DEF CON 34 - CALL FOR PAPERS SUBMISSION
========================================

TITLE: Death by a Thousand Paper Cuts - How to Make Corporate Data Negligence Expensive One Small Claims Case at a Time
PRESENTER: Ken Hollis
REQUESTED SLOT: 45 minutes
TRACK: Main Stage
SUPPORTING MATERIALS: Signed judgment, King County District Court case 25CIV60102KCX (public record). Case arguments and case evidence available at: https://gandalfddi.z19.web.core.windows.net/pbibreach.html

========================================
TALK OVERVIEW / ABSTRACT
========================================

"Don't piss off a geek ... They don't have a life and can EASILY make you the focus of THEIR life" - Me

This talk presents a complete, replicable legal strategy for cybersecurity practitioners who become data-breach victims to pursue accountability through small claims court and get compensated for their time. Instead of relying on class-action settlements that pay attorneys tens of millions while delivering $3.47 (coffee money) to victims, this approach shows how individuals can turn breach remediation into a billable event and get paid for it. The method bypasses the structural failures of class actions and reframes breach response as recoverable labor rather than the "free time" companies quietly expect victims to absorb.

The framework is built from a real case I won against a private-equity-owned data broker (Boo!!!) following the 2023 MOVEit/Cl0p ransomware breach. King County District Court case 25CIV60102KCX went to trial on March 16, 2026, where Judge Michael J. Finkle issued a judgment against Pension Benefit Information LLC (PBI). PBI paid. The check is cashed. The judgment is public record.

But the outcome is not the point, the template is. Everything I did is reproducible by any breach victim with documentation, a filing fee ($50), a process server ($75), and a few hours of preparation.

The talk distills this experience into a practical, step-by-step playbook:
- Why class-action litigation structurally fails victims
- How to build and file a small-claims case that survives jurisdictional attacks
- How to use the process as the great equalizer, the only lever that reliably gets the attention of negligent data custodians

If enough small claims cases are won, will this encourage companies to be more secure? Probably not, but here is a framework to win; at least it will get YOU some satisfaction.

========================================
SECTION 1 - OPENING (3 minutes)
========================================

"Get in good trouble, necessary trouble, and help redeem the soul of America." - John Lewis

The talk opens with the signed judgment on screen. No biography slide. No agenda slide. First words:

"In 2023, a company I've never heard of lost my SSN. I invoiced them. They refused. I sued. They sent a lawyer. I won. IANAL (I Am NOT a Lawyer)"

The judgment establishes immediately that this is not theoretical. It has a case number, a judge's signature dated March 16, 2026, and a paid check. My credibility is established in one sentence: 18 years at Microsoft, 11 years in security engineering including the Cyber Defense Operations Center. The audience is told that statistically half the room has received a breach notification letter, and what follows is the template for taking these companies to small claims court, a template they did not know existed.

Navigation purpose: eliminate skepticism before the audience has time to decide whether this is relevant to them. It is.

========================================
SECTION 2 - WHY CLASS ACTIONS FAIL VICTIMS (5 minutes)
========================================

--> How to get the attention of Layer 8 and above: https://en.wikipedia.org/wiki/Layer_8

Your work cleaning up after a data breach is NEVER fully repaid. It is essentially free work, with the lawyers (Boo!) getting the bulk of the payout:

Equifax 2019: 147 million victims, $700M settlement fund, average per-victim cash recovery under $10 after the claims process. Counsel fees: $77.5M.

Capital One 2023: 98 million victims, $190M settlement, approximately $25 average per-victim recovery. Counsel fees: $63M.

Relying on class actions to refund your efforts isn't going to buy you much more than a couple of coffees. Class actions pay the attorneys. The company pays a rounding error relative to revenue. No behavior changes. The breach pattern repeats. Equifax has had multiple subsequent security incidents since 2017. The 2019 settlement changed nothing.

The King County judgment addendum addresses this directly. Judge Finkle wrote: "PBI points to the fact that there are large-scale class action lawsuits pending, including against PBI. But potential class members are entitled to opt out of the class by filing their own lawsuit. That is what Hollis has done." That language is now in a public court record.

Small claims is a mechanism that exists, has jurisdiction, and nobody uses because nobody knows the procedural path. It is dead simple. The courts walk you through the procedure; they helped me MULTIPLE times to move forward. I will show you what I did (AND the mistakes I made).

References: Equifax settlement (FTC, 2019); Capital One data breach class action settlement, E.D. Va. 2023; King County District Court, 25CIV60102KCX, Addendum to Judgment After Trial (2026).

========================================
SECTION 3 - ANATOMY OF THE BREACH (7 minutes)
========================================

"Everyone has a plan 'till they get punched in the face" - Mike Tyson

Three sub-components establish the technical and legal foundation.

3A - The MOVEit/Cl0p breach context

Progress Software's MOVEit Transfer product contained a SQL injection vulnerability (CVE-2023-34362) disclosed May 31, 2023. Cl0p began exploitation before the patch was available. For negligence purposes, however, the critical question is not zero-day exploitation; it is what a reasonably prudent organization would have had in place assuming software will eventually be compromised. Defense in depth, and the lack thereof.

YOU need to find out (to the best of your abilities) HOW the attackers got in. The company is NOT going to come right out and tell you. I only got hints of how this happened. Not only did they fail defense in depth, they also failed to protect the encryption. The Kroll forensic report, obtained and entered into evidence, documents that Cl0p used MOVEit's own internal GetDecryptionStream function to access data. The attackers did not crack encryption. They used the application's own decryption logic. In plain terms: the door was locked, but the key was built into the door. That is an architectural failure, not an act of God.

3B - PBI's security posture at breach

PBI's own blog, posted August 25, 2023, stated that their pre-breach security program consisted of annual SOC 2 audits. That blog was removed July 16, 2024, while active litigation over this breach was underway. The Wayback Machine preserved it. It was entered into evidence.

SOC 2 is a compliance framework designed by the American Institute of Certified Public Accountants and audited by accounting firms. It attests that controls existed on audit day. It does not require continuous monitoring, multi-factor authentication, penetration testing, network segmentation, or a patching cadence. A company can pass a SOC 2 audit while its operational security is materially deficient. That is not a theoretical observation. That is what happened here.

PBI's own breach notification letter (Appendix B, in evidence) states they were "reviewing and enhancing our information security policies and procedures" in response to the event. They did not need a court to tell them their posture needed work; they said so themselves, in writing, to every affected individual.

The NIST Cybersecurity Framework, a federal standard freely available since 2014, prescribes as baseline: multi-factor authentication, intrusion detection systems, network segmentation, and encryption with proper access controls. Whatever PBI implemented after the breach (and those "enhancements" are left up to speculation), their own letter confirms they implemented them because the breach revealed a gap. That is the definition of controls that should have been in place before it.

Judge Finkle's addendum found: "Based on [internet] research that double layers of security are appropriate, the Court finds by a preponderance that MOVEit was negligent." Small claims courts do not write law review opinions. The finding against PBI followed from PBI's data custody combined with the security failure.

3C - The notification violation

RCW 19.255.010 requires notification to affected Washington residents within 30 days of breach discovery. PBI's own Washington State Attorney General breach notification filing documents their discovery date. PBI notified me 42 days after discovery. That is 12 days past the statutory limit.

Key evidentiary moment: the deleted blog. This section presents the timeline side by side - the Wayback Machine archive dated September 26, 2023 showing the security posture admission, and the live PBI site showing the page removed July 16, 2024, during active litigation.

Lesson for the audience: archive the sender's web presence the day you receive a breach notification. Corporate legal teams scrub. The Wayback Machine does not.

Example of NOT USEFUL: Who is Twingate and where did they get this information? The two references on their page do not show this information: https://www.twingate.com/blog/tips/pbi-data-breach "In response to the data breach, PBI implemented several enhanced security measures to protect sensitive data and prevent future incidents. These measures included ..."
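As an added example (my illustration, not part of the talk materials or the case evidence), a small Python helper that does what the lesson above and template step 2 call for: hash the live copy of a page with a UTC timestamp, trigger a Wayback Machine "Save Page Now" capture, and record the nearest pre-existing snapshot so your evidence log shows what archive.org held on the day you received the letter. The two archive.org endpoints are its public ones; the blog URL, page content and API response below are constructed placeholders, not PBI's real site or a real archive reply.

```python
"""
Evidence preservation helper: hash the live page, request a Wayback capture,
and record the nearest existing snapshot in one structured record.

Added example, not from the talk materials. Endpoints are archive.org's public
Save Page Now (GET https://web.archive.org/save/<url>) and Availability API
(GET https://archive.org/wayback/available?url=<url>). Demo data is constructed.
"""
import datetime as dt
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

SAVE_ENDPOINT = "https://web.archive.org/save/"
AVAILABILITY_ENDPOINT = "https://archive.org/wayback/available"
Fetcher = Callable[[str], bytes]


def save_url(target: str) -> str:
    """Request URL that asks Save Page Now to capture `target` right now."""
    return SAVE_ENDPOINT + target


def availability_url(target: str, timestamp: Optional[str] = None) -> str:
    """Availability API query; optional `timestamp` (YYYYMMDD...) asks for the capture nearest that date."""
    params = {"url": target}
    if timestamp:
        params["timestamp"] = timestamp
    return AVAILABILITY_ENDPOINT + "?" + urlencode(params)


def wayback_ts_to_iso(ts: str) -> str:
    """Wayback timestamps are YYYYMMDDhhmmss (UTC); exhibits read better as ISO 8601."""
    return dt.datetime.strptime(ts, "%Y%m%d%H%M%S").strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_availability(body: bytes) -> Optional[Dict[str, str]]:
    """Return the closest snapshot as {'url', 'captured'}, or None if nothing is archived."""
    if not body:
        return None
    data = json.loads(body.decode("utf-8"))
    closest = data.get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available"):
        return None
    return {"url": closest["url"], "captured": wayback_ts_to_iso(closest["timestamp"])}


@dataclass
class EvidenceRecord:
    source_url: str
    fetched_at_utc: str                          # when YOU pulled the live copy
    sha256: str                                  # fingerprint of the bytes saved next to this record
    byte_length: int
    save_request: str                            # the Save Page Now URL that was hit
    wayback_snapshot: Optional[Dict[str, str]]   # nearest pre-existing archive capture, if any


def live_fetch(url: str, timeout: float = 30.0) -> bytes:
    """Plain HTTP GET for real use; swapped for a canned fetcher in the offline demo."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def preserve(target: str, fetch: Fetcher = live_fetch,
             now: Optional[dt.datetime] = None) -> EvidenceRecord:
    """Fetch and hash the live page, trigger a capture, and note the nearest existing snapshot."""
    when = now or dt.datetime.now(dt.timezone.utc)
    content = fetch(target)
    fetch(save_url(target))  # the GET itself triggers the capture; its body is not needed here
    snapshot = parse_availability(fetch(availability_url(target)))
    return EvidenceRecord(
        source_url=target,
        fetched_at_utc=when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        sha256=hashlib.sha256(content).hexdigest(),
        byte_length=len(content),
        save_request=save_url(target),
        wayback_snapshot=snapshot,
    )


def make_fake_fetch(responses: Dict[str, bytes]) -> Fetcher:
    """Offline fetcher for the demo: canned bytes per URL, b'' for anything unknown."""
    return lambda url: responses.get(url, b"")


# Constructed demo data: placeholder blog URL, page body and Availability API reply.
DEMO_URL = "https://example.invalid/blog/our-security-program"
DEMO_PAGE = b"<html>Our security program consists of annual SOC 2 audits.</html>"
DEMO_AVAILABILITY = json.dumps({
    "url": DEMO_URL,
    "archived_snapshots": {"closest": {
        "status": "200", "available": True, "timestamp": "20230926120000",
        "url": "http://web.archive.org/web/20230926120000/" + DEMO_URL}},
}).encode()
demo_fetch = make_fake_fetch({DEMO_URL: DEMO_PAGE,
                              availability_url(DEMO_URL): DEMO_AVAILABILITY})

if __name__ == "__main__":
    print(json.dumps(asdict(preserve(DEMO_URL, fetch=demo_fetch)), indent=2))
```

Keep the fetched bytes and the printed record together; the SHA-256 ties the two, and the snapshot entry shows the archive already held the page before you asked for a fresh capture.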
References: CVE-2023-34362 (NVD); CISA Advisory AA23-158A (MOVEit, June 2023); Kroll forensic report (submitted as evidence, 25CIV60102KCX); PBI post-breach security measures; RCW 19.255.010; Washington State AG breach notification registry, PBI filing (2023); Wayback Machine archive, web.archive.org (PBI blog, September 26, 2023 capture; removal confirmed July 16, 2024).

========================================
SECTION 4 - BUILDING THE CASE: THE REPLICABLE STEPS (8 minutes)
========================================

... and where I made mistakes. Each step tells you what actually happened in this case, then abstracts it to the general pattern.

Step 0: Identify the correct plaintiff.

The person in court is the correct plaintiff. If you did work for your parents and THEY are who you are suing for, then THEY must be in court. If you did work for your WIFE, then SHE must be in court. In the end, because MY data was breached, I went that route. I represented that I had done the work, on my own professional time.

This is where the court helped. The judge dismissed the first case (24CIV19227KCX) "without prejudice," which meant I could refile for myself, Case 25CIV60102KCX. The judge also explained clearly to me what that meant. As a note, when a case is dismissed "with prejudice" (on the other hand) it typically signifies a final resolution that prevents the plaintiff from refiling the same claim in that court. So that cost me an extra $50 (unrecoverable) PLUS another process server fee ($75). In the end, unless you want to "bill" someone for your work and have them present in court, file the case for yourself.

Step 1: Identify the correct legal entity.

The breach notification came from "PBI Research Services." The correct defendant for service of process is "Pension Benefit Information LLC." These are not the same entity. Filing against the wrong name can produce a dismissal on a pre-answer motion before any merits argument (assuming you even get that far). I had to amend the original complaint (24CIV19227KCX) with the court AND had to have the process server serve the documents again (another $75 that was unrecoverable; a total of $145 because I made a mistake with the company name, and another $75 because I had to refile (above): $220 total).

How to find the correct entity: the state Secretary of State business registry (free, public, 10 minutes) cross-referenced against the state AG breach notification registry (also free and public). Both name the correct entity. The gap between the brand name on the notification letter and the legal entity required for valid service is how PE-backed data brokers operate. They make it difficult to track for a reason. You have to untangle it.

This is the talk's first procedural trap demonstration. There are several. Each one is designed to defeat pro se plaintiffs on form rather than on merits.

Step 2: Document remediation time immediately and specifically.

Do not bill for "spent time dealing with the breach." Keep a timestamped log of specific activities, with the rate basis documented contemporaneously. In this case: breach research and exposure assessment (1 hour, expert-rate work); credit report review (1 hour); credit freeze placement across three bureaus (1.5 hours). Rate: $300/hour for expert work, conservative for senior cybersecurity consulting in the Seattle metropolitan area.

The judge's ruling on this point is the most important precedent the talk creates. Judge Finkle compensated the expert evaluation hour at full rate ("he utilized his technological skills") but did not compensate the credit bureau enrollment time ("any of the 11,000,000 people impacted by the breach could do that"). This distinction - expert-skill work versus tasks any victim could perform - is the template refinement that makes future claims stronger.

For future plaintiffs: document separately which remediation steps required professional expertise and which were routine. Claim the expert time. The judge's reasoning supports it. You *might* be able to document a nominal $25/hour for "other" time, but don't be surprised if the judge removes that amount from the decision.

Step 3: Invoice before filing.

An invoice was sent to PBI with a payment deadline before any court filing. PBI refused in writing, citing pending class action litigation. Both documents became exhibits. The refusal created the cause of action and established that litigation was a last resort, not a first choice.

Step 4: The appealability threshold as a strategic tool.

RCW 12.40.020 sets the Washington small claims limit at $10,000. The appealability threshold, the dollar amount above which the losing party may appeal to Superior Court, is $1,000. The claim was filed at $1,050: fifty dollars above the line.

I went to the small claims court website to figure out how to file; all the instructions SHOULD be online. Since these are normal citizens filing small claims, the instructions pretty much assume that you don't know anything (and in my case they were correct). After filing, ask the clerk explicitly how to attach your account to the case in the court portal. As plaintiff you are entitled to it. It is not automatic. Nobody will volunteer this information. To be fair, very few people would even CARE about this, but you do.

PBI's options were to pay, or to drag a retired Microsoft cybersecurity engineer through King County Superior Court with full discovery, depositions, and the Wayback Machine archived blog, over fifty dollars above the $1,000 maximum, had they been required to pay the $1,050. As it was, since the amount awarded was less than $1,000, no appeal was possible.

Look for that amount in your state. Is your bill REALLY more than that minimum amount? If you win, do you want an appeal? If you lose, can they come back and claim frivolous lawsuit? IANAL, but IMHO it would be hard to claim the case was frivolous because (AND YOU DID DOCUMENT, RIGHT?):
- It would be grounded in statutory duties, documented harm, and good-faith legal arguments (KEEP YOUR DOCUMENTATION!)
- Document your timelines and make sure you have evidence, timelines, statutes, case law, and a clear causal chain
- Washington courts reserve "frivolous" for cases that are baseless AND brought in bad faith, a very high bar, and you brought this in good faith

A company can say it, but getting a judge to agree is another matter entirely.

In the end they sent their own Managing Corporate Counsel to small claims court to respond to the case. Think about that cost-benefit calculation. The attorney fees for small claims defense exceeded the amount claimed several times over. This is what happens when a company treats every claim as a threat to be litigated rather than a bill to be paid. While she was able to argue pre-trial jurisdiction of the case itself (PBI contended it was not subject to jurisdiction in WA because ... many reasons, disputed in DEFCON34_25CIV60102KCX_Evidence.pdf; none of the reasons were accepted, see the rebuttals in the Evidence document), because she was a lawyer she was not able to present in Small Claims Court; a non-lawyer for PBI had to represent in court. LOTS more hours spent on this for her.

Washington State ALSO requires mediation before a trial. Since PBI still had my data, I offered to spend a few hours talking to their cybersecurity team if they paid. Hey, might as well up THEIR game also; a rising tide lifts all boats. My offer was turned down. As a side note, if the company's lawyer wants to speak to you privately it is almost CERTAINLY to get more information. Be careful, it probably won't help you; during the call with her I was VERY careful what I said.

For mediation, also think about what OTHER "things" this company could give you to compensate for your time. Product? Some kind of credit? Maybe send money to your favorite 501(c)(3) charity? Think outside the box, be creative. In the end PBI refused everything for mediation and we headed to court. This was their ONLY chance to get me to sign an NDA and they missed that opportunity.

Because legal counsel is not allowed during the Small Claims trial in Washington State, the CEO of the Private Equity firm was on the Zoom call to represent his company. Think of the people you will meet :-)

... You will have to find your own state's equivalent threshold. Most states have a small-claims appealability threshold, typically between $500 and $2,500, but the exact amount varies widely and must be checked state by state. Examples:
- California: Either party may appeal any small-claims judgment (but only the defendant can appeal if the plaintiff filed the case). No dollar threshold.
- Texas: Appeals allowed for judgments over $250.
- New York: Appeals allowed for any amount.
- Oregon: Appeals allowed only if the claim is over $750.
- Virginia: Appeals allowed only if the amount is over $50.
- Arizona: No appeals in small claims at all. You must choose "justice court" instead if you want appeal rights.

References: RCW 12.40.020; Washington SOS (Secretary of State) business registry; Washington AG (Attorney General) breach notification registry; 25CIV60102KCX Addendum (Judge Finkle, 2026).

========================================
SECTION 5 - THE LEGAL FRAMEWORK: FIVE ELEMENTS (6 minutes)
========================================

Every U.S. jurisdiction recognizes the same foundational negligence structure as Washington State, and you must prove all five. Some states compress them into four by merging cause-in-fact and proximate cause into a single "causation" element, but the substance is identical:
- Duty
- Breach of Duty
- Cause in Fact
- Proximate Cause
- Damages

Duty: RCW 19.255.010 imposes a duty of care on any entity holding personal information. No contract required. Duty attaches at the moment of data collection.
PBI's own conduct confirmed they understood this duty: they notified 18,856 Washington State residents and filed with the Washington AG. You do not comply with Washington's breach notification statute if you believe you have no obligations to Washington residents (this goes to the "WA Court No Jurisdiction" submissions from the lawyer). McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810, supports that voluntary custody of personal data creates a common-law duty of reasonable care even absent a direct contractual relationship.

Breach: An annual SOC 2 audit as the entirety of a security program falls below the standard of care for any organization handling SSNs and dates of birth at scale. The evidence is PBI's own words, preserved by the Wayback Machine.

Causation: The but-for test is direct. But for PBI's breach, my data would not have been exfiltrated. But for the exfiltration, no remediation time would have been consumed. Webb v. Injured Workers Pharmacy LLC, 72 F.4th 365 (1st Cir. 2023) holds that time spent taking protective measures following a data breach satisfies the injury requirement, treating opportunity costs and lost time as equivalent to monetary injury. --> The court distinguished this from speculative future harm. <-- (This is the IMPORTANT part.) YOU DO NOT HAVE TO SHOW RECEIPTS THAT YOU WERE HARMED. This injury requires me to respond to a substantial and imminent risk. Name, SSN, and date of birth is precisely the combination required to open fraudulent credit accounts, file false tax returns, and compromise Social Security benefits.

One additional causation point the talk highlights as a template element: PBI's own breach notification letter instructed affected individuals to review credit reports, place credit freezes, and monitor accounts. I did exactly what PBI told me to do. The time that consumed is PBI's liability, not the victim's to absorb. The judge did not allow compensation for this review, BUT other courts may, at a discounted rate (I heard $25/hr. thrown around?). The judge can always strike that amount if they do not agree.

Proximate cause: (This is the part WHERE YOU SHINE! Do your forensic investigation and figure out, using every website you can, what actually happened. Distill it into the essentials and how it affects you. Give the judge your knowledge but DO NOT BURY the judge in acronyms and cyberspeak. Explain it like you were talking to your parents.)

The zero-day defense, that an unforeseeable vulnerability makes the breach unforeseeable, fails on its own logic. You know this from experience. Zero-day vulnerabilities are not exceptional events. They are the foundational assumption of the entire cybersecurity industry. Defense-in-depth exists PRECISELY because any software can be compromised without warning. PBI's post-breach implementation of "enhancing our information security policies and procedures" (which I assume is MFA, IDS, and network segmentation) proves they knew what baseline controls were required. They just had not implemented them before the breach.

The Kroll finding that attackers used MOVEit's own decryption functions also nullifies the RCW 19.255.010 encryption safe harbor argument. The data was technically encrypted. The application decrypted it for the attacker. A safe harbor for encrypted data does not extend to an architecture where the encryption key is accessible through the application's own logic.

Damages: Documented remediation time at a documented expert rate, with the judge's reasoning on what qualifies as expert-rate work and what does not.

The slide at this point is the five-element framework as a fill-in-the-blank template. It is designed to be viewed and downloaded for the audience to fill in.

References: RCW 19.255.010; McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810; Webb v. Injured Workers Pharmacy LLC, 72 F.4th 365 (1st Cir. 2023); Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018); Restatement (Third) of Torts §34; 25CIV60102KCX Addendum (Judge Finkle, 2026).

========================================
SECTION 6 - IN THE COURTROOM (5 minutes)
========================================

This section demystifies small claims procedure. The goal is to eliminate the intimidation factor that keeps people away from courts that exist for exactly this purpose.

King County District Court, East Division, Redmond Courthouse. Small claims. No formal rules of evidence. No required attorney. A judge who has heard thousands of these cases and is not impressed by corporate counsel's appearance.

PBI filed a jurisdiction motion as their first move. This is a standard procedural attempt to get the case dismissed before any merits argument. The motion was denied. Judge Finkle's addendum addresses this directly: approximately 19,000 Washington State residents were affected, individuals cannot practically sue in Minnesota, and Washington courts have authority to retain jurisdiction.

This jurisdiction ruling is itself a template element. It establishes that a company holding data from residents of a state can be sued in that state's courts even without a physical presence there, when the harm to residents is the company's business activity.

PBI sent a corporate representative via Zoom. The speaker appeared in person, in the room. Why the CEO of the company, I am not sure; maybe to impress the judge?

The argument structure - five elements, walking through the evidence with specific appendix references - is documented in the supporting materials. The Wayback Machine exhibit (archived blog showing the deleted security posture statement) was presented directly. The Kroll forensic report was presented.

Judge Finkle's ruling awarded $300 on the expert evaluation hour and declined the credit bureau enrollment time on the grounds that routine tasks are not compensable at expert rates. This partial outcome is the more useful precedent. It is not a windfall ruling. It is a surgical one: your professional time assessing a breach is worth your professional rate; paperwork that any victim could complete is not. That line is now in a public court record. Future plaintiffs can use it.

The judgment was signed March 16, 2026. The check arrived and was deposited.

========================================
SECTION 7 - THE SCALE ARGUMENT (3 minutes)
========================================

18,856 Washington State residents were affected by the PBI breach. The broader MOVEit breach affected approximately 11 million individuals across all affected organizations.

If 1,000 of the PBI Washington victims file small claims actions, not at $1,050 but at $300 (the amount the judge found unambiguously compensable), that is $300,000 in exposure from Washington alone. More importantly, it is 1,000 individual cases that cannot be aggregated into a single class action settlement, cannot be resolved with a $3.47/victim fund, and create 1,000 separate court records documenting the same negligent conduct, plus the time that PBI has to assign someone to track, go to court, reply, etc. If the defendant doesn't show up, you get a DEFAULT JUDGMENT! (YOU WIN!)

The PE ownership structural point: post-acquisition breach liability, asset versus stock sale structures, R&W insurance coverage gaps, and entity layering are all designed to insulate post-sale owners from pre-sale negligence. None of those structures provide protection against individual small claims judgments in the jurisdiction where the victim lives. The liability cannot be transferred in the asset sale.

With the new AI tools being used to discover vulnerabilities, the "unforeseeable vulnerability" defense becomes harder to sustain. AI-assisted tools reduce the expertise required to identify attack surfaces, and less-than-expert users can run discovery on a target to find holes with the help of AI.
The standard of care for data custodians is a moving target, and it is moving against them. Judge Finkle's finding that double layers of security are appropriate is now documented case law, however informal, in Washington small claims. It will be cited again.

========================================
SECTION 8 - THE TEMPLATE AND CLOSE (3 minutes)
========================================

The talk ends with an explicit numbered take-home template. This slide is designed to be photographed, downloaded and shared.

1. Get the breach notification. Scan it in and save it immediately.
2. Archive the sender's web presence on the Wayback Machine the same day. The window between incident and legal review is where admissions live. They can delete blogs at any time. SCREEN SHOTS!!!!
3. Find the correct legal entity: state SoS registry + AG breach notification registry. The name on the letter is not necessarily the entity you sue.
4. Log your remediation time with timestamps and specific activities from day one. Include review of the documents you received (hardcopy) AND time spent online researching. Separate expert-skill tasks from routine tasks. Document the distinction.
5. Document your rate basis with specifics.
6. Invoice before filing. Set a payment deadline. Keep the refusal letter.
7. Find your state's small claims limit and appealability threshold. Consider whether you want the case to be appealable. Act accordingly.
8. File. Name the correct entity. Serve the registered agent, not the PR address. You will have to fill out a Declaration of Service; the courts SHOULD have given you explicit instructions on how this works. CAREFULLY FOLLOW ALL DIRECTIONS.
9. If they file a jurisdiction motion, oppose it with the data: how many residents of your state were affected, and where can those individuals practically sue?
10. Show up prepared. Five elements. Documented evidence. No drama.
11. Take the check.

Close: "Class actions are for lawyers. Small claims is for you. The template is in your hands. I did this. So can 999 other people who got the same letter I did."

Talk materials, case documents, citation list, and replicable template will be posted at: https://gandalfddi.z19.web.core.windows.net/pbibreach.html

========================================
REFERENCES
========================================

CVE-2023-34362, National Vulnerability Database, NIST (2023)
CISA Advisory AA23-158A, "MOVEit Transfer and MOVEit Cloud Vulnerabilities," June 2023
Kroll forensic report, PBI Research Services / MOVEit breach investigation, 2023 (entered into evidence, 25CIV60102KCX)
PBI breach notification letter to affected individuals, July 14, 2023 [PBI's own admission of post-breach security enhancement; in evidence as Appendix B]
Washington State AG breach notification registry, PBI filing (2023)
Wayback Machine archive, web.archive.org - PBI Research Services blog, first capture September 26, 2023; removal confirmed July 16, 2024
RCW 19.255.010, Washington State data breach notification statute
RCW 12.40.020, Washington State small claims procedure and limits
King County District Court, case 25CIV60102KCX, Judgment After Trial (Doc 736221) and Addendum - Findings and Conclusions (Doc 736235), Judge Michael J. Finkle, March 16, 2026 [public record]
Webb v. Injured Workers Pharmacy LLC, 72 F.4th 365 (1st Cir. 2023) [remediation time as compensable injury, standing in data breach cases]
McKenzie v. Allconnect, Inc., 369 F.Supp.3d 810 [duty of care attaches to data custody absent contractual relationship]
Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018) [duty of care for employers holding employee PII]
Restatement (Third) of Torts §34 [superseding cause; criminal third-party exploitation of negligent condition]
Equifax data breach settlement, Federal Trade Commission (2019)
Capital One data breach class action settlement, E.D. Va. (2023)
NIST Cybersecurity Framework v1.1 (2018) / v2.0 (2024) [baseline controls; defense-in-depth; applicable standard of care reference]

========================================
ABSTRACT (for OpenConf submission form)
========================================

In 2023, Pension Benefit Information LLC - a private-equity-owned Minneapolis data broker - lost the speaker's name, SSN, and date of birth in the MOVEit/Cl0p ransomware breach. Notification arrived 42 days after discovery, violating Washington State's 30-day statutory requirement. The speaker spent time on expert remediation, invoiced PBI $1,050, and was refused. He filed small claims in King County District Court. PBI responded with corporate counsel and a "not the right jurisdiction" motion. On March 16, 2026, Judge Michael J. Finkle signed a judgment awarding $300 for expert remediation time, explicitly finding that a cybersecurity professional's time assessing a breach is compensable at professional rates. Routine tasks any victim could perform are not. PBI paid.

This talk delivers the complete replicable template: finding the correct legal entity (not the brand name on the notification letter), documenting remediation time with the expert/routine distinction the judge drew, using the small claims appealability threshold as a strategic tool, and preserving evidence that corporate legal teams will attempt to delete. The Wayback Machine, the AG breach notification registry, and the SoS business registry are all free, public, and more useful than most people know.

Class actions pay lawyers. Small claims pays you.

========================================
SPEAKER BIO (for OpenConf submission form)
========================================

Ken Hollis spent 40 years in technology across aerospace (Kennedy Space Center), enterprise networking, SCADA/ICS, and 18 years at Microsoft with 11 in security engineering, including the Cyber Defense Operations Center and critical infrastructure security for data centers and industrial control systems. He was present in Firing Room 1 for the Challenger STS-51-L launch on January 28, 1986. He is retired and lives near Redmond, Washington. He is not a lawyer. He won anyway.