Last week, two separate class actions were filed in the federal district court for the Southern District of Texas against DISA Global Solutions (DISA), a third-party employment screening services provider, related to an April 2024 cyber-attack.
DISA provides drug and alcohol testing and background checks for employers. DISA reportedly faced a cyber-attack from February to April 2024, which resulted in unauthorized third-party access to over 3.3 million individuals’ personal information. According to DISA, the information may have contained individuals’ names, Social Security numbers, driver’s license numbers, and financial account information.
DISA sent notification letters to individuals around February 24, 2025. The lead plaintiffs in both actions claim that they were required to provide their personal information to DISA as part of a job application or to obtain certain employment-related benefits.
Data breach class actions can help inform entities' risk management strategies. Below we discuss some key takeaways from the two complaints against DISA.
Reasonable Safeguards
One plaintiff alleges that DISA had a duty to exercise reasonable care in securing data, but that DISA breached that duty by “neglect[ing] to adequately invest in security measures.” The complaint lists numerous commonly accepted security standards, including:
- Maintaining a secure firewall configuration;
- Monitoring for suspicious credentials used to access servers; and
- Monitoring for suspicious or irregular server requests.
The other plaintiff similarly alleges that DISA failed to implement adequate security measures. This complaint also enumerates common measures, including:
- Scanning all incoming and outgoing emails;
- Configuring access controls; and
- Applying the principle of least-privilege.
Such claims of inadequate security and privacy measures are common in data breach class action litigation. Organizations should evaluate their security controls against current best practices and be prepared to document that evaluation, since the complaints treat widely accepted measures such as these as the baseline for "reasonable" care.
Notification Timeframe
DISA’s notification letter to affected individuals states that the unauthorized access occurred between February and April 2024. DISA sent notification letters in February 2025. One plaintiff alleges that the “unreasonable delay in notification” heightened the foreseeability that affected individuals’ personal information has been or will be used maliciously by cybercriminals.
It can take months to investigate a cyber incident and determine the nature and extent of the information involved. Still, organizations that experience such incidents should be mindful that plaintiffs can point to the gap between the unauthorized access, its discovery, and the notification letters as evidence of unreasonable delay and heightened harm.
Heightened Sensitivity of Social Security Numbers
One complaint asserts that Social Security numbers are "invaluable commodities and a frequent target of hackers." That plaintiff alleges that, given the type of information DISA maintains and the frequency of other "high profile" data breaches, DISA should have foreseen and been aware of the risk of a cyber-attack.
The other plaintiff states that various courts have referred to Social Security numbers as the “gold standard” for identity theft and that their involvement is “significantly more valuable than the loss of” other types of personal information.
Not all data elements present the same level of risk if subject to unauthorized access. Organizations should maintain an inventory of the types of information they hold and recognize that certain elements, such as Social Security numbers, present higher risk if exposed and may warrant heightened security controls. The suits against DISA highlight that robust measures serve not only to reduce the risk of a cyber-attack but also to reduce litigation exposure in the class actions that frequently follow a breach.
Roma Patel also contributed to this article.