A consulting firm’s data breach triggered a second class action lawsuit filed by a concerned participant on behalf of a group of approximately 2,500,000 people.
The lawsuit, brought by plaintiff Greg Torrano, claims that 2,537,261 people signed up for employee benefit plans through their employers, only to find that their personally identifiable information (PII), including names, dates of birth and social security numbers, was stolen in a data breach. “The defendant failed to use reasonable appropriate or adequate security procedures and practices to protect the sensitive, unencrypted information it maintained for clients, causing the unauthorized exfiltration of the PII of over 2,500,000 people,” according to the lawsuit (Greg Torrano v. Horizon Actuarial Services LLC, case number 1:22-mi-99999, in the U.S. District Court for the Northern District of Georgia) against the consulting firm Horizon Actuarial Services LLC.
According to the lawsuit, on or around November 12, 2021, Horizon received an email from a group “claiming to have stolen data from its computer servers” on November 10, 2021 and November 11, 2021. Horizon, after conducting an investigation, paid the group in return for an “agreement that they would delete and not distribute or misuse the stolen information”. The group provided a list of information they claimed to have stolen from Horizon’s servers.
Subsequently, “on or about January 9, 2022, Horizon determined that the information contained the individuals’ sensitive information and the preliminary list of those affected by the data breach. Defendant determined that the unauthorized actor accessed and exfiltrated the PII of more than 2,537,261 current and former Horizon customers (“Class Members”), including those of Plaintiff and Class Members.” Then around January 13, 2022, Horizon began notifying affected class members. Despite learning of the data breach in November 2021, Horizon waited to begin notifying class members until approximately January 13, 2022. The requester did not receive their data incident notice from Horizon until April 14, 2022.
“Until they were made aware of the breach, Plaintiff and Class Members had no idea that their PII had been compromised and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social and financial harm. The risk will remain for the rest of their lives,” according to the lawsuit, which claims that their PII was compromised due to the defendant’s failure to:
- adequately protect the PII of defendant’s customers;
- warn defendant’s customers of defendant’s inadequate information security practices; and
- effectively secure material containing protected PII using reasonable and effective security procedures that are free from vulnerabilities.
“The defendant’s conduct amounts to negligence and violates federal and state laws,” according to the suit.
The lawsuit goes on to describe the “numerous actual and imminent injuries resulting directly from the data breach” and, as a result, the damages suffered by the plaintiff, including:
(a) theft of their PII;
(b) costs associated with detecting and preventing identity theft;
(c) the costs associated with time spent and lost productivity in taking time to address and attempt to improve, mitigate and manage the consequences of the Data Breach;
(d) invasion of privacy;
(e) emotional distress, stress, annoyance and embarrassment related to and resulting from the data breach response;
(f) actual and/or imminent harm resulting from actual and/or potential fraud and identity theft caused by placing their personal data in the hands of hackers and/or malicious criminals;
(g) damages and diminished value of their Personal Data entrusted to Respondent with the mutual understanding that Respondent would protect their PII from theft and not allow access and misuse of their Personal Data by others; and
(h) continued risk to their PII, which remains in Respondent’s possession, and which is subject to further detrimental breaches, so long as Respondent does not take appropriate and adequate measures to protect Complainant’s and Class Members’ PII, and, at the very least, are entitled to nominal damages.
Black Market “Bonus”
The lawsuit points out that the information compromised in this data breach is impossible to “close” and difficult, if not impossible, to change (name, date of birth, financial history and social security number) and therefore “commands a much higher price on the black market.”
“Although Defendant has offered its clients identity monitoring services for twelve months through Kroll, the services offered are insufficient to protect Plaintiff and Class Members from the threats they face for years to come, particularly in light of the PII at issue here,” the suit continues. Additionally, this plaintiff says he did not enroll in the (now) offered credit monitoring program, explaining that he “…has an inherent distrust of the defendant as a result of the data breach”.
The lawsuit claims that since becoming aware of the data breach, the plaintiff:
- spent more time reviewing bank and credit card statements (approximately two hours per day reviewing bank, credit card and debit statements); and
- suffered from significant fear, anxiety, and stress, which was compounded by Horizon not being forthright with information about the data breach.
“Defendant also had a fiduciary duty to put in place procedures to detect and prevent inappropriate access to and misuse of Plaintiff and Class Personal Information,” according to the suit. “The defendant’s obligation to use reasonable security measures arises from the special relationship that existed between the defendant, the plaintiff and the class. This special relationship arose because the Plaintiff and the Group entrusted the Defendant with their confidential PII, a necessary party to obtain services from the Defendant, and because the Defendant was the only party able to know of his inadequate security measures and able to take steps to prevent the Data Breach.”