By Joanne Cleaver
When Karen Anderson saw that self-employed workers could qualify for financial assistance through the Pandemic Unemployment Assistance (PUA) section of the federal CARES Act, the California freelance editor thought that — just maybe — freelancers might catch a break this year.
Then Anderson heard of the data breaches in Ohio, Illinois, and Colorado, all resulting from faulty PUA payment systems quickly built and introduced by Deloitte, the U.K.-based consulting and accounting giant.
“It discourages people who are qualified,” Anderson told Digital Privacy News of such glitches. “They’re afraid to apply.”
The systems made applicants’ data visible to other candidates — and in short order, resulted in identity theft and digital theft from the accounts of already hard-hit self-employed workers.
About 161,000 Ohio residents received letters from Deloitte explaining the problem. In Illinois, the data spill potentially affected at least 44,000 PUA applicants and likely at least 27,000 in Colorado.
“This clearly is a bigger problem that Deloitte says,” Marc Dann, a former Ohio attorney general, told Digital Privacy News. He now runs a Cleveland law firm that last month filed a class-action lawsuit against Deloitte, which received a no-bid contract from Ohio state officials to operate the system.
Ohio’s unemployment benefits staff “had every reason to expect that data security would be the least of their problems,” Dann said. “Capacity would be the problem.”

“This clearly is a bigger problem than Deloitte says.”
Marc Dann, former Ohio attorney general and Cleveland lawyer.
Deloitte’s Response
After learning that its computer system made applicants’ personal data visible to one another on May 15, Deloitte “stopped the unauthorized access,” the firm said in an email to Digital Privacy News.
Deloitte is offering “12 months of free credit monitoring to those PUA claimants potentially impacted,” the company said.
Nice try, but not good enough, Dann said.
The lawsuit already has been amended once it was filed May 22 to include new claimants and their situations, he added.
“The original named clients took the usual steps — they put freezes on their accounts — but in the next couple of days, we started to hear from people whose bank accounts were attacked,” Dann said.
One, now part of the class action, was notified by her bank 30 minutes after the PUA funds landed in her account that an unknown party was trying to change her account credentials, Dann explained.
Now, the Ohioan can’t get at the $6,100 she already had in her account along with the stimulus funds she’d just received.
Other Problems in California
Compiling financial distress with data exposure makes a mockery of the rare opportunity for contractors to win their slice of financial help, said Anderson, the California freelancer.
Such workers in her state face an additional threat: to claim PUA benefits, they must list their clients, whom the state has vowed to subsequently investigate to determine if the freelancers are contractors or if they are misclassified as employees.
The controversial California Assembly Bill 5, signed into law last September, laid such stringent requirements on contractors to validate their independent status that many freelancers are losing work.
Among the professions affected are photographers, editors, journalists, writers, and language and sign-language interpreters.
At the very least, said Anderson, freelancers could have protected what’s left of their privacy by receiving PUA benefits as part of the federally distributed financial aid to nearly all Americans, as dictated by the Coronavirus Aid, Relief and Economic Security (CARES) Act.
“To avoid mistrust and possible misuse of our data and information, it would have been so much better to have had that funding — instead of funneled through each state — to have received that money from the federal government, like we did with the stimulus checks,” Anderson told Digital Privacy News.
She is administrator of a Facebook advocacy group, Freelancers Against AB5.
“For Californians, the audit trigger is one more potential privacy invasion for claiming PUA, and it discourages people who are qualified, because they’re afraid to apply.”
Joanne Cleaver is a writer based in Charlotte, N.C.
Sources (external links):