A class-action lawsuit has been filed against the company hired by the state to design a website for the Pandemic Unemployment Assistance program, which had a security breach in the beginning and still has many claimants locked out of the system.
Chicago and Cleveland lawyers, associating locally with Dustin McDaniel, filed the suit against Protech Solutions on behalf of three named plaintiffs, including one who said she has been a victim of the security breach.
The lawsuit alleges Protech failed to protect personal and financial information. I haven’t received responses yet from Protech or the state for comment on the lawsuit.
It is seeking an emergency hearing to get people unlocked to receive claims. At one point, as many as 14,000 were said to be on hold.
Protech got a $3 million contract to design the system. The Arkansas Times reported May 15 that an applicant for claims for the self-employed had discovered all information on all claimants was easily seen. The system was shut down for security fixes. The state has asked for an FBI investigation, still in progress. The state has also said it has insurance for such circumstances.
Since then, though payments have begun, thousands of people have complained that their accounts are on hold and they can’t penetrate state phone lines or web portals to get information. The state has blamed the problems on rooting out fraud, though an official acknowledged to legislators recently that some problems might be linked to simple errors on forms.
UPDATE: A consulting firm with ties to Governor Hutchinson (see below in this article) apparently has been designated to provide responses for Pro Tech. It sent this statement from Kenneth French of the company:
In an effort to protect individuals and the state, ProTech Solutions implemented a fraud detection instrument to catch all possible threats to the PUA program. In these cases, accounts are flagged and then reviewed by the state—at which point a decision is rendered by the state. This is a standard operating procedure.
“As for the allegation of an identity incident, there is no evidence of this being linked to the PUA data incident on May 15. It is important to note, however, that the state has made available $1 million in identity protection insurance for all PUA applicants affected by the data incident. The individual must decide whether or not to accept that protection.”
This statement is silent on the security breach acknowledged in May for the entire database. It also is silent on the assertion by the state that it doesn’t have the security plan the firm was supposed to provide under it’s $3 million contract.
If the governor’s former aide, J.R. Davis, who provided this statement or ProTech or Workforce Services ever provides a number on those locked out; why they’ve remained locked out for weeks, and why it is so difficult for claimants to get answers from Workforce Services, I’ll pass that along.
The lawsuit says:
… at one of the worst times in the lives of Plaintiffs and Class members, when they find themselves unemployed in the midst of a pandemic and resulting recession, Protech negligently and recklessly made Plaintiffs’ and Class members’ path to recovery significantly harder by interfering with their access to PUA payments and putting their identity and credit standing at risk.
You can get a flavor of the frustration from a continuing string of comments on an earlier item we did about PUA problems.
The lawsuit continues:
As a result of the Data Breach, the PUA Application System was temporarily shut down. Even after the PUA Application System was back up and running, Plaintiffs and other Class members were and are still locked out of their accounts pending a “fraud review.”
As a result of the Data Breach, Plaintiffs and Class members must now be vigilant and review their credit reports for incidents of identity theft, and to educate themselves about security freezes, fraud alerts, and other steps to protect themselves against identity theft.
Data security breaches have dominated the headlines for the last two decades, and it does not take an IT industry expert to know that the failure to take reasonable security precautions places individual’s personal information at risk.
The lawsuit details the consequences of security breaches and says they sometimes aren’t discovered until long after the fact.
The suit said one plaintiff received a payment June 8 and 15 and then was locked out; another has not received a benefit since June 1, and a third, Terry Morrow, was a victim of the data breach.
On or about May 14, 2020, Morrow applied online for PUA benefits through the ADWS PUA website created, implemented, and maintained by Protech. During the application process, Morrow supplied her account information for her Skylight Net Spin Card with Regions Bank, so that her PUA payments could be made directly to that account.
As a direct result of the Data Breach, Morrow was the victim of identity theft. The day after she applied online for PUA benefits through the PUA website created, implemented, and maintained by Protech, someone fraudulently used her name and SSN to set up an account with Bank of America in Texas (“BOA Account”), and without her authorization or knowledge transferred all her money from her Skylight Net Spin Card (i.e., $757.24) into the BOA Account.
Morrow spent approximately 20 hours trying to get her money back, including filing a police report and dealing with the bank. As a direct result of the data Breach, Morrow fell behind on paying her utilities and other bills. Morrow has also been charged late fees and penalties on accounts that, as a direct result of Defendant’s conduct, have become delinquent.
As a direct result of the Data Breach, Morrow will have to expend additional time and energy protecting and monitoring her identity and credit.
The suit says the class covered by the lawsuit numbers 30,000. It claims negligence and invasion of privacy and seeks injunctive relief, including to lift holds on the PUA accounts.
The case has been assigned to Judge Alice Gray.
Thomas Zimmerman of Chicago, one of the lawyers filing the suit, told me that it had received a copy of the Protech Solutions contract. See it below:
Zimmerman notes that page 6 of the contract requires Protech to submit a data security plan. Lawyers asked for a copy of the data security plan. They got this response:
I’ve asked Workforce Services, which hired Protech, and Protech for comment on the lawsuit. Shortly before I learned about the lawsuit, a Workforce Services spokeswoman told me apologetically that she’d been delayed responding to several other questions about PUA because “we are dealing with a lot internally at this time.”
A tidbit relating to Protech, which does work nationally and has long had a large contract to handle the state’s child support collection effort. It has a well-connected Arkansas lobbyist.
Gilmore Strategy Group is headed by Jon Gilmore, a former top deputy, campaign strategist and chief money raiser for Governor Hutchinson. Other partners include other former Hutchinson insiders Rett Hatcher and J.R. Davis. Their website touts that connection in a photo showing Gilmore, Hatcher and Davis with their boss Hutchinson passing an income tax cut.
Gilmore has been tapped for several high-profile political jobs. And they are using their political log-rolling in ever-expanding ways, as I noted here.
Protech needs a lawyer right now more than a lobbyist, but the Gilmore group also worked on behalf of a Republican (wife of the state GOP chair) to the Arkansas Supreme Court this year. She’ll join a couple of other Republicans already in place, so there’s that friendly tie, too.