Arkansas vendor sued over data breach

Gov. Asa Hutchinson says Saturday, May 16, 2020, that a team was working through the weekend to get the Pandemic Unemployment Assistance system running again after the website had exposed applicants’ private information. More photos at (Arkansas Democrat-Gazette/Stephen Swofford)

A lawsuit filed Thursday in Pulaski County Circuit Court says the security breach of a new state computer program this spring led to identity theft of those seeking to apply for unemployment compensation benefits.

The lawsuit claims that Protech Solutions of Little Rock, which was hired by the state to develop the program, was negligent in its work, leading to a breach that compromised banking information and other personal data of applicants. Plaintiffs also claim the breach led to an invasion of privacy.

Congress, with passage in March of the CARES Act as an economic response to the coronavirus pandemic, established the Pandemic Unemployment Assistance program. It provided benefits, for the first time, to independent contractors, the self-employed, freelancers, "gig" workers and others who typically would not qualify for unemployment benefits.

Congress gave all states federal money to implement and manage the program.

The Division of Workforce Services, which is part of the state Department of Commerce, hired Protech to develop a computer program to collect applications from newly unemployed workers. The state isn't a defendant in the lawsuit, which was assigned to Circuit Judge Alice S. Gray.

Sam Acker, a Wyoming resident who does business in Arkansas, Philip Davidson of Paragould, and Terry Morrow of Clarksville filed the lawsuit. Their attorneys are the Little Rock firm of McDaniel, Wolff & Benca, the Zimmerman firm in Chicago, and DannLaw in Cleveland, Ohio.

In seeking class-action status, the attorneys say some 30,000 applicants could have been affected by the breach. The lawsuit doesn't specify monetary damages being sought.

Tipped off to the problems by a tech-savvy applicant, the Arkansas Times on May 15 reported the data breach on its website and informed state officials. The Times said the applicant, a computer programmer whom it didn't identify, realized that the site left applicants' bank accounts and Social Security numbers exposed.

The Times said the programmer had attempted to contact state authorities before calling the newspaper.

Once informed by the Times of the breach, the state took the program offline for repairs. It went back online five days later.

Along with being victims of identity theft, the plaintiffs said the computer program's failure has prevented them from applying for or receiving unemployment benefits, imperiling their financial condition. With their efforts to apply on hold pending a "fraud review" by the state, the three asked the court for an injunction that would allow their applications to proceed.

State officials have largely declined comment on the breach, citing ongoing investigations by law enforcement.

The weekly benefits in Arkansas under the Pandemic Unemployment Assistance range from $132 to $451. Eligible recipients also get a $600 weekly federal supplement under the Federal Pandemic Unemployment Compensation program, another component of the CARES Act. The $600 supplement, however, expires July 25 in Arkansas unless Congress votes to extend it.

The state has paid out more than $1 billion in federal unemployment benefits in 16 weeks of the pandemic. Arkansas also has paid out $271.3 million in regular unemployment benefits through the unemployment insurance trust fund.

Asked generally about possible fraud before the lawsuit's filing Thursday afternoon, the Division of Workforce Services said, "Like many states, Arkansas has seen a significant increase in Unemployment Insurance benefit fraud, largely in association with identity theft. About 20,000 unemployment claims have been flagged for review over the last few weeks."

The agency said any identity theft in Arkansas "likely occurred as part of national and global breaches in the months and years" before the pandemic. The agency can accept reports of possible fraud at (501) 682-1058, via an online form at and by email at [email protected].

The case is Samuel Acker et al v. Protech Solutions, 60CV-20-3858.