PlanMember Securities Corporation Targeted by Cyber Thieves

Affected California Consumers Receive Data Breach Notifications

On April 15, 2022, PlanMember Securities Corporation (“PlanMember”) reported a data breach to the California Attorney General’s Office. According to PlanMember, on February 17, 2022, criminal actors illegally gained access to a company executive’s email account and impersonated him in an attempt to steal funds.

The compromised email account contained documents with client personal information. PlanMember did not discover the security breach until March 15th, and does not know which particular documents the cyber thieves accessed from the breached email account. The personal data of over 70,000 individuals are at risk.

PlanMember Personal Information at Risk:

  • Names
  • Social Security Numbers
  • PlanMember Account Numbers

PlanMember is providing 12 months of complimentary access to Experian IdentityWorks. There is a deadline for enrollment.

The full text of the PlanMember Notice of Data Breach can be found here.

PlanMember Securities is part of a family of companies that include PlanMember Financial Corporation, PlanMember Services Corporation, and PlanMember Asset Management Corporation.

With its corporate headquarters located in Carpinteria, California, PlanMember provides investments and retirement planning services nationwide.

Special California Laws Protect You

California has laws that specifically protect your personal information.

  • The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
  • The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.

If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA. Medical information is additionally covered by the CMIA.

If you are a California resident and received a recent Notice of Data Breach from PlanMember, you may be entitled to between $100 and $750 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from recurring.

Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by PlanMember May Not Be Enough

Identity theft is on the upswing. For example, in Washington State, residents were sent 6.3 million data breach notices, the largest number on record.[1] By 2021, there were over 50 million personal records compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

Cyber crime is attractive to hackers: data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like Social Security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and heightens anxiety over future losses and identity theft.

Businesses Should Be Held Accountable For Data Breaches

Many businesses amass huge troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cyber criminals is their responsibility. When businesses decide to collect and keep personal data about California customers, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.

This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[3]

[1] Source: B. Ferguson, Attorney General, Washington State Attorney General’s Office, 2021 Data Breach Report (2021).

[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[3] Source: Same as [2].