Class Actions Filed Against DISA Global Solutions Following Major Cyber-Attack
In a significant legal development, two separate class action lawsuits have been filed in the federal district court for the Southern District of Texas against DISA Global Solutions (DISA), a third-party employment screening services provider. These lawsuits stem from a cyber-attack that reportedly occurred between February and April 2024, compromising the personal information of over 3.3 million individuals. Because DISA provides drug and alcohol testing and background checks for employers, the breach raises critical questions about data security and the responsibilities of organizations in safeguarding sensitive information.
The Cyber-Attack and Its Consequences
The cyber-attack on DISA has been described as a severe breach of trust, with unauthorized access to a trove of personal information, including names, Social Security numbers, driver’s license numbers, and financial account details. The company began notifying affected individuals around February 24, 2025, a full year after the breach occurred. The lead plaintiffs in both class actions assert that they were compelled to provide their personal information to DISA as part of job applications or to secure employment-related benefits, highlighting the vulnerability of individuals whose data is entrusted to third-party service providers.
Reasonable Safeguards: A Legal Obligation
One of the central allegations in the lawsuits is that DISA failed to exercise reasonable care in securing the data it collected. The plaintiffs argue that DISA neglected to invest adequately in security measures, which is a fundamental expectation for organizations handling sensitive information. The complaints enumerate several commonly accepted security standards that DISA allegedly failed to implement, including:
- Maintaining a secure firewall configuration
- Monitoring for suspicious credentials used to access servers
- Monitoring for irregular server requests
These claims underscore a critical aspect of data breach litigation: the expectation that organizations will adhere to established security protocols to protect personal information. The plaintiffs argue that DISA’s failure to implement these measures constitutes a breach of its duty to safeguard the data it collects.
Notification Timeframe: A Point of Contention
Another significant issue raised in the lawsuits is the timeframe of DISA’s notification to affected individuals. The plaintiffs contend that the delay in notifying individuals about the unauthorized access to their personal information heightened the risk of identity theft and other malicious uses of their data. While it is acknowledged that investigating a cyber incident can take time, the plaintiffs argue that organizations must be mindful of the legal implications of delayed notifications.
The lawsuits suggest that timely communication is not only a best practice but also a legal obligation that can influence the outcome of litigation. Organizations that experience data breaches should prioritize swift notification to affected individuals to mitigate potential damages and legal repercussions.
The Value of Social Security Numbers
The lawsuits also emphasize the heightened sensitivity surrounding Social Security numbers, which are often referred to as “invaluable commodities” in the context of identity theft. One plaintiff notes that the presence of Social Security numbers in the compromised data significantly increases the risk associated with the breach. Courts have recognized these numbers as the “gold standard” for identity theft, underscoring the need for organizations to implement robust security measures to protect such sensitive information.
The distinction between various types of personal information is crucial in understanding the risks associated with data breaches. Organizations must be aware that certain data elements, particularly Social Security numbers, require heightened security standards due to their potential for misuse.
Lessons for Organizations
The class actions against DISA serve as a stark reminder of the importance of data security and the potential legal ramifications of inadequate safeguards. Organizations must evaluate their security practices and ensure they align with current best practices to minimize the risk of cyber-attacks. Additionally, they should be prepared for the possibility of litigation following a data breach, as the legal landscape increasingly holds organizations accountable for the protection of personal information.
In conclusion, the lawsuits against DISA Global Solutions highlight critical considerations for organizations in the realm of data security. By implementing reasonable safeguards, ensuring timely notifications, and understanding the value of sensitive information, organizations can better protect themselves and the individuals whose data they manage. As cyber threats continue to evolve, the importance of proactive risk management strategies cannot be overstated.