Retirement Plan Participant Files J.P. Morgan Data Breach Lawsuit

May 13, 2024

by Brian Eckert

Class action attorneys for Milberg Coleman Bryson Phillips Grossman (“Milberg”) are representing a participant of a retirement plan administered by J.P. Morgan Chase & Co. in a data breach lawsuit against the company.

The class action accuses J.P. Morgan of failing to implement adequate cybersecurity measures, resulting in harm to approximately 451,000 plan participants.

If your personal data was exposed in the J.P. Morgan retirement plan data breach, you may be eligible to join this lawsuit as a class member.

Regulatory Filing Reveals Cybersecurity Incident

According to a regulatory filing with the Maine Attorney General, J.P. Morgan discovered a data breach affecting 451,809 retirement plan participants on February 26, 2024.

J.P. Morgan began sending data breach notifications to participants in April, informing them that a software issue “caused certain reports run by three authorized system users to include plan participant information they were not entitled to see.”

The reports, which the system users ran between August 26, 2021 and February 23, 2024, included participants’ names, addresses, Social Security numbers, payment and deduction amounts, and the bank routing and account numbers of participants enrolled in direct deposit.

The data breach has caused plaintiff to suffer fear, anxiety, and stress, which has been compounded by the fact that defendant has still not fully informed him of key details about the data breach’s occurrence.

In its Maine AG filing, J.P. Morgan describes the incident as an “inadvertent disclosure” and writes that “We promptly addressed the access issue and have applied a software update.”

A company spokesperson told PLANSPONSOR that the breach was not part of a cyberattack and there is no indication of data misuse.

J.P. Morgan is offering those impacted by the breach two years of identity theft protection services through Experian.

Plaintiff: J.P. Morgan Didn’t Do Enough to Protect PII

Benjamin Valentine, a former Long Island Railroad employee whose retirement account is administered by J.P. Morgan, alleges that his and other participants’ personally identifiable information (PII) was compromised and unlawfully accessed due to the breach.

Valentine claims in a 57-page complaint filed in New York federal court that the J.P. Morgan retirement plan data breach was a direct result of the defendant’s failure to implement reasonable cybersecurity measures. He also alleges that he and the class members were not given prompt and accurate notice of the breach, were not informed about the root cause of the data breach in the notice letter, and that the 24 months of identity monitoring services being offered to them is an inadequate remedy.

More than 730 data compromises in FY Q3 exposed the information of more than 66 million individuals.

As a condition of his employment at LIRR, Valentine was required to provide his name, address, Social Security number, and other sensitive personal information to J.P. Morgan in order to receive certain employee benefits. J.P. Morgan should have known this information was at risk of being stolen and had a responsibility to protect it, but did not provide the level of data security expected under federal and New York state law, says Valentine.

“Instead of providing a reasonable level of security that would have prevented the hacking incident, defendant instead calculated to increase its own profit at the expense of plaintiff and class members by utilizing cheaper, ineffective security measures and diverting those funds to its own profit,” the complaint states.

It could be years before cybercriminals use the stolen information to commit identity theft crimes, such as applying for credit cards, opening bank accounts, and obtaining government benefits, according to Valentine. J.P. Morgan acknowledges as much in the letter, noting that “identity theft can happen months and even years after a data breach.”

Financial Institutions at High Risk of Cyberattacks

Valentine’s lawsuit adds that, given the large number of data breaches against financial institutions, J.P. Morgan knew, or should have known, about the vulnerability of the data it collects, maintains, and is responsible for safeguarding.

There were more than 730 data compromises in the third quarter of fiscal year 2023 alone, involving cyberattacks as well as system and human errors. These incidents exposed the data of over 66 million individuals. The financial services industry was the most targeted, followed by healthcare, professional services, manufacturing, and education.

Proposed Damages and Classes

The lawsuit seeks damages to compensate victims of the J.P. Morgan retirement plan data breach based on alleged negligence, breach of contract, and violations of New York General Business Law. Two classes are proposed:

  • Nationwide Class: All individuals residing in the United States whose PII was accessed and/or acquired by an unauthorized party as a result of the data breach reported by J.P. Morgan in April 2024.
  • New York Subclass: All individuals residing in the State of New York whose PII was accessed and/or acquired by an unauthorized party as a result of the data breach reported by J.P. Morgan in April 2024.

David K. Lietz and Vicki J. Maniatis of Milberg are representing Valentine and the class members.

Milberg was recently named one of the most active class action law firms in the country, with 892 filings from 2021 – 2023. A report from Duane Morris published in January found that data breach class action filings increased substantially last year and were certified at a rate of 86%.