Stephen McDonald, a customer of Peoples Bank, successor to Limestone Bank, has filed a lawsuit on behalf of himself and others similarly affected, alleging that the bank failed to protect their sensitive personal information (SPI) from a data breach. The lawsuit, filed on September 26, 2023, in the United States District Court for the District of Ohio, claims that the bank's negligence led to the compromise of SPI, including Social Security numbers, full names, and financial account numbers.
"The hack and exfiltration occurred between November 21, 2022, and March 23, 2023," the lawsuit states. The bank, however, did not promptly notify the affected individuals, which, according to McDonald, posed a significant risk of identity theft and various other forms of personal, social, and financial harm.
The lawsuit alleges that Peoples Bank, after acquiring Limestone Bank, experienced a data breach involving the exfiltration of SPI of approximately 47,590 current and former customers. The breach, according to the lawsuit, was a result of the bank's negligent and/or careless acts and omissions, as well as its failure to adequately protect and warn customers about the breach.
The claims against Peoples Bank include negligence and negligence per se, the latter being a violation of Section 5 of the FTC Act. This law prohibits "unfair or deceptive acts or practices in or affecting commerce," and its violation, as per the lawsuit, is due to the bank's failure to implement and maintain reasonable security measures to protect its customers' SPI.
McDonald and the class members are seeking damages for actual identity theft, loss of opportunity, compromise of SPI, out-of-pocket expenses, lost opportunity costs, continued risk to SPI, and future costs associated with preventing, detecting, and repairing the impact of the data breach. The lawsuit defines the class as all natural persons residing in the United States whose SPI was compromised in the data breach announced by the defendant on or about September 15, 2023.
The lawsuit paints a picture of a bank that, despite being entrusted with the SPI of its customers, failed to protect it, leading to a data breach that could have severe consequences for those affected. The bank's alleged failure to promptly notify the affected individuals about the breach further compounds the issue, as it potentially delayed the measures they could have taken to mitigate the impact of the breach.
While the lawsuit is still in its early stages, it brings to the fore the importance of data security and the potential consequences of failing to adequately protect customer information. As the case progresses, it will be interesting to see how the court interprets the claims of negligence and negligence per se, especially in the context of data breaches.