McGlenn v. Driveline Retail Merch.

Decision Date: 21 September 2021
Docket Number: 18-cv-2097
Parties: LYNN MCGLENN, Plaintiff, v. DRIVELINE RETAIL MERCHANDISING, INC., Defendant.
Court: U.S. District Court — Central District of Illinois
ORDER AND OPINION

SUE E MYERSCOUGH, UNITED STATES DISTRICT JUDGE

This cause is before the Court on Defendant Driveline Retail Merchandising, Inc.'s (Driveline) Motion for Summary Judgment (d/e 84). For the reasons stated below the Court GRANTS Defendant's Motion for Summary Judgment (d/e 84).

I. FACTS

The Court draws the following facts from the parties' statements of undisputed facts and from the evidence submitted by the parties. Any facts not disputed, or disputed without evidentiary documentation of the basis for the dispute, have been deemed admitted. See CDIL-LR 7.1(D)(2)(b)(2).

On January 25, 2017, Driveline and thousands of its employees became the victims of a criminal phishing attack. An unknown individual (the “perpetrator”), disguised as the Chief Financial Officer (“CFO”) of Driveline, sent an e-mail to a Driveline employee who worked in the payroll department. The perpetrator asked the employee to send all of Driveline's employees' 2016 W-2s. The employee responded to the email and sent the 2016 W-2s of 15,878 employees to the perpetrator. These 15,878 W-2s contained social security numbers, names, home addresses, and wage information for employees who worked at and received wages from Driveline during the time period of January 1, 2016 to December 31, 2016. Driveline admits that this information is irretrievably lost, to be used against its employees forever.

When Driveline realized that the email had been a phishing attack, it notified the Federal Bureau of Investigation (“FBI”). Driveline also provided the IRS with the names and Social Security numbers (“SSNs”) of the affected employees so the IRS could impose appropriate controls to prevent the filing of fraudulent returns.[1] Driveline notified the appropriate governmental authorities of all fifty states, Guam, and Puerto Rico of the Disclosure.

Effective January 31, 2017, Driveline retained the services of AllClear ID, a credit and identity theft prevention monitoring service, to protect the employees whose personal identifying information (“PII”) was involved in the Disclosure. All affected employees were automatically enrolled in the base protection, called “AllClear ID Identity Repair.” Any employee suspecting identity theft could file a claim, and AllClear ID would provide identity and credit remediation services. Additionally, employees were given the opportunity to enroll for free for one year of enhanced services, called “AllClear Credit Monitoring.” To obtain the enhanced services, the employees had to contact AllClear ID and set up their individual accounts.

Driveline waited to notify employees of the Disclosure until the FBI gave Driveline the “green light.” On February 14, 2017, after the FBI notified Driveline that issuing notice would not hinder the FBI's investigation, AllClear ID mailed a letter and supporting materials on behalf of Driveline to all the employees involved in the Disclosure.

McGlenn's PII was part of the Disclosure. She received the Disclosure notification letter, but McGlenn did not enroll in the free enhanced credit monitoring offered by Driveline through AllClear ID. Some Driveline employees involved in the Disclosure received letters from the IRS requiring them to present to an IRS office in person before filing their 2016 taxes, but McGlenn did not receive such a letter. McGlenn does not claim that anyone attempted to file a fraudulent tax return using her PII.

McGlenn, however, did experience some fraudulent activity on her financial accounts after the Disclosure. Six months after the Disclosure, someone tried to activate a Capital One credit card on an account opened in her name. Capital One received a credit card application that included McGlenn's former married name (Lynn Watts), her telephone number, her date of birth, address, and SSN on or about July 20, 2017. A man attempted to activate the Capital One account via telephone by providing McGlenn's former name, her telephone number, and her date of birth. McGlenn's W-2 does not contain her date of birth. Nor did the Disclosure reveal her telephone number or former last names. Driveline never even knew McGlenn's former married name (Watts) because when she applied for a job with Driveline, she was already married to Mr. McGlenn.

In December 2017, eleven months after the Disclosure, someone used McGlenn's Charlotte Metro Credit Union debit card to incur a $252.79 charge. McGlenn confirmed that the information at issue in the debit card charge, which included her credit union account number, credit union name, credit card numbers, and debit card numbers, was not part of the Driveline Disclosure.

McGlenn also acknowledged that her data was stolen during the Equifax data breach. As clarified in McGlenn's response, Equifax provided notice of the breach in September 2017, but the breach itself occurred between May 2017 and July 2017. See d/e 86 at p. 3 (citing In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1308 (N.D. Ga. 2019) (“On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of one of the largest data breaches in history. From mid-May through the end of July 2017, hackers stole the personal and financial information of nearly 150 million Americans.”)). McGlenn assumes that the Equifax data breach disclosed her SSN, her past and present address, her date of birth, other names she has used in the past, and the identities of her banks, lending institutions, and past and present credit card issuers. Equifax, like Driveline, offered free credit monitoring. McGlenn declined both offers because she was already using Credit Karma.

McGlenn also highlights reports by the IRS and FBI warning about certain frauds prior to the Disclosure. Driveline does not dispute the facts surrounding these reports, but Driveline argues that they are immaterial because there is no evidence that Driveline had received, was aware of, or should have been aware of these reports. First, on August 27, 2015, the FBI issued a report warning of the increasingly common scam, known as Business Email Compromise, in which companies had fallen victim to phishing emails. The report called attention to the significant spike in scams, also referred to as “spoofing,” in which emails that appear to have been initiated from the CEO or other top-level executives request employee W-2 or other personal information.

Second, on March 1, 2016, the IRS issued an alert to payroll and human resources professionals warning of a scheme whereby false emails, purportedly from one of the company's chief officers, were sent to individuals in the human resources or accounting department asking for copies of W-2 data for all employees. The alert stated:

The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.
The IRS has learned this scheme-part of the surge in phishing emails seen this year-already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.

Pl. Resp., Ex. 4, IRS March 1, 2016 Alert, d/e 86-4. The IRS renewed this alert on January 25, 2017, specifically urging “company payroll officials to double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers.” Pl. Resp., Ex. 5, IRS January 25, 2017 Alert, d/e 86-5.

McGlenn also alleges these additional facts regarding the training, or lack of training, that Driveline provided its employees:

• Before January 25, 2017, Susan Merciel, the Driveline Payroll Department Manager who released Driveline Employees' W-2s, had no training from Driveline that would have aided her in spotting a phishing email.
• Before January 25, 2017, Ms. Merciel had not been trained or advised by Driveline that W-2 phishing emails were being perpetrated on payroll departments.
• Before Driveline sent out its employees' personal data, its employees had not been trained to hover their computer mouse over the sender's name to see from whom an email was sent.
• If Driveline's employees had been so trained, Ms. Merciel or any other employee receiving the spoofing email would have seen that the request for employees' W-2s was coming not from Driveline's CFO Lori Bennett, whose Driveline email address had always been “lbennett@drivelineretail.com,” but instead came from fidelitycharitylaw@gmail.com.
• Ms. Merciel told another Driveline employee, Kristine Fountain, that she had previously received a request for W-2s in 2016, and that was why she did not find the 2017 phishing email unusual.
• Before Driveline sent out employees' personal data, Driveline employees had not been trained to question a request to email employees' PII or to call the person who was requesting via email a file containing the sensitive personal financial information of employees to confirm it was a real request.
• Prior to the Driveline Disclosure, Driveline's CFO Lori Bennett routinely requested confidential personal information of employees be sent to her via email without requiring or suggesting that the requested file be encrypted or password protected.
• Prior to the Driveline Disclosure, Driveline employees had not been trained to transfer sensitive and private employee data in an encrypted file.
• Driveline employees handling the most sensitive personal and
...
