost time, annoyance, interference, and inconvenience and has anxiety and increased concerns for the loss of her privacy, said the complaint. She suffered imminent and impending injury arising from the “substantially increased risk of fraud, identity theft, and misuse” resulting from her stolen PII, “especially her Social Security number, being placed in the hands of unauthorized third parties and possibly criminals.”

Garza asserts claims of negligence and breach of implied contract. She seeks for herself and the class orders enjoining Dish from engaging in the wrongful conduct alleged and requiring it to protect all data collected through the course of business, to destroy and purge PII not necessary to its operation, to engage third-party auditors for periodic testing, to train security personnel on new procedures, to create firewalls and access controls and other security measures. She also seeks an award of actual, consequential and nominal damages, plus attorneys’ fees and legal costs.