Elemetal LLC faces a data breach class action resulting from its alleged failure to implement appropriate security measures, which led to a 2023 breach of approximately 13,000 customers’ personal information. Elemetal is a precious-metal refiner based in Texas, operating in more than 45 locations in the U.S.

The subject breach occurred between August 22 and September 1, 2023, and affected former and current customers’ personal information, including names, government-issued identification numbers, and Social Security numbers, according to the March 1 customer notification.

The complaint, filed in the U.S. District Court for the Northern District of Texas, alleges that Elemetal did not adhere to industry standards such as encrypting personal information or deleting data once it is no longer necessary for business purposes. The complaint further alleges that Elemetal failed to notify customers of the breach in a timely manner, which violates California’s Unfair Competition Law and Consumer Privacy Act (CCPA). The CCPA is the only consumer privacy rights law in the country that includes a private right of action related to damages suffered as a result of a breach of personal information. The lead plaintiff claims he has received an increase in spam calls, texts, and emails since the incident occurred. The complaint alleges negligence, breach of implied contract, and unjust enrichment, and seeks money damages as well as equitable and injunctive relief and attorneys’ fees and costs. Specifically, such relief includes a requirement that Elemetal delete or destroy all personal information of class members and implement a comprehensive data privacy and security program.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.