Recently, Mason Tenders’ District Council Welfare Fund, Annuity Fund and Pension Fund (“Mason Tenders’ District Council Funds,” “Mason Tenders”) confirmed that the organization experienced a data breach after an unauthorized party gained access to its computer network. According to Mason Tenders, the breach resulted in the names, Social Security numbers and dates of birth of 20,090 plan participants and dependents being compromised. On June 22, 2022, Mason Tenders filed official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Mason Tenders’ District Council Funds data breach, please see our recent piece on the topic here.
Details About the Mason Tenders’ District Council Funds Data Breach
According to an official notice filed by the organization, on April 17, 2022, Mason Tenders became aware of suspicious activity on certain IT systems within the organization. In response, Mason Tenders enlisted the assistance of third-party cybersecurity professionals to investigate the incident. This investigation confirmed that an unauthorized party or parties had access to the Mason Tenders’ system from December 2, 2021, until the organization was able to halt all access on April 18, 2022. Mason Tenders also learned that while the unauthorized user(s) were on the network, they had the ability to access certain directories.
After learning that sensitive consumer data may have been accessible to an unauthorized party, Mason Tenders’ District Council Funds then reviewed the affected files to determine whether any fund participants or their dependents were affected and, if so, what information was leaked. While the breached information varies depending on the individual, it may include your name, Social Security number and date of birth.
On June 22, 2022, Mason Tenders’ District Council Funds sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
The Mason Tenders’ District Council of Greater New York and Long Island is a labor organization based in New York, New York. Mason Tenders has nearly 15,000 members, including construction workers, asbestos and hazardous materials handlers, Catholic High School teachers, and recycling and waste handlers. The Mason Tenders’ District Council Welfare Fund, Annuity Fund and Pension Fund are various benefit funds provided to members.
Can Labor Unions and Related Parties Be Held Responsible for a Data Breach?
Yes, under U.S. data breach laws, all organizations, including non-profits, educational institutions, government entities and labor unions, have a duty to those whose information they possess. Thus, the fact that the organization that was responsible for a data breach wasn’t a business does not prevent data breach victims from pursuing a data breach lawsuit against an organization.
Of course, responsibility for a data breach does not always lie with the organization that leaked consumer information. Generally, before any organization is held liable for a data breach, there must be some evidence that the organization was negligent in how it handled the consumer information that was subject to unauthorized access. Additionally, data breach victims must prove that the organization’s failures were the cause of their harm. In other words, there must be a causal connection between the organization’s negligence and the victim’s injuries.
Put more simply, to successfully hold any organization financially liable for a data breach, a victim must prove each of the following elements:
The organization owed the victim a duty of care;
The organization breached the duty it owed to the victim;
The organization’s negligence caused or contributed to the victim’s harms (i.e., identity theft); and
The victim suffered economic or non-economic injury as a result.
Notably, courts have held that victims of a data breach do not necessarily need to experience identity theft to pursue a data breach lawsuit. These courts have held that the increased risk of identity theft in the future is sufficient to give the victim legal standing to sue.