Judge Jed S. Rakoff has granted UNITE's motion to dismiss the plaintiffs' Deceptive Trade Practices Act (DTPA) claim but denied the defendant's motion on all other counts. The case, which was filed against UNITE HERE for "its failure to properly secure and safeguard" personal information of members, will proceed with the plaintiffs' remaining claims.
According to Justia, the New York DTPA requires plaintiffs to show that the defendant's actions were consumer-oriented, materially misleading, and caused injury. UNITE HERE contends that the plaintiffs failed to prove the actions were deceptive or that they were aware of any misleading practices. The plaintiffs focused on UNITE HERE's website privacy policy but did not show they relied on it. The DTPA mandates deception proof, unlike the Federal Trade Commission Act. Consequently, the court has dismissed the DTPA claim but will proceed with the other claims.
UNITE HERE reported that an unauthorized party accessed its systems on October 20, 2023. The organization took steps to stop the intrusion, enhance security, and consult cybersecurity experts, according to the notice they sent to potentially affected members on February 23, 2024, where they included steps that individuals could take to protect themselves from potential fraud or identity theft that could occur as a result of the breach four months prior.
Potentially compromised data included names, Social Security numbers, and driver's licenses. According to UNITE HERE, there was no evidence of identity theft or fraud and all affected parties were notified. The organization reset system passwords, added extra security measures, and informed law enforcement. It is also offering credit monitoring and identity theft protection services through IDXm.
Michelle Puller-Soto, a former member of the union who is representing herself and others similarly affected, has filed a class action lawsuit against the labor union UNITE HERE. The lawsuit alleges that the union failed to secure the personal and health information of its members, including Social Security numbers and medical data, leaving them vulnerable to identity theft after a data breach.
According to the lawsuit, plaintiffs claim the breach occurred in October 2023 but was no information was disclosed to them until four months later. The plaintiffs seek damages and other remedies including improved data security measures, credit monitoring, and identity theft insurance.