Two new lawsuits against the San Francisco 49ers over a recent data breach highlight the risks sports teams face when collecting and storing sensitive materials. They also underscore how emerging efforts by NFL teams to monetize data necessitate similar energy for repelling and combating cybercriminals.
On Sept. 9, former 49ers security staffer John Garvey and current Atlanta Falcons live events employee Samantha Donelson filed state and federal lawsuits, respectively, arguing the team is liable for negligence, breach of implied contract and related claims. Both lawsuits seek to become certified as class actions on behalf of numerous people—potentially exceeding 20,000—whose personal information was compromised when the 49ers’ corporate IT network was attacked by ransomware between Feb. 6 and Feb. 11 of this year. In addition to 49ers financial data, the names, dates of birth, Social Security numbers and other personally identifiable information of 20,930 impacted individuals were accessed. The team notified law enforcement and assisted in a months-long investigation.
Garvey, who is represented by Scott Edward Cole and other attorneys from Cole & Van Note, had shared sensitive information as a condition of employment. He did so, the complaint maintains, “with the reasonable expectation and mutual understanding” the data would be safeguarded. The 49ers’ measures to prevent and address a breach are depicted in the complaint as inadequate and lacking. Garvey learned from the team on Aug. 31 that he was a victim of the breach, but says he remains “in the dark” on what information was accessed. Garvey worries the information “may end up for sale on the dark web,” where compromised identities can be sold, or “fall into the hands” of companies that will use it for target marketing.
Donelson, who is represented by Michael Boyle and other attorneys, similarly provided her information as a condition of employment. She says Credit Wise alerted her shortly after the breach that her Social Security number had been used on the dark web. Her complaint indicates there was, at the time, “no substantive information regarding who was affected.” Donelson has spent time and money trying to uncover how badly the breach has impacted her or could impact her, including with respect to potential fraudulent charges and damaged credit scores.
In a written statement, the 49ers told Sportico the team has taken multiple steps to mitigate the situation and will continue to pursue corrective measures.
“We have begun notifying individuals whose data may have been compromised during a cybersecurity incident on our corporate network earlier this year and are offering complimentary credit monitoring and identity theft protection services to them. We take seriously our responsibility to safeguard personal and sensitive information entrusted to us and are committed to working with cybersecurity experts to ensure we are protected from any future similar incidents. We regret any concern this has caused to the affected individuals.”
Data breaches and accompanying legal fallout aren’t new. A few years ago, Equifax agreed to pay at least $575 million in a settlement with the Federal Trade Commission and other government agencies regarding a data breach impacting about 147 million people. The company also settled with persons impacted by the breach. Sporting goods retailers and sports software companies have also been involved in breach-related litigation, and these cases will likely continue as data breaches become more common.
In the coming weeks, attorneys for the 49ers will answer the complaints and offer defenses. The team will likely maintain that while it regrets the breach, it nonetheless acted reasonably, in keeping with industry practices and consistent with NFL cybersecurity policies.
To that end, the 49ers might argue they crafted and adhered to a robust cybersecurity policy. Expect the team to say it ably trained employees on handling sensitive data. The 49ers, which Donelson says offer free credit monitoring services, could further insist they responded aggressively to the breach and in line with best practices. The role of the plaintiffs’ employment with NFL teams could prove relevant if the 49ers argue that employment-related disputes must first go to mediation or arbitration, or both.
Meanwhile, NFL teams and other sports businesses have made obtaining and using data a priority in pursuit of new revenue sources. That approach offers financial appeal but, as these two lawsuits show, also carries the risk of breach and litigation.