On August 12, 2022, Morrie’s Auto Group reported a data breach with the Attorney General of Montana. While the company did not publicly release the data types that were leaked as a result of the incident, under state reporting guidelines, a company only needs to report a breach if it involved consumers’ Social Security numbers, financial account information, and driver’s license numbers or state identification numbers. Thus, while it cannot be confirmed, it would appear that the Morrie’s breach involved one or more of these data types. After confirming the breach and identifying all affected parties, Morrie’s Auto Group began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Morrie’s Auto Group data breach, please see our recent piece on the topic here.
What We Know About the Morrie’s Auto Group Data Breach
The information about the Morrie’s Auto Group data breach comes from official documents filed with the Montana Attorney General’s Office. According to the most current information, on about March 24, 2022, Morrie’s detected suspicious activity within its computer system. In response, the company secured its systems and then began working with outside cybersecurity specialists to investigate the incident.
Morrie’s investigation confirmed that the company’s computer network had been infected with malware. The investigation also revealed that, as a result of the incident, an unauthorized party was able to access files containing sensitive employee information between March 23, 2022 and March 24, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Morrie’s Auto Group began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the company has not yet revealed what types of information were leaked, the attack likely involved one or more of the following: Social Security numbers, financial account information, driver’s license numbers or state identification numbers.
On August 12, 2022, Morrie’s Auto Group sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Morrie’s Auto Group
Founded in 1960, Morrie’s Auto Group is a car dealership based in Minnetonka, Minnesota. Morrie's Auto Group sells ten brands of vehicles, including Aston Martin, Bentley, Cadillac, Ford, Hyundai, Lincoln, Maserati, Mazda, Nissan and Subaru. The company operates about 35 car dealerships throughout Michigan, Wisconsin and Minnesota. In 2016, Morrie’s Auto Group was purchased by Fremont Private Holdings, LLC ("FPH"), the direct private investment arm of Fremont Group, the investment office for the Bechtel family. Morrie’s Auto Group employs more than 1,150 people and generates approximately $242 million in annual revenue.
Are Companies Responsible for Safely Maintaining Sensitive Information Belonging to Former Employees?
Most people recognize that employers have a duty to protect the sensitive employee information in their possession. However, what fewer people know is that a company’s obligation to protect an employee’s information does not end with a worker’s employment.
It is common for employers to have certain personal information about the employee in their files. This information may include an employee’s Social Security number, bank account numbers, health insurance information, medical history, work history, driver’s license number and contact information. When an employee leaves a company, there may be good reason for employers to hold on to that data (in fact, in some cases, they may be legally obligated to do so). However, the company’s obligation to protect and safeguard the information does not end when the person to whom the information belongs to leaves the company.
In this way, employers have the same duty to protect former employees’ information as they do to protect current employees’ information. Thus, if a data breach results in former employee information being leaked, the company in possession of that data may be financially responsible for any harm that befalls the former employee. Most often, this includes the financial and emotional costs of dealing with identity theft or other frauds.
Of course, just because a company leaks a former employee’s data through a data breach doesn’t automatically mean the company was at fault. The question then becomes whether the company was negligent in how it stored or maintained the data. For example, a company may be negligent under any of the following circumstances:
A company fails to implement or maintain an up-to-date data security system;
A company mistakenly posts sensitive consumer information such that it is publicly available;
A company mistakenly sends consumer information to an unauthorized party;
An employee at the company doesn’t follow the correct procedures when handling consumer data;
An employee opens an unsolicited email that installs malware on their computer; or
An employee responds to a phishing attack.
Those who are interested in learning more about their options in the wake of a data breach should reach out to an experienced data breach lawyer for assistance.