Posted On November 2, 2022 Consumer Privacy & Data Breaches
On October 29, 2022, Multi-Color Corporation (“MCC”) filed notice of a data breach with the California Attorney General after the company reportedly experienced a cyberattack that compromised the security of employee information contained on its computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to certain employees’ names, dates of birth, email addresses, mailing addresses, telephone numbers, Social Security numbers, driver’s license numbers, healthcare and health insurance-related data, and certain tax and financial data. After confirming that consumer data was leaked, MCC began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the MCC data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Multi-Color Corporation.
The available information regarding the Multi-Color Corp. breach comes from the company’s filing with the California Attorney General’s “Data Security Breaches” page. According to this source, on September 29, 2022, MCC detected unusual activity within its computer network, which was soon after determined to be related to an unauthorized party that had gained access to the system. In response, MCC secured its systems and began working with an outside “incident response” team to assist with the company’s investigation.
As a result of the investigation, MCC learned that an unauthorized party accessed certain company files, including those containing sensitive information about employees.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Multi-Color Corp. began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, email address, mailing address, telephone number, Social Security number, driver’s license number, healthcare and health insurance-related data, and certain tax and financial data. The breach impacted the server where MCC stored information pertaining to the company’s health and benefit programs, so the information of dependents was also subject to unauthorized access.
On October 29, 2022, Multi-Color Corp. sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1916, Multi-Color Corporation is a label company based in Batavia, Ohio. The company serves some of the most prominent businesses across a wide range of industries, including beverage, wine & spirits, food & dairy, personal care & beauty, home care & laundry, healthcare, durables & technical and automotive & chemicals. Multi-Color Corporation operates 109 label-producing operations in 26 countries across the world. Multi-Color Corp. employs more than 13,000 people and generates approximately $2 billion in annual revenue.
Yes, in certain circumstances, employees can hold an employer liable following a data breach through a data breach class action lawsuit. However, the mere fact that a breach occurred does not automatically mean that your employer is on the hook for your damages. As a general rule, employers are only financially responsible for breaches that were the result of their negligence.
In the data breach context, establishing an employer was negligent requires an employee to prove,
In most cases, the first element of the negligence analysis doesn’t raise much of a hurdle, as it’s commonly understood that employers have an obligation to protect sensitive employee information. However, determining that an employer’s negligence was the cause of or a contributing factor to a breach is more challenging.
Of course, data breaches are criminal acts carried out by third parties. And clearly, no employer intends to leak employee information. However, just because a criminal actor carried out the attack doesn’t mean that an employer is immune from liability. This is because employers have a legal duty to protect employee data by implementing an adequate data security system. And whether an employer has a data-security system isn’t necessarily the end of the inquiry because the adequacy of an employer’s system can be called into question. For example, employers should conduct regular training about the risks of email phishing attacks to help prevent employees from providing their login credentials to hackers. Companies should also ensure that they respond appropriately to any potential unauthorized access, thus limiting a hacker’s opportunity to remove files from the company’s network.
Given the complexities that arise with these cases, victims of an employee data breach should reach out to a dedicated data breach lawyer for assistance.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the MCC data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Multi-Color Corporation (the actual notice sent to consumers can be found here):
Multi-Color Corporation (“MCC”) understands the importance of cybersecurity and protecting your personal data. Unfortunately, the purpose of this letter is to inform you that MCC was the victim of a cyberattack and your personal data within our custody was compromised during the incident. However, based on the measures that we have implemented and the actions we have taken, there is no indication that your personal data has been misused or will be misused in the future. Yet, out of an abundance of caution, MCC is providing you complimentary credit monitoring and identity theft protection services and we encourage you to enroll in these services.
On September 29, 2022, MCC identified unusual activity occurring within our information networks and systems and discovered that a third party had unauthorized access to our information technology environment. MCC immediately deployed security measures to contain and mitigate the threat and retained an external incident response team to accelerate our recovery efforts. Because of the substantial security controls implemented prior to the cybersecurity incident, we were able to contain the threat within a few hours and become fully operational again within days. However, as part of our investigation, we discovered that the perpetrator of the attack accessed MCC files and records, including proprietary information and personal data related to our employees.
What Information Was Involved
The MCC files and records that were compromised as part of this cybersecurity incident included personnel files and other HR-related data on our employees. Accordingly, the types of personal data on our employees that were compromised in this cybersecurity incident included the following: employee names, dates of birth, email addresses, mailing addresses, telephone numbers, social security numbers, driver’s license numbers, and similar government-provided identifiers, healthcare and health insurance-related data, and certain tax withholding and similar financial data.
In some, limited circumstances, employees retained “personal” files on MCC computers and shared-folders that were unrelated to MCC business activities (e.g., personal pictures, applications, records), and this data may also have been compromised.
There is evidence that information that was used as part of MCC’s healthcare and benefits programs was also compromised during this incident and included sensitive personal data (such as social security numbers) related to your spouse, partner, or dependents enrolled in these programs. Please note that we are extending our credit monitoring and identity theft protection services to these individuals.
However, based on the measures that we have implemented and the actions we have taken, there is no indication that personal data subject to this cybersecurity incident has been misused or will be misused in the future.
What We Are Doing
MCC has taken action to remediate this cybersecurity incident and help prevent future occurrences. Given the comprehensive information security program that MCC had established prior to this incident, we were able to return to a normal state of operations in a timely manner. We have retained independent third-party IT security consultants to analyze the incident, including our information security programs and tools and the status of our data security hygiene. In addition, we proactively notified the Federal Bureau of Investigation, and filed incident reports with certain state regulatory authorities, regarding the nature and scope of this cybersecurity incident. For our employees located outside the United States, we have notified applicable foreign data protection regulators, such as the applicable supervisory authorities in the European Union, the United Kingdom, and in Australia.
Credit monitoring Services
To help address any concerns you may have, MCC will provide you, and your immediate family members, with complimentary credit monitoring and identity theft protection services for 24 months offered through Equifax. The enclosed sheet provides instructions for enrollment in these Equifax Credit WatchTM Gold and Equifax Child Monitoring services.
What You Can Do
Although there is no indication that personal data subject to this cybersecurity incident has been misused or will be misused in the future, there are several steps that you can take to better protect yourself and your personal data more generally. We recommend you remain vigilant and regularly review your credit card bills, bank statements, and credit reports for any unauthorized activity. Promptly report incidents of suspected identity theft or fraud to your local law enforcement agency, the Federal Trade Commission, your state Attorney General, your financial institution, and to one of the three nationwide consumer reporting agencies to have such incidents removed from your credit file. You should change your passwords regularly, and refrain from using easily guessed passwords and re-using the same passwords for multiple accounts. Be vigilant against third parties attempting to gather information by deception, and exercise extreme caution when clicking on unknown or suspicious website links. See the attachment for additional information with respect to certain security services that may be available to you.
Point of Contact
We have established a dedicated call center to answer questions you may have about this incident, which you can reach at 888-291-2363, from Monday – Friday, 9:00 am to 9:00 pm (Eastern Standard Time). We have also established a dedicated website about this incident that includes a Frequently Asked Question (FAQ) section, and it is available at [Redacted].
MCC recognizes the importance of data privacy and information security, and we deeply regret that this cybersecurity incident occurred. From the start, we moved quickly to contain the incident and conducted a thorough investigation with the assistance of leading security experts. We are working hard to ensure that individuals impacted by this incident have answers to questions about their personal data. Thank you for your attention to this matter.