Epiq Seeks Removal of Data Breach Class Action to Federal Court
Author: Victoria Hudgins – Law.com
…alleged information stolen from Epiq’s networks included nonencrypted and unredacted personal information and that Epiq failed to satisfy its duty to implement reasonable security procedures and practices as required by CCPA…
…statutory damages between $100-$750 per class member for each CCPA violation or actual damages…
…applying the minimum statutory damages sought by Karter would exceed $5 million, Epiq said…
Epiq’s “Ryuk” ransomware attack in February cut off customer access to their hosted discovery matters for roughly three days. This outage constitutes a major service interruption and violation of normal Service Level Agreements for one of the largest global legal service providers. Beyond SLA penalties, missed production deadlines and unhappy customers, Epiq is now facing a potential class action suit under the new California Consumer Privacy Act (CCPA). Epiq asserts that based on their investigation no consumer data was exfiltrated and no PII exposed in the attack. But what is the cost to defend against the allegations and the cost to their reputation?
I generally recommend actively screening for PII in collections, or excluding or redacting it during processing as being irrelevant and a risk. Even better is having a written policy in your discovery protocols that requires counsel approval before collecting from data sources with known PII (i.e. HR reports, benefits managers, etc.). Of course, this requires you to have an updated data map in your ECA process. So many moving parts for discovery practitioners to account for.