P2 Energy Failure to Protect PII from Data Breach Class Action

P2 Energy, LLC offers software and accounting services for oil and gas companies around the world. But the complaint for this class action alleges that P2 did not take adequate measures to protect the personally identifiable information (PII) it held in its systems from a data breach, and then did not inform the individual victims of the data breach for more than a year.

The class for this action is all individuals living in the US whose PII was exposed in the data breach that was first announced by P2 Energy on or around December 19, 2022.

P2 could not operate its business without having the PII of many people in its systems. “By obtaining, collecting, using, and deriving a benefit from the PII” of all these people, the complaint alleges, P2 “assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

It appears, however, that P2 despaired from the beginning of being able to maintain complete security over the information it stored. The complaint quotes the company’s Privacy Policy as saying, “No method of transmission over the Internet, or method of electronic storage, is fully secure. While we use reasonable efforts to protect your personal information from unauthorized access, use, or disclosure, we cannot guarantee the security of your personal information.”

The complaint quotes P2’s Notice about the data breach saying that the company “identified suspicious network activity on November 17, 2021” and eventually determined that “an unauthorized party accessed and acquired certain files from our network between November 8, 2021 and November 17, 2021.”

According to the complaint, the information exposed included names and Social Security numbers and affected some 62,000 people. The complaint alleges that the information was unencrypted and unredacted.

The Notice, as quoted in the complaint, says that P2 “implemented additional security measures to enhance the security of our network and we are continuing to train our employees concerning data security.”

However, the complaint alleges that the Notice leaves out a great deal: “Omitted from the Notice Letter were the details of the root cause of the Data Breach, the vulnerabilities exploited, why P2 initially failed to investigate the Data Breach after detecting suspicious activity on its network, why P2 failed to notify impacted individuals[] about their compromised data for more than thirteen months, and the remedial measures undertaken to ensure such a breach does not occur again.”

The complaint alleges that data breaches are preventable and that P2 “could have prevented this targeted Data Breach by properly securing and encrypting the files and file servers” that contained the private information.

It claims that P2 did not follow measures recommended by the US government, the US Cybersecurity and & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. The complaint lists a number of these recommendations and implies that P2 did not put them into practice.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy