California Pizza Kitchen Exposure of Employee PII in Data Breach Class Action

California Pizza Kitchen, Inc. (CPK) offers restaurants that serve California-style pizza. Its workers must provide CPK with private, personally identifying information (PII) when they go to work for the company. Unfortunately, the complaint for this class action alleges that CPK did not take adequate measures to protect this PII and suffered a cybersecurity attack that exposed the information some 100,000 current and former employees.

The class for this action is all current and former CPK employees whose PII was accessed in the data breach.

The complaint quotes the Notice of the data breach as saying that around September 15, 2021, CPK found a “disruption to certain systems on [its] computing environment.” The company then hired computer forensic specialists to investigate the data breach.

On or around October 4, 2021, it was able to confirm that unauthorized parties had accessed some of its files. The complaint alleges, “CPK thereafter implemented safeguards it believes would have prevented the Data breach, including providing additional cybersecurity training for its employees.”

CPK sent out a Notice about the data breach dated November 15, 2021, a significant delay of about two months after the breach was discovered.

The complaint claims, “CPK has not publicly acknowledged the full extent of PII accessed by unauthorized individuals, but admitted in the Notice it mailed to current and former employees that the PII accessed includes full names and Social Security numbers, and other highly sensitive PII.”

CPK has also not made clear the length of time that the cybercriminals had access to its computer systems. The complaint speculates that, “based on the type of information accessed and exfiltrated, the unauthorized individuals likely had access to [CPK’s] computer systems for a significant amount of time prior to September 15, 2021.

The complaint claim that CPK is responsible for the data breach: “CPK failed to invest in adequate data security and properly safeguard its information systems.” This resulted in what the complaint calls “an eminently avoidable cybersecurity attack.”

The Federal Trade Commission (FTC) has been bringing cases against companies, the complaint alleges, “that have engaged in unfair or deceptive practices involving inadequate proteciotn of personal data, including recent cases concerning exposure of employee PII…. The FTC publicized these enforcement actions to place companies, like [CPK], on notice of their obligation to safeguard PII.”

The FTC publishes guidelines for businesses for the protection of information. According to the complaint, however, CPK failed to meet both FTC and industry standards for data protection.

The complaint also alleges that “data security experts have stated that the credit monitoring offered by CPK is insufficient to protect victims of the Data Breach.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy