Showing posts with label Consumer Protection. Show all posts

Monday, March 24, 2025

18,000 New Jersey Law Enforcement Class Action Against LexisNexis: A Battle Over Privacy and Retaliation




How LexisNexis’s Alleged Retaliation Against Law Enforcement Exposed a Clash Between Data Practices and Privacy Rights



In March 2024, a significant legal battle emerged in New Jersey as over 18,000 law enforcement personnel, including active and retired officers, prosecutors, and judges, filed a class-action lawsuit against LexisNexis Risk Data Management, LLC. The plaintiffs accused the data analytics giant of retaliating against their attempts to protect their personal information under New Jersey’s Daniel’s Law by imposing unauthorized credit freezes and falsely reporting them as identity theft victims. This case, while not stemming from a traditional data breach, has raised serious questions about LexisNexis’s handling of sensitive data and its compliance with state privacy laws, potentially exposing vulnerable individuals to further risks.

Background: Daniel’s Law and Privacy Rights
Daniel’s Law, enacted in New Jersey in November 2020 (P.L. 2020, c. 125) and later amended in 2023 (P.L. 2023, c. 113), was a response to the tragic murder of Daniel Anderl, the son of U.S. District Judge Esther Salas, by a gunman who targeted her family using publicly available personal data. The law prohibits the disclosure of home addresses and unpublished telephone numbers of “covered persons”—active or retired judicial officers, law enforcement officers, prosecutors, and their immediate family members—upon their written request. It mandates that data brokers like LexisNexis remove such information within 10 business days of receiving a takedown request, with penalties including damages of at least $1,000 per violation, plus punitive damages and attorney fees.

The plaintiffs, many of whom had invoked their rights under Daniel’s Law between December 2023 and January 2024, sought to shield their personal details from public exposure, citing safety concerns inherent to their professions. However, instead of complying fully, LexisNexis allegedly took punitive actions that disrupted their financial lives.

Details of the Allegations
According to the lawsuit filed on March 4, 2024, in Bergen County Superior Court (Case No. BER-L-001424-24), LexisNexis retaliated against the plaintiffs’ data removal requests in two major ways:

  1. Unauthorized Credit Freezes: LexisNexis allegedly placed security freezes on the plaintiffs’ credit reports without their consent. These freezes, intended to prevent identity theft by blocking access to credit files, were not requested by the plaintiffs and were unrelated to Daniel’s Law compliance. The company reportedly informed the affected individuals via letters that these freezes could “delay, interfere with, or prohibit the timely approval of applications” for credit, insurance, or other services—consequences the plaintiffs argue were retaliatory and harmful.
  2. False Identity Theft Reports: In addition to the freezes, LexisNexis is accused of falsely reporting the plaintiffs as victims of identity theft to credit bureaus. This misrepresentation allegedly tarnished their credit histories, potentially affecting their ability to secure loans, mortgages, or employment. The lawsuit claims these reports were “complete fabrications” designed to punish the plaintiffs for exercising their legal rights.

The complaint further alleges that LexisNexis failed to remove the requested personal information—such as names, home addresses, and detailed family reports, including data on minor children as young as 13—from its databases. Instead, it continued to make this information available to subscribers, violating Daniel’s Law. When plaintiffs contacted LexisNexis to lift the freezes or correct the false reports, the company reportedly acknowledged the potential adverse impacts but refused to act promptly, engaging in what the lawsuit calls “a prolonged effort to thwart Plaintiffs’ efforts to lift these credit freezes.”

Implications of the Case
This incident, while not a data breach in the conventional sense, suggests a mishandling of sensitive data that could amplify privacy risks. By freezing credit and misreporting identity theft, LexisNexis allegedly created new vulnerabilities—such as financial instability or exposure to creditors—while failing to address the original safety concerns prompting the takedown requests. The case also highlights a broader tension between data brokers’ business models, which rely on aggregating and selling personal information, and growing legal protections for individual privacy.
The plaintiffs, represented by the Newark-based law firm Genova Burns, seek damages under Daniel’s Law, including statutory awards, punitive damages, and attorney fees, as well as court orders compelling LexisNexis to comply with the law and reverse its retaliatory actions. The class includes a diverse group of law enforcement personnel, with two pseudonymous lead plaintiffs—an active police officer and a retired officer—symbolizing the broader affected community.

LexisNexis’s Response
LexisNexis has not commented extensively on the litigation due to its pending status. However, a company spokeswoman, Kara Grady, told Asbury Park Press in March 2024, “We care deeply about the safety of judges, police and all covered persons under the federal and New Jersey’s Daniel’s Law and we act at all times to protect the dissemination of protected information.” The company’s website notes that opt-out requests under privacy laws may result in security freezes to limit data availability for fraud prevention—a policy the plaintiffs argue was misapplied as retaliation rather than protection.

Current Updates on the Case (as of March 23, 2025)
As of March 23, 2025, the case remains active in Bergen County Superior Court, with several developments:

  • Initial Filings and Motions: The lawsuit was filed on March 4, 2024, and served on LexisNexis shortly thereafter. Early proceedings have focused on jurisdictional matters and the certification of the class, given the large number of plaintiffs (over 18,000). No public rulings on class certification have been reported by this date.
  • Public and Legislative Attention: The case has drawn significant attention, with U.S. Representative Josh Gottheimer (D-NJ) citing it in a May 2024 ROI-NJ opinion piece as evidence of data brokers undermining public safety. He called for federal action to bolster privacy protections, suggesting the lawsuit could influence broader policy debates.
  • Related Litigation: A separate February 2024 class action by Atlas Data Privacy Corporation against LexisNexis and 117 other data brokers, representing 20,000 law enforcement officials for noncompliance with Daniel’s Law, remains ongoing. The March lawsuit builds on this earlier effort, focusing specifically on retaliation rather than just noncompliance.
  • Discovery Phase: Legal analysts on ClassAction.org suggest the case is likely in the discovery phase as of early 2025, with both sides exchanging evidence. No trial date has been publicly set, and settlement discussions, if any, remain confidential.
  • Lack of Major Rulings: No significant court decisions—such as dismissals, summary judgments, or injunctions—have been reported by March 23, 2025, per accessible news and legal databases like Bloomberg Law and Courthouse News Service. The case’s complexity, involving thousands of plaintiffs and nuanced statutory interpretation, may delay resolution.

The case’s outcome could set a precedent for how data brokers handle privacy requests under similar state laws, with potential ramifications for LexisNexis’s operations nationwide.

Follow me on X. "All truths are easy to understand once they are discovered; the point is to discover them." - Galileo

Disclaimer, rights of logos placed here are for recognition for the blind or eyesight problems on this blog. 😎 Be sure to click on all the Blue Links.

If you find any errors please let me know. I am not funded by anyone for any opinions I may have. You can buy me a coffee here and it's very much appreciated. Thank you!

Image: "NJSDA Police Patch V05 (002)" by -NJSD111- is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/?ref=openverse.


Sunday, March 23, 2025

*NEW* Protect Your Privacy - LexisNexis Data and Other Breaches: Exposing Vulnerabilities in a Data-Driven World



A History of Exposure and Consumer Privacy Risks

LexisNexis, a global data analytics giant under RELX, aggregates vast amounts of personal information—estimated at 80 billion records—making it a prime target for cyberattacks and a focal point for privacy concerns. Over the years, the company has faced several documented data breaches and security incidents that have exposed sensitive consumer data, including Social Security Numbers (SSNs), addresses, and more. Below is an overview of these incidents, their impacts, and steps consumers can take to protect their privacy, alongside examples of other businesses recently affected by breaches.


Documented Data Breaches

  1. 2005 Seisint Breach

    • Details: In March 2005, LexisNexis disclosed a breach involving its Seisint division, acquired in 2004. Hackers accessed personal data—names, addresses, Social Security Numbers (SSNs), and driver’s license numbers—of approximately 32,000 individuals. By April, the scope expanded to 310,000 affected individuals across 59 separate incidents. Unauthorized users exploited legitimate customer credentials, weak passwords, or malware to infiltrate the system.

    • Impact: No direct identity theft cases were linked to this breach, but it fueled public outrage and calls for regulation of the data-broker industry. Affected individuals received free credit monitoring and fraud insurance for a year.

    • Context: This incident followed a similar breach at ChoicePoint, amplifying scrutiny on data aggregators. The U.S. Secret Service investigated, but specifics remain limited.

    • Source: CSO Online - "The 18 Biggest Data Breaches of the 21st Century" (Accessed March 23, 2025 - link confirmed working).

  2. 2013 SNSDOB Hack

    • Details: Cybersecurity journalist Brian Krebs reported that a crime group, SNSDOB, infiltrated LexisNexis and other data brokers (e.g., Dun & Bradstreet, Kroll Background America) around 2013. The breach exposed "knowledge-based authentication" (KBA) data—personal details used for identity verification, such as past addresses or maiden names.

    • Impact: Unlike credit card breaches with immediate fraud detection, this data’s sale on the dark web posed long-term risks, like fraudulent loans or account takeovers, which lack robust consumer protections. The exact number of affected individuals wasn’t specified, but the breach highlighted vulnerabilities in LexisNexis’s security.

    • Context: The stolen data fed an identity theft service, underscoring how data brokers can inadvertently arm criminals when compromised.

    • Source: Krebs on Security - "Data Broker Giants Hacked by ID Theft Service" (Accessed March 23, 2025 - link confirmed working).

  3. Healthcare Payer Study (2022 Insight, Not a Breach)

    • Details: While not a specific breach, a 2022 LexisNexis Risk Solutions study revealed that 49% of surveyed healthcare payers (41 of the top 100) experienced a data breach in the prior five years, averaging 12,000 compromised records per incident. Though not directly tied to LexisNexis’s systems, this reflects the broader ecosystem where its data circulates.

    • Impact: Costs averaged $5.39 million per breach, with reputational damage and member loss reported by 85% and 55% of affected payers, respectively. This suggests that breaches involving LexisNexis-supplied data could have cascading effects.

    • Source: LexisNexis Risk Solutions - "2022 Healthcare Payer Study" (Accessed March 23, 2025 - link confirmed working).


Alleged Incidents and Lawsuits

  1. 2022 Illinois Lawsuit

    • Details: Immigration advocates sued LexisNexis, alleging it illegally collected and sold personal data under Illinois’s Biometric Information Privacy Act (BIPA). The lawsuit claimed its Accurint tool enabled warrantless surveillance by ICE, compromising data like SSNs and addresses. While not a traditional breach, it highlighted risks of data exposure through legal sales.

    • Source: LexisNexis Wikipedia - "Controversies" (Accessed March 23, 2025 - link confirmed working).

  2. 2024 New Jersey Class Action

    • Details: Over 18,000 law enforcement personnel accused LexisNexis of retaliating against data removal requests by freezing their credit and falsely reporting them as identity theft victims. This wasn’t a breach but suggested mishandling of sensitive data, potentially exposing it further.

    • Source: The Record - "LexisNexis Sued Over Alleged Retaliation Against Cops" (Accessed March 23, 2025 - link confirmed working).


Broader Vulnerabilities

  1. GM Telematics Case (2024)

    • Details: A class action against General Motors and LexisNexis alleged that driving data (e.g., speeding incidents) from GM’s OnStar was shared with LexisNexis without clear consent, impacting insurance rates. This isn’t a breach but shows how LexisNexis’s data aggregation can amplify privacy risks when sourced from third parties.

    • Source: Tech.co - "Data Breaches That Have Happened in 2024 & 2025" (Accessed March 23, 2025 - link confirmed working).

  2. Underground Data Sales

    • Details: Krebs’s investigations revealed LexisNexis data appearing in cybercrime markets, often from breaches or social engineering, though pinpointing exact incidents is challenging due to the opaque nature of such leaks.

    • Source: Krebs on Security - "Data Broker Giants Hacked by ID Theft Service" (Accessed March 23, 2025 - link confirmed working).

Analysis and Implications

  • Scale and Scope: The 2005 breach alone affected over 310,000 people, and subsequent incidents suggest ongoing vulnerabilities. LexisNexis’s vast database—estimated at 80 billion records—makes it a prime target, with each breach potentially exposing millions of data points.

  • Security Weaknesses: Past breaches exploited weak passwords and stolen credentials, indicating that LexisNexis’s security relied heavily on protections on the customer side (its clients’ own password and credential hygiene), which often failed. Modern tools like ThreatMetrix aim to address this, but historical incidents reveal gaps.

  • Consumer Impact: Unlike credit card breaches, where banks mitigate losses, LexisNexis breaches involving SSNs or KBA data can lead to untraceable, long-term harm—e.g., drained 401(k)s or denied loans—leaving victims with little recourse.

  • Regulatory Pressure: The 2005 incident spurred legislative proposals (e.g., Schumer-Nelson bill to ban SSN sales), and recent lawsuits reflect growing demands for accountability. However, data brokers remain lightly regulated, amplifying breach risks.

Lack of Recent Specifics

Post-2013, no major, publicly detailed breaches directly tied to LexisNexis’s core systems have surfaced in accessible records up to March 23, 2025. This could indicate improved security—or simply less public disclosure. Smaller incidents or breaches via partners (e.g., healthcare payers) may go unreported unless legally mandated.


Recent Data Breaches at Other Businesses (2024-2025)

  1. Financial Business and Consumer Solutions (FBCS) - 2024

    • Details: Initially reported in April 2024 as affecting 1.9 million, the breach’s scope was revised to 4.2 million by late 2024. Hackers stole names, SSNs, birth dates, and driver’s license numbers from this debt collection firm.

    • Source: Tech.co - "FBCS Data Breach Update" (Accessed March 23, 2025 - link confirmed working).

  2. Disney - 2024

    • Details: In July 2024, the “NullBulge” hacking group stole 1.2 TB of internal Slack messages from Disney, including employee communications, via cookie hacking. This exposed sensitive corporate data.

    • Source: Wired - "Disney Data Breach" (Accessed March 23, 2025 - link confirmed working).

  3. Roku - 2024

    • Details: In March 2024, Roku disclosed a breach affecting 576,000 customers. Hackers accessed account details, though no SSNs were reported stolen in this instance.

    • Source: Roku - "Roku Data Breach" (Accessed March 23, 2025 - link confirmed working).

  4. Lexipol - 2025

    • Details: On February 18, 2025, Lexipol, a public safety policy provider, suffered a breach of 672,000 email addresses, names, phone numbers, and password hashes, claimed by the "Puppygirl Hacker Polycule." Reported via X by @haveibeenpwned.

    • Source: Have I Been Pwned - "Lexipol Breach" (Accessed March 23, 2025 - link confirmed working).


Consumer Actions to Protect Privacy

Given LexisNexis’s breaches and the rising tide of data incidents, consumers can take proactive steps to safeguard their information:

  1. Request Your LexisNexis Report

    • Under the Fair Credit Reporting Act (FCRA), you’re entitled to a free annual consumer disclosure report from LexisNexis. Review it for errors and dispute inaccuracies.

    • How: Visit LexisNexis Consumer Disclosure or call 1-866-312-8076 (Accessed March 23, 2025 - link confirmed working).

  2. Freeze Your Credit

    • Place a credit freeze with Equifax, Experian, and TransUnion to prevent unauthorized accounts from being opened in your name. It’s free and doesn’t affect your credit score.

    • Resources: Federal Trade Commission - "Credit Freeze" (Accessed March 23, 2025 - link confirmed working).

  3. Monitor Financial Accounts

    • Regularly check bank and credit card statements for suspicious activity. Sign up for free weekly credit reports at AnnualCreditReport.com (Accessed March 23, 2025 - link confirmed working).

  4. Use Strong, Unique Passwords

    • Employ a password manager and enable two-factor authentication (2FA) on all accounts to reduce risks from stolen credentials, as seen in the 2005 LexisNexis breach.

  5. Opt Out of Data Sharing

    • LexisNexis allows limited opt-out options for marketing data. Submit a request via their Privacy Opt-Out Form (Accessed March 23, 2025 - link confirmed working).

  6. Stay Vigilant for Phishing

    • Post-breach, watch for phishing attempts via email or phone exploiting leaked data. Don’t click unsolicited links or share personal details.


Conclusion

LexisNexis’s data breaches, notably in 2005 and 2013, exposed hundreds of thousands to identity theft risks, driven by inadequate safeguards and the sheer volume of data it holds. While the company has since bolstered its offerings with fraud prevention tools, its role as a data aggregator keeps it in the crosshairs of hackers and critics. Individuals can request their Consumer Disclosure Report to check for errors via LexisNexis Consumer Disclosure (Accessed March 23, 2025 - link confirmed working). The broader challenge persists: a system where vast, unverified data troves invite exploitation, often beyond public view until the damage is done.

