Death by a Thousand Paper Cuts

In 2023, Pension Benefit Information, LLC — a Minneapolis data broker — lost the presenter's name, Social Security Number, and date of birth in the MOVEit/Cl0p ransomware breach. Notification arrived 42 days after PBI's own discovery, violating Washington State's 30-day statutory requirement. The presenter spent time on expert remediation, invoiced PBI $1,050, and was refused. He filed small claims in King County District Court.

PBI responded with corporate counsel and a jurisdictional dismissal motion. On March 16, 2026, Judge Michael J. Finkle denied that motion and issued judgment for the plaintiff, explicitly finding that a cybersecurity professional's time assessing a breach is compensable at professional rates. Routine tasks any victim could perform are not. PBI paid.

This talk distills the experience into a complete, replicable playbook for any breach victim with documentation, a $50 filing fee, and a few hours of preparation. Class actions pay lawyers. Small claims pays you.

• Washington State has jurisdiction over PBI despite no physical presence in state — 18,856 WA residents were affected; PBI filed breach notifications with the WA AG; individual residents have no practical recourse outside WA courts.
• Plaintiff is entitled to opt out of pending class action and pursue individual remedy. Class action does not bar this claim.
• MOVEit had a single security vulnerability. Defense-in-depth (double layers of security) is the appropriate standard. PBI was negligent.
• One hour of expert cybersecurity evaluation time is compensable at professional rates ($300). Routine tasks any affected individual could perform are not.
• Judgment: $300 principal + $50 filing fee = $350 total. Paid within 30 days.

All documents are either public court record or the presenter's own work.

• [PDF] Judgment After Trial — 25CIV60102KCX Public record — King County DC
• [PDF] Plaintiff's Trial Argument Outline 20-minute argument structure
• [PDF] Evidence Package — 25 pages Appendices A–H
• [PDF] Washington State King County Small Claims Defendant Packet — 5 pages Appendices A–H
• [PDF] Washington State King County Small Claims Plaintiff Packet — 10 pages Appendices A–H
• [TXT] DEF CON 34 CFP Submission — Full Outline Talk sections, template, references

1. Get the breach notification. Scan it immediately. Save everything.
2. Archive the sender's web presence on the Wayback Machine the same day. Blogs disappear during litigation. Screenshots too — belt and suspenders.
3. Find the correct legal entity: state SoS registry + AG breach notification registry. The name on the letter is not necessarily the entity you sue.
4. Log remediation time with timestamps and specific activities from day one. Include hardcopy review AND online research time. Separate expert-skill tasks from routine tasks — the judge WILL draw this line.
5. Document your rate basis with specifics. Market data helps. You are asking for a conservative, defensible floor — not your ceiling.
6. Invoice before filing. Set a payment deadline. Keep the refusal letter. "They wouldn't pay" is the whole story in two seconds.
7. Find your state's small claims limit and appealability threshold. Consider whether you want the case to be appealable. Act accordingly. NOTE: Not all states are as well-documented as Washington — King County's process is unusually clear. Read everything on your court's website. If it isn't clear, call the clerk and ask.
8. File. Name the correct entity. Serve the registered agent, not the PR address. CRITICAL: You cannot serve the defendant yourself. Find someone over 18 who is not a party. Service must be completed at least 10 days before pretrial. File the Declaration of Service afterward. Miss this and your case is dismissed. No exceptions.
9. After filing, ask the clerk explicitly how to attach your account to the case in the court portal. You are the plaintiff. This is not automatic. Nobody volunteers this.
10. Expect mandatory mediation before trial. It is free. It is confidential and does not become part of the court record. It does not affect your right to trial if it fails. Do not settle for less than your documented claim just to avoid the hearing — walk out and go to trial.
11. If they file a jurisdiction motion, oppose it with the data: how many residents of your state were affected, and where can those individuals practically sue? The answer to the second question is: here.
12. Exchange evidence with the other party 14 days before trial. Not optional — failure risks continuance or exclusion. Do it in writing, keep proof of delivery. Bring two printed copies of everything to the courtroom. The clerk makes nothing.
13. Show up prepared. Five elements. Documented evidence. No drama.
14. Take the check. Then file a Satisfaction of Judgment with the clerk to close the record. Your court packet includes this form. File it.

Ken Hollis spent 40 years in technology across aerospace (Kennedy Space Center), enterprise networking, SCADA/ICS, and 18 years at Microsoft with 11 in security engineering, including the Cyber Defense Operations Center and critical infrastructure security for data centers and industrial control systems. He is retired and lives near Redmond, Washington. He is not a lawyer. He won anyway.