Federal lawsuit: Business firm responsible for unemployment data breach
St. Clair County resident claims contractor of negligence, mishandling info
By REBECCA ANZEL
Capitol News Illinois
SPRINGFIELD — The firm contracted to launch an unemployment claims portal is solely responsible for a data breach that made available almost 33,000 Illinoisans’ personal information, a St. Clair County resident has alleged in a federal lawsuit.
The state Department of Employment Security announced on May 18 that the web-based system built and maintained by Deloitte Consulting LLP – an international business services company – to process some unemployment claims allowed public access of applicants’ names, Social Security numbers and street addresses.
That online portal serviced Illinoisans applying for the federal Pandemic Unemployment Assistance program, designed to provide benefits to independent contractors affected by the novel coronavirus pandemic and who are not typically covered by unemployment insurance.
According to the lawsuit filed by St. Clair County resident Briana Julius, at least three other states — Ohio, Colorado and Arkansas — also contracted Deloitte to construct similar portals. Within five days of notice that Illinois’ system was compromised, both Colorado and Ohio made announcements their portals had the same flaw.
Deloitte was “negligent,” Julius alleges, by “actively mishandling” that information. She is suing on behalf of herself and all other Americans who might have been harmed, and is asking a judge to allow a jury trial.
The case is requesting the court find that Deloitte acted in an “unlawful” manner and establish a number of security measures, including safeguards for personal information, tests by “third-party security auditors” and encryption of all sensitive data. Damages could “exceed” $5 million, according to the lawsuit, when considering all Americans who were affected.
On May 21, the company sent Julius a letter alerting her that while sensitive information may have been exposed, “based upon (an) investigation, there is no indication that your personal information was improperly used or is likely to be misused.”
“Out of an abundance of caution,” Deloitte offered Julius a one-year credit monitoring program subscription. She alleged that proposal is equivalent to the company recognizing “the imminent harm caused by the data breach.”
According to the court filing, Julius’ bank account was accessed as a result of the unemployment portal’s lack of security and she is “at imminent risk of additional fraudulent transactions and other concrete, tangible harm.”
Only Deloitte “was in a position to ensure that its systems were sufficient to protect” residents’ personal information and inherently promised residents it would do so “using reasonable or industry-standard means,” Julius alleged, adding the company should have spent more financial resources on security measures.
“Instead of providing for a reasonable level of security that would have prevented the breach — as is common practice among companies entrusted by such (personal identifying information) — (Deloitte) instead consciously and opportunistically calculated to increase its own profits at the expense of Julius and (all other harmed Americans),” according to the lawsuit.
She is represented in the case, filed June 8, by two Missouri attorneys — Tiffany Yiatras, with Consumer Protection Legal LLC, and Francis Flynn Jr. Deloitte’s attorneys did not file a response yet, but were notified of the lawsuit in a letter mailed on June 9.
Capitol News Illinois is a nonprofit, nonpartisan news service covering state government and distributed to more than 400 newspapers statewide. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation.