RR Donnelly & Sons Company (RRD) offers marketing and business communications, commercial printing, and related services. Although it is on the Fortune 500 list, the complaint for this class action alleges it did not take adequate measures to safeguard the personally identifiable information (PII) entrusted to it.
The Nationwide Class for this action is all persons RRD identified as being among those individuals impacted by the data breach, including all who were sent a notice about the data breach.
The complaint alleges, “Businesses that collect and store PII have statutory, regulatory, contractual, and common law duties to safeguard that information and ensure it remains private.”
In its Privacy Policy, RRD describes its data security practices. The complaint quotes it as saying that it “follow[s] generally accepted industry standards to protect the personal data submitted to us” and “use[] reasonable measures to safeguard personally identifiable data, which measures are appropriate to the type of data maintained and follow[] applicable laws…. In addition, in some areas of our Sites, RRD may use encryption technology…”
According to the complaint, RRD also claims to “employ[] industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.
Nevertheless, for almost a month, between November 29 and December 23, 2021, the complaint alleges, RRD failed to detect the intrusion of unauthorized parties into its systems.
The complaint quotes the Notice of Data Breach as saying, “On December 23, 2021, RRD identified a systems intrusion in its technical environment. … Based on observed tactics, RRD identified the Threat Actor as being affiliated with a foreign ransomware group. RRD also determined that the Treat Actor gained access through a phishing attach that targeted several employees…”
At first, the complaint alleges, RRD did not believe any data had been removed from its systems. But at a later date, the complaint alleges, on or around mid-January 2022, RRD “became aware certain corporate data [had been] accessed and exfiltrated by a ransomware group.”
The complaint alleges that the information accessed included names, dates of birth, driver’s license numbers and Social Security numbers.
However, it was only many months later, on or around August 5, 2022, the complaint claims, that RRD began informing the individual victims of the data breach.
The complaint faults the company for three things: (1) failing to adequately protect the PII in its care, (2) failing to warn the people whose PII it maintained that it did not have adequate security practices in place, and (3) failing to secure the hardware that contained the PII with reasonable and effective security procedures that were “free of vulnerabilities and incident.”
It also complains about RRD’s delayed announcement of the incident.
Article Type: LawsuitTopic: News, Privacy
Most Recent Case Event
RR Donnelley & Sons Data Breach Complaint
August 15, 2022
RR Donnelly & Sons Company (RRD) offers marketing and business communications, commercial printing, and related services. Although it is on the Fortune 500 list, the complaint for this class action alleges it did not take adequate measures to safeguard the personally identifiable information (PII) entrusted to it.
RR Donnelley & Sons Data Breach ComplaintCase Event History
RR Donnelley & Sons Data Breach Complaint
August 15, 2022
RR Donnelly & Sons Company (RRD) offers marketing and business communications, commercial printing, and related services. Although it is on the Fortune 500 list, the complaint for this class action alleges it did not take adequate measures to safeguard the personally identifiable information (PII) entrusted to it.
RR Donnelley & Sons Data Breach Complaint