J.P. Morgan Sued For Data Exposure

A participant in a retirement plan managed by J.P. Morgan Chase & Co. has initiated legal action against the company following recent reports of a data breach where over 451,000 plan participants’ personal details were exposed, 

According to the lawsuit filed in the U.S. District Court for the Southern District of New York on May 3, former Long Island Railroad employee Benjamin Valentine’s personal information—which he entrusted with J.P. Morgan on the mutual understanding that the firm would protect it against disclosure—was “targeted, compromised and unlawfully accessed due to the data breach.”

The personal identifiable information that was exposed included participants’ full names, addresses, payment and deduction amounts and Social Security numbers, the bank confirmed last week when making public news of the breach.

A spokesperson at J.P. Morgan at that time said the breach was not part of a cyberattack and there was no indication of data misuse. A regulatory filing submitted to the Maine Attorney General had revealed that on February 26, J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see.

As a condition of Valentine’s employment with the Long Island Railroad, he was required to provide his personal identifiable information to J.P. Morgan, according to the lawsuit.

Valentine received a notice letter about the data breach on April 18, and according to the letter, his personal information was “improperly accessed and obtained by unauthorized third parties,” including his name, address, Social Security number and payment and deductions amount.

The lawsuit claims that Valentine suffered injury from having his information compromised. This includes invasion of privacy, theft of his PII, lost or diminished value of PII, lost time and opportunity costs associated with attempting to mitigate the actual consequences of the data breach and more.

“The data breach has caused [Valentine] to suffer fear, anxiety, and stress, which has been compounded by the fact that [J.P. Morgan] has still not fully informed him of key details about the data breach’s occurrence,” the lawsuit states.

The lawsuit also accuses J.P. Morgan of failing to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect its clients’ employees’ PII from a “foreseeable and preventable cyberattack.”

While J.P. Morgan denied that the breach was a result of a cyberattack, the lawsuit argues that the firm was targeted for a cyberattack due to its “status as a financial institution that collects and maintains highly valuable PII on its systems.”

In addition, the lawsuit accuses J.P. Morgan of failing to ensure its data systems were protected against unauthorized intrusions, failing to take steps to prevent the data breach and failing to provide affected participants “prompt and accurate notice” of the breach.

“Omitted from the notice letter were the details of the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again,” the lawsuit stated.

Lynne Atchison, executive director of benefit payment services at J.P. Morgan, wrote in the disclosure notice to the Maine AG that the firm “promptly addressed the access and applied a software update” once the firm was aware of the issue.

Through the lawsuit, Valentine seeks relief including, but not limited to, actual damages, treble damages, statutory damages, injunctive relief and attorney’s fees and costs.  

Valentine is represented by law firm Milberg Coleman Bryson Phillips Grossman LLC based in Garden City, New York.

J.P. Morgan did not respond immediately to a request for comment on the lawsuit.