United States: Kronos Agrees To $6 Million Settlement For 2021 Ransomware Attack Resulting From Inadequate Cybersecurity Safeguards

On April 28, 2023, Kronos Inc. and its parent company, UKG Inc., a workforce management solution for human resources (HR) functions, requested that the Northern District of California¹ approve a proposed settlement agreement between UKG and a class of employees affected by a 2021 ransomware attack. In December 2021, UKG suffered a ransomware attack on its Kronos Private Cloud ("KPC") platform, which targeted, and in some cases acquired, the personal data of employees and their dependents. The attack also resulted in an outage of the KPC platform for several weeks, disrupting operations and services to its customers and their employees.

Consolidated Class Action Complaint

After the data subjects whose personal data was targeted filed various complaints in the immediate aftermath of the incident, the court ordered all complaints consolidated into a single class action.²The consolidated complaint asserted nine total causes of action under both U.S. federal and California law, split between two putative classes: a first "Nationwide Class" covering all persons within the United States whose personal information (or payroll systems) were affected and a second "California Subclass" of persons residing in California whose personal information was involved in the attack. The consolidate complaint alleged, generally, that:

• Negligence³: UKG was negligent in establishing and maintaining its cybersecurity policy, pointing to UKG's own privacy policy that represented the appropriate protections of personal information.

• Negligence Per Se⁴: UKG violated Section 5 of the Federal Trade Commission (FTC) Act⁵, which sets forth a baseline duty to safeguard personal information, as well as state statutes.

• Unjust Enrichment⁶: UKG unlawfully benefitted from the collection and use of personal information despite its failure to protect it, which would not have been shared by UGK's customers and their employees but for UKG's "commitment to maintain [that personal information's] privacy, security, and confidentiality."

• Breach of Contract⁷: UKG breached its published privacy policy.

• Violation of the California Consumer Privacy Act⁸: Applicable only to the California subclass, UKG violated Section 1798.150(a) of the California Consumer Privacy Act, which creates a private right of action for any consumer whose personal information is "subject to unauthorized access and exfiltration" as a result of a company's failure to implement and maintain "reasonable security procedures and practices."

• Violation of the California Customer Records Act⁹: Only applicable to the California subclass, UKG breached Section 1798.81.5 of the California Civil Code, which provides a private right of action to customers injured by a business's failure to adequately protect personal information from "unauthorized access, destruction, use, modification, or disclosure" and untimely notification of the incident.¹⁰

• Violation of the California Unfair Competition Law¹¹: UKG willfully, deceptively, unfairly, and unconscionably engaging in deceptive business practices in allowing the breach to occur, and directly and proximately caused harm to California residents as a result.

• Invasion of Privacy¹²: Finally, invasion upon seclusion based upon UKG "intentionally intrud[ing]" upon the "solitude, seclusion, and private affairs" of the Plaintiffs and other class members by permitting unauthorized access to UKG systems and the personal information contained therein.

The Settlement

After months of negotiations, the parties notified the court of the settlement agreement, requesting preliminary approval.¹³ The proposed agreement identifies three "classes":

1. A "Nationwide Class" of all natural U.S. persons who are current or former employees of UKG customers who were impacted by the interruption of the KPC application from the December 2021 incident.

2. A "California Subclass", which includes all Nationwide Class members who were also California residents at the time of the December 2021 incident.

3. An "Exfiltration Subclass", which includes all members of the Nationwide Class whose data was exfiltrated during the December 2021 attack and were offered credit monitoring services.

UKG will establish a Settlement Fund of $5,500,000 to pay approved claims (and other expenses related to the settlement).From this fund, members of the Nationwide Class can seek up to $1,000 per person in compensation based on a series of relevant categories: long distance phone charges, cell phone charges, data charges, bank fees, credit monitoring, and late fees, and other documented non-wage monetary losses.¹⁴ In addition, Nationwide Class members may also seek up to four hours of lost "personal time" (at $25/hour) spent responding to the December 2021 incident. Further, members of the Exfiltration Subclass may seek up to $7,500 in additional damages based upon "actual, documented, and unreimbursed" monetary losses associated with the December 2021 incident, and members of the California Subclass may request an additional $30 enhancement.

Implications

This settlement provides several key takeaways for companies who may experience a breach (whether from malicious actors or otherwise).

First is the importance of prompt, complete notification to persons whose personal information is subject to a breach.Given the multi-jurisdictional reach of many companies, it is likely that a data breach may affect people in a wide range of locales, each with its own data breach notification requirements. Failure to adhere to even one of these myriad requirements may result in liability even if a company is able to avoid liability for the initial breach.

This underscores the second, but equally important, point: the necessity of pre-planning for security incidents.Where customers (and employees) can range across several jurisdictions, it is important to understand where, and when, breach notifications must be sent in the event of an incident. It is vital to have a plan in place to respond to the incident, assess the impacts, and determine notification obligations quickly and efficiently.

Third, companies must remain aware of both their vendors' cybersecurity posture and practices, as well as, where applicable, their customers' cybersecurity posture. Where a company's own actions may have secondary or tertiary effects outside its own operations, such effects may expose them to further liability to account for damages that are indirectly caused by its actions.For example, UKG's customers' employees, not UKG and not UKG's customers directly, at least according to the complaint, bore the brunt of the damage from the attack on UKG itself. These damages came in the form of risk of identity theft, the disclosure of sensitive personal information, and other potential harms.

Finally, the very nature of this lawsuit shows the growing sophistication and interconnectedness of cybersecurity.Although some individual counts in this case were primarily based upon California statutes, many of the allegations in the consolidated complaint relied upon various provisions of U.S. federal law, common law, and individual state statutes. This increasingly complex portrait of cybersecurity laws is only likely to become more complex in the future with the growing number of state-based privacy legislation.Singular actions by a company, seemingly minor incidents, have the capability to implicate laws across the nation and require knowledgeable, experienced counsel to coordinate national and international policy.

Footnotes

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.