Blackhawk Networks, a private global branded payment company headquartered in California, is the object of a proposed class action lawsuit over an alleged “foreseeable” data breach that occurred in September of 2022 which has affected thousands of consumers.

The 34-page lawsuit asserts that the company, whose commercial products include providing payment services involving prepaid gift cards, eCodes and incentive cards for merchants and employers, failed to identify, protect and prevent the “particularly egregious” incident.

Blackhawk Networks works with some of the biggest retail names in the country. Blackhawk manages a site called MyPrepaidCenter.com where people can redeem a physical card or virtual code from Blackhawk Network or one of its partners.


Description

On October 31, 2022, Blackhawk Network filed a Notice of Breach with the Attorney General of Montana. A similar notice was filed with the Attorney General of Iowa the same day. Blackhawk states that they detected irregular activity involving MyPrepaidCenter.com and took immediate steps to investigate the incident and eradicate the suspicious activity. Their investigation showed that an unauthorized acquisition of data took place between September 4th and 12th. While it isn’t known how many individuals were affected, the acquired data included information such as full name, email address, telephone number and prepaid gift card information including card numbers, expiration dates and CVV codes.


Basis of the Case

The class action complaint was filed in the state of California on November 11, 2022, by an individual plaintiff whose personally identifiable information (PII) was compromised in the attack. The suit is seeking damages for the plaintiff as well as class members who were similarly affected. The complaint states that by collecting the involved PII, the defendant had a “duty of care” to use reasonable security measures to secure and safeguard its computer property and prevent the disclosure and theft of private information. This “duty of care” was further amplified by the fact that Blackhawk had detected similar suspicious activity on its site previously, in August of 2020.

The complaint states that the defendant had a “duty of care” concerning the following responsibilities:

  • Defendant owed a duty of care not to subject Plaintiff and the Class Members to an unreasonable risk of harm because they were the foreseeable and probable victims of any inadequate security practices.
  • Defendant breached its duties of care by failing to provide prompt notice of the data breach to the persons whose PII was compromised.
  • Defendant knew, or should have known, that the computer systems and security practices of its third-party vendors did not adequately safeguard the PII.
  • Defendant failed to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting, and protecting the PII in its possession.
  • Defendant’s “duty of care” extended to ensuring that any third-party vendors it hired that had exposure to the PII would implement adequate measures to prevent and detect cyber intrusions.

The lawsuit alleges that because Blackhawk failed to properly secure and safeguard the PII of those represented in the complaint, thousands of Blackhawk’s customers will continue to incur “real and imminent harm” as a direct consequence of the Defendant’s conduct, including the following:

  • Unauthorized charges to their payment card accounts.
  • Theft of customers’ personal data and financial information.
  • Loss of use of and access to their account funds along with any costs associated with the inability to obtain money from those accounts.
  • Costs associated with the time spent and lost productivity due to the tasks required to deal with the aftermath of the breach such as the canceling and reissuing of cards, credit monitoring, etc.


Call to Action

A “duty of care” implies a situation in which a person or organization has a responsibility to act with the same prudence that a reasonable person would in a similar circumstance. If the actions fail to meet that standard of care, the acts may be considered negligent, which can lead to a suit claiming damages for the stated negligence. If your organization retains or works with the personal or sensitive information of others, you have an ethical and legal obligation to take reasonable measures to secure that data. While it is impossible to protect your computers and enterprise environments from all types of attacks, you are bound to take reasonable security measures to fulfill your “duty of care”.

Those who are unsure of what their “duty of care” is regarding cybersecurity should consider a Duty of Care Risk Assessment (DoCRA). DoCRA is a risk assessment process that is easy to adopt and holds up to the scrutiny of regulators, attorneys, and executive management. At present, eight states have accepted the DoCRA test as the definition for reasonable security. The most recent include Pennsylvania and New York, in the Herff Jones data breach settlement.

Review your current risk profile to establish reasonable security controls based on the mission, objectives, and obligations of your organization.


Estimating Risk by Industry

HALOCK’s risk approach has been recognized in the 2024 Verizon Data Breach Investigations Report (DBIR). Estimate risk based on real threat data: read Appendix D in the DBIR to augment your risk analysis.