Elemetal LLC faces a data breach class action resulting from its alleged failure to implement appropriate security measures, which led to a 2023 breach of approximately 13,000 customers’ personal information. Elemetal is a precious-metal refiner based in Texas, operating in more than 45 locations in the U.S.

The subject breach occurred between August 22 and September 1, 2023, and affected former and current customers’ personal information, including names, government-issued identification numbers, and Social Security numbers, according to the March 1 customer notification.

The complaint, filed in the U.S. District Court for the Northern District of Texas, alleges that Elemetal did not adhere to industry standards such as encrypting personal information or deleting data once it is no longer necessary for business purposes. The complaint further alleges that Elemetal failed to notify customers of the breach in a timely manner, which violates California’s Unfair Competition Law and Consumer Privacy Act (CCPA). The CCPA is the only consumer privacy rights law in the country that includes a private right of action related to damages suffered as a result of a breach of personal information. The lead plaintiff claims he has received an increase in spam calls, texts, and emails since the incident occurred. The complaint alleges negligence, breach of implied contract, and unjust enrichment, and seeks money damages as well as equitable and injunctive relief and attorneys’ fees and costs. Specifically, such relief includes a requirement that Elemetal delete or destroy all personal information of class members and implement a comprehensive data privacy and security program.