This could be a tech staffing firm's worst nightmare. The University of California Board of Regents has launched a lawsuit (copy attached below) against Kelly Services asserting that an employee of one of its sub-subcontractors downloaded the names, addresses, birthdates, and Social Security numbers of approximately 179,629 University employees or dependents onto an "external hard drive." In addition to Kelly, the Complaint names as defendants Kelly's subcontractors Simply The Best Technology Solutions, Inc. and Datalore Technologies, Inc., as well as IT consultant Harinath Vangeti, who is alleged to have been an employee of Datalore.
The breach was discovered through an unusual set of circumstances, as described in the Complaint:
On March 15, 2021, Plaintiff was contacted by Wells Fargo Bank (“Wells Fargo”), which advised that through Wells Fargo’s data loss prevention program, it had discovered personal information of Plaintiff’s employees on an external hard drive that was connected to a Wells Fargo laptop computer. Plaintiff immediately began an investigation, which included contacting the Federal Bureau of Investigation to request assistance. Prior to the contact by Wells Fargo on March 15, 2021, Plaintiff had no knowledge or notice that there had been a data breach relating to its employees’ personal information which was discovered by Wells Fargo.
Over the next couple of months, the investigation by Plaintiff and the FBI revealed that the external hard drive that contained personal information of Plaintiff’s employees belonged to Defendant Vangeti, and that on February 26, 2021, Vangeti had connected the hard drive to a docking station used by his wife, who was a contractor working for Wells Fargo at the time (the “Data Breach”). During the investigation, Vangeti did not deny that he had disclosed Protected Information in violation of Plaintiff’s policies, but he asserted that he had inadvertently connected his hard drive to the wrong port on his wife’s docking station.
Among other things, the investigation revealed that Vangeti had downloaded Protected Information from Plaintiff’s network onto an external hard drive and had taken the hard drive home in violation of Plaintiff’s written policies. In addition, the Protected Information on the hard drive was not encrypted, which also violated Plaintiff’s policies. Furthermore, although Vangeti had ceased providing services to Plaintiff under the Kelly Contract in June 2020, he had failed to return Plaintiff’s electronic data, including its employees’ Protected Information to Plaintiff, nor had he destroyed it, as required by Plaintiff’s written policies. Then, several months later, Vangeti improperly disclosed that Protected Information to Wells Fargo when he connected his hard drive to a Wells Fargo computer.
The Complaint naturally relies upon the broad, one-sided indemnity provisions contained in Kelly's contract with the University System. The damages sought include $162,564 paid to Experian to provide notice to the affected employees.
Fortunately for Kelly, it does not appear that the personal information was used for improper purposes or publicly disclosed, except for the inadvertent disclosure to the security team at Wells Fargo Bank, which resulted from Vangeti merely connecting a device to Wells Fargo's systems. This speaks highly of Wells Fargo's data security capabilities, and perhaps less so of the University System's.
We can only speculate as to the reason the consultant chose to download the information. It is possible that he did it in the ordinary course of his assignment, which related to work on the University's Human Resource Information System. In any event, one wonders if negotiated changes to Kelly's contractual indemnity obligations might have served to impose at least some of the responsibility upon the client for its own lax data security. I certainly think so, as I have succeeded in obtaining such changes in my own contract reviews for staffing firms.
Contact Bill Josey at firstname.lastname@example.org