Rick Heidner and Gold Rush Amusements, Inc., the victims of a data breach by the Illinois Gaming Board (IGB), filed a lawsuit against the IGB, alleging that their personal and sensitive financial information was intentionally and illegally leaked by an IGB employee. The IGB compounded the harm by failing to promptly notify Mr. Heidner and Gold Rush of the unauthorized disclosures and by taking unfair and improper actions against them, resulting in significant financial and reputational harm.
The lawsuit, filed Tuesday in the Illinois Court of Claims, accuses the IGB of causing substantial harm when an IGB employee intentionally and without authorization disclosed sensitive financial information, including personally identifiable information relating to Gold Rush, Mr. Heidner, his wife, two of his children, and other individuals. The IGB is legally required to keep this data confidential. The complaint, which alleges breach of fiduciary duties and negligence, seeks the maximum allowable damages of $2 million each for Mr. Heidner and Gold Rush.
Approximately half of the more than 50 individual victims of the IGB data breach had previous contact with Mr. Heidner or Gold Rush, a licensed terminal operator serving more than 500 establishments across Illinois. In addition to immediate and extended family members, the victims include individuals with whom Gold Rush has a contractual relationship under the jurisdiction of the IGB.
The IGB delayed notifying Mr. Heidner and the other victims of the unauthorized disclosures for nearly a month. According to the complaint, Mr. Heidner and his family received the IGB’s data breach notices on Jan. 31, well after the IGB discovered the breach on Jan. 3, and a week after the media had reported the breach. The IGB’s failure to promptly notify Mr. Heidner and the other victims and cooperate with them in matters relating to the data breach, as well as its failure to implement and maintain reasonable security measures to protect their private information from unauthorized access and disclosures, violates the Illinois Personal Information Protection Act.
“Despite requiring licensees and associated individuals to hand over a veritable treasure trove of their most sensitive data, the evidence will show that the IGB’s approach to protecting Mr. Heidner’s data has been careless and cavalier, at best,” the complaint states. By leaking confidential, sensitive personal and financial information, “the IGB has breached the trust and confidence that forms the very foundation of the relationship” between the state gaming agency and its licensees, the suit adds.
The unauthorized disclosures by an IGB employee to three federal government entities between Oct. 12-31, 2019, purportedly began the day after the first of a series of articles relating to Mr. Heidner was published in the Chicago Tribune. The Oct. 11 article criticized certain real estate partnerships and implied they were not properly disclosed to the IGB. “Such insinuations were false, in that Mr. Heidner had made complete and accurate disclosures in both Gold Rush’s initial terminal operator license application and in all renewal and related submissions to the IGB,” the suit states.
“These disclosures . . . were made without authorization and were not in response to any valid legal request.” Instead, the suit alleges that an “IGB employee made these unauthorized disclosures to fuel―or at least in response to―negative media coverage the IGB helped generate against Mr. Heidner and Gold Rush.”
Gaming licensees and associated individuals are required to provide the IGB with detailed disclosures of highly confidential personal and financial information. In Mr. Heidner’s case, initially in 2010 and annually since Gold Rush was first licensed in 2012, he has given the IGB information relating to his personal background, social security number, assets, liabilities, personal bank accounts, personal and business investments, real estate holdings, life insurance policies, vehicle ownership, mortgages, and liens, among other details.
The information was leaked―and the unauthorized disclosures were undetected for months―at a time when negative media publicity speculated about the completeness of Gold Rush’s and Mr. Heidner’s disclosures to the IGB, and at a time when the IGB chose to take unfair, unfounded actions against them, according to the complaint. The series of adverse actions without a proper factual basis included, in December, initiating a Disciplinary Complaint, incited by Gold Rush’s competitors, against Gold Rush that seeks the severe penalty of license revocation despite the company’s history of compliance.
On Jan. 3, when the IGB finally discovered the unauthorized disclosures by an employee, it failed to promptly alert Mr. Heidner or Gold Rush that they were victims. A week later, the IGB notified state legislative leaders of the breach but, again, failed to notify the victims. Two weeks after that, the media reported information about the leak, but Mr. Heidner and Gold Rush still were not informed that they were victims. When the media reports caused Mr. Heidner to expressly ask the IGB if he was a victim, the IGB remained silent until Mr. Heidner and his family received formal notices in the mail on Jan. 31.
On Feb. 1, Gold Rush and Mr. Heidner sent a letter to the IGB demanding basic answers regarding the data breach, as well as “an immediate and thorough investigation into the IGB’s role in the orchestrated and public smear campaign” against Mr. Heidner that began in October 2019. On Feb. 7, the IGB responded it could not provide the requested information to Mr. Heidner.
Upon filing the complaint, Mr. Heidner and Gold Rush also referred the matter to Illinois Attorney General Kwame Raoul for further investigation.