On August 29, 2022, Donlen Corporation reported a data breach with the office of the Montana Attorney General after the company detected “unusual activity related to the inaccessibility of certain systems” on its computer network. While the company did not publicly release the data types that were leaked as a result of the incident, under state reporting guidelines, a company only needs to report a breach if it involved consumers’ Social Security numbers, financial account information, and driver’s license numbers or state identification numbers. Thus, while it cannot be confirmed, it would appear that the Donlen breach involved one or more of these data types. After confirming the breach and identifying all affected parties, Donlen Corp. began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Donlen Corp. data breach, please see our recent piece on the topic here.

What We Know About the Donlen Corp. Data Breach

The information about the Donlen Corporation data breach comes from the company’s official filing with the Montana Attorney General’s Office. According to this source, on around March 4, 2022, Donlen detected unusual activity across its IT systems, impacting the company’s ability to access certain portions of its network. In response, Donlen took the necessary steps to secure its system and then reached out to a third-party cybersecurity firm to assist with the company’s investigation.

The company’s investigation revealed that an unauthorized party was able to access portions of the Donlen network between February 24, 2021, and March 4, 2021. The investigation also revealed that the unauthorized actor removed some files from the company’s network and that these files contained sensitive consumer data.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Donlen Corp. began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. Donlen completed its review of the affected files on April 8, 2022.

While the notice filed with the Montana AG’s office does not provide the specific data types that were leaked, based on state reporting requirements, it is likely that the breach impacted one or more of the following:

• Social Security numbers,

• financial account information, or

• driver’s license numbers or state identification numbers.

On August 29, 2022, Donlen Corp. sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About Donlen Corporation

Founded in 1965, Donlen Corporation is a fleet leasing and management company based in Bannockburn, Illinois. Donlen provides customers with consultation, maintenance, and outsourcing for corporate vehicle fleets. The company currently has approximately 165,000 vehicles under lease and management. Donlen Corp. employs more than 823 people and generates approximately $471 million in annual revenue.

Could Donlen Be Financially Responsible for the Data Breach?

Data breaches typically involve a hacker or some other type of bad actor bypassing a company’s data security system with the intent to steal consumer data. When it comes to determining liability after a data breach, the most obvious candidate is the hacker who carried out the attack. However, locating a hacker after a breach is challenging, and even if you can find them, it may not be worth pursuing a claim against them because they may not have the assets to satisfy a judgment in the event you are successful.

However, when considering who is responsible for a data breach, it’s not as easy as placing all the blame on the hacker who carried out the attack. While data breaches certainly present risks to targeted companies, the real victims of a data breach are those consumers whose information ends up in the hands of criminals. The first line of defense against a data breach is the target company’s data security system.

Recognizing this reality, state and federal law require companies to take certain precautions when they ask for or agree to store consumer information. Thus, in some cases, the company that was victimized in the attack may be liable for a victim’s harm.

Below are just a few ways a company may be negligent in how it handles consumer data:

• The company does not have an up-to-date data security system;

• The company does not provide training to employees regarding the dangers of phishing emails;

• The company stores sensitive consumer information in a way that allows public access to the data;

• The company sends sensitive consumer information to an unauthorized party; or

• The company disregards known security threats that could compromise the data in its possession.

Under United States data breach laws, companies that store consumer data have a legal obligation to keep consumer data safe and secure. Thus, those companies that are negligent in how they handle consumer data may be held financially liable after a breach. Of course, the laws governing these claims are complex, and it isn’t always easy to determine which company is liable and under what theory. Thus, anyone interested in learning more about data breach claims should consult with a data breach lawyer for assistance.