Perkins & Co. (“Perkins”) recently confirmed a data breach stemming from a data security incident at a third-party company that Perkins used to store data in the cloud. According to Perkins, the breach resulted in the compromise of the following data: names, Social Security numbers, and financial account numbers. Perkins believes that the recent data breach affected 354,647 people. On May 27, 2022, Perkins filed an official notice of the breach and sent data breach letters to all affected parties.
If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of a Perkins & Co. data breach, check out our recent article on the topic. here.
What caused the Perkins & Co. data breach
Information related to the Perkins data breach comes primarily from several letters the company filed with state regulatory agencies following the incident. Evidently, around December 3, 2020, Perkins was informed by Netgain Technologies (“Netgain”), a provider that Perkins uses to host its data in the cloud, that Netgain had recently suffered a ransomware attack.
After Perkins learned of the ransomware attack on Netgain, the two companies frequently communicated about the incident. On January 15, 2022, Netgain transmitted the following to Perkins management: Between the dates of November 8, 2020 and December 3, 2020, Netgain servers containing Perkins data were accessed by an unauthorized party. The unauthorized party also copied and stole some of the files from the server. The unauthorized party also encrypted the files and demanded Netgain to pay a ransom in exchange for the return of the stolen files. Netgain paid the ransom and the unauthorized party returned the files they had stolen and provided Netgain with a decryption key.
Upon discovering that an unauthorized party could access sensitive consumer data, Perkins & Co. conducted its own investigation into the incident to determine if any of the consumer data in the company’s possession was compromised. Although the information breached varies by individual, it can include the individual’s name, Social Security number, and bank account number.
On May 27, 2022, Perkins & Co. sent data breach letters to everyone whose information was compromised as a result of the recent data security incident.
More information about Perkins & Co.
Perkins & Co. is an accounting firm based in Portland, Oregon. Perkins provides a wide range of services to individual and organizational clients, including business advisory services, tax services, estate planning, litigation support, employee benefit plan audits and more. Perkins & Co. employs more than 156 people and generates approximately $29 million in annual revenue.
Who is responsible for a data breach?
After a data breach, victims often wonder who may be responsible for leaking their information. Under United States data breach laws, all organizations in possession of consumer data have an obligation to safeguard the information in their possession. This includes those organizations that directly receive the information from consumers, as well as third-party companies that receive the data through an intermediary.
In the case of the Perkins data breach, there is no indication that Perkins was negligent in maintaining its own data security systems. However, depending on future evidence, there is a possibility that Perkins negligently entrusted consumer data to Netgain. For example, this may be the case if Perkins had reason to believe that Netgain’s servers were not secure or that the company had a history of mishandling consumer data.
Of course, Netgain could also be potentially responsible for the infringement. Organizations and their data security systems are the first line of defense against cyber attacks. Those companies that choose not to maintain strong data security systems do so at great risk to consumer privacy, as hackers routinely target those companies known to have inadequate protections.
The bottom line is that data breach laws provide a mechanism for victims of a data breach to file a claim for compensation against the company responsible for the breach. However, determining which company is responsible requires a thorough understanding of complex data breach laws. Those seeking answers in the wake of the Perkins data breach should consult with an experienced data breach attorney to learn more about their rights.