Because they handle payroll and benefit management for other companies, Sequoia Benefits and Insurance Services, LLC and Sequoia One PEO, LLC, hold in their systems a great deal of personally identifiable information (PII) and other private information. Even so, the complaint alleges that Sequoia did not implement reasonable, industry-standard measures to secure this information, leading to a data breach in the second half of 2022.
The class for this action is all persons Sequoia identified as being among the individuals affected by the data breach, including all those who were sent a notice of the data breach.
According to the complaint, Sequoia is licensed to do business in all fifty states and has more than 1,500 clients, each of whom in turn has many employees whose information the company stores. The complaint quotes Sequoia as saying that its HRX platform “brings together all your data from previously-disconnected transactional systems and centralizes everything in one place for a holistic view of the programs that makes up your total people investment.”
The complaint quotes Sequoia as touting their good security, saying that their “endpoints are secured using advanced solutions to detect and respond quickly to malicious attacks. … Systems are monitored 24/7 by a variety of technologies and our SIEM is monitored 24/7/365…”
But the complaint alleges that “these representations are false,” because unauthorized parties were able to access Sequoia’s cloud storage system from September 22 to October 6, 2022, and the intrusion was not discovered until November 17, 2022. According to the complaint, the data breach compromised the information of more than 580,000 people. The complaint quotes a TechCrunch article as saying that it is “not clear if Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned, if any.”
The complaint also quotes Sequoia as claiming to use “strong encryption algorithms” but claims that this as well was not true because, “upon information and belief, the Private Information accessed in the Data breach was not encrypted…”
Listed in the complaint are measures it says Sequoia should have taken, as recommended by the US Government, the US Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team. It claims that the very fact that the data breach occurred shows that Sequoia failed to implement these measures.
Furthermore, the complaint alleges, “[e]ven if the cybercriminals had been able to access [Sequoia’s] network despite reasonable security measures, [Sequoia] could have prevented the consequences by properly encrypting the files containing PII, or destroying PII it no longer had a legitimate need for.”
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Sequoia Benefits and Insurance Cybersecurity Breach Complaint
December 19, 2022
Because they handle payroll and benefit management for other companies, Sequoia Benefits and Insurance Services, LLC and Sequoia One PEO, LLC, hold in their systems a great deal of personally identifiable information (PII) and other private information. Even so, the complaint alleges that Sequoia did not implement reasonable, industry-standard measures to secure this information, leading to a data breach in the second half of 2022.
Sequoia Benefits and Insurance Cybersecurity Breach ComplaintCase Event History
Sequoia Benefits and Insurance Cybersecurity Breach Complaint
December 19, 2022
Because they handle payroll and benefit management for other companies, Sequoia Benefits and Insurance Services, LLC and Sequoia One PEO, LLC, hold in their systems a great deal of personally identifiable information (PII) and other private information. Even so, the complaint alleges that Sequoia did not implement reasonable, industry-standard measures to secure this information, leading to a data breach in the second half of 2022.
Sequoia Benefits and Insurance Cybersecurity Breach Complaint