CAL Automotive Hit with Class Action Following September 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Certified Automotive Lease Corp. (CAL Automotive) faces a proposed class action over a September 2021 data breach during which the personal information of 68,837 consumers was reportedly compromised.

The 37-page lawsuit alleges CAL Automotive, who provides lease and loan services to car dealerships, failed to implement adequate data security measures to protect consumers’ information. According to the suit, the data breach exposed customers’ names; physical and email addresses; phone and driver’s license numbers; dates of birth; Social Security, account or loan and tax identification numbers; and in some cases vehicle information.

The lawsuit claims that CAL Automotive not only failed to protect customer information from unauthorized access but waited nearly six weeks before notifying those whose data was compromised. Per the suit, the defendant’s failure to provide timely and adequate notice of the incident left customers “in the dark for weeks” with regard to the fact that their personal information had been exposed and that they were, and continue to be, at an increased risk of identity theft and “various other forms of personal, social, and financial harm.” According to the case, this risk “will remain for their respective lifetimes.”

The suit states that on September 18, 2021, CAL Automotive “detected and stopped a network security incident” during which an unauthorized party gained access to the customer information stored on the company’s network. Per the case, the data breach was a direct result of the defendant’s failure to implement adequate security measures, including encrypting personal customer information or deleting it when it is no longer needed.

The suit goes on to allege that CAL Automotive failed to issue timely notice of the breach and instead sent out a letter dated October 26, 2021 to those whose information may have been compromised. The lawsuit stresses that customers’ sensitive data can be used to commit “countless different types of financial crimes,” and claims data breach victims now face “years of constant surveillance” of their financial and personal accounts.

According to the case, CAL Automotive’s offer of 12 to 24 months of identity monitoring services is “wholly inadequate” to compensate data breach victims given their information could be misused for multiple years.

The lawsuit looks to cover anyone in the U.S. whose personal information was compromised as a result of the CAL Automotive data breach.

Initially filed in Camden County, New Jersey Superior Court on February 4, the lawsuit was removed to the state’s District Court on March 18.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.