A consulting firm’s data breach has triggered a second class action lawsuit by an affected participant on behalf of a class of some 2,500,000 individuals.
The suit, brought by plaintiff Greg Torrano, claims that 2,537,261 individuals signed up for benefits plans through their employers—only to subsequently find that their personally identifiable information (PII), including names, birthdates and Social Security numbers, was stolen in a data breach. “Defendant did not use reasonable security procedures and practices suitable or adequate to protect the sensitive, unencrypted information it was maintaining for customers, causing the unauthorized exfiltration of the PII of more than 2,500,000 individuals,” according to the suit (Greg Torrano v. Horizon Actuarial Services LLC, case number 1:22-mi-99999, in U.S. District Court for the Northern District of Georgia) against consulting firm Horizon Actuarial Services LLC.
According to the suit, on or around Nov. 12, 2021, Horizon received an email from a group “claiming to have stolen data from its computer servers” on Nov. 10, 2021 and Nov. 11, 2021. Horizon, after conducting an investigation, paid the group in exchange for an “agreement that they would delete and not distribute or otherwise misuse stolen information.” The group provided a list of information they claimed to have stolen from Horizon’s servers.
Subsequently “on or about Jan. 9, 2022, Horizon determined the information contained the sensitive information of individuals and preliminary list of individuals affected by the Data Breach. Defendant determined that the unauthorized actor accessed and exfiltrated the PII of more than 2,537,261 current and former Horizon customers (‘Class Members’), including that of Plaintiff and Class Members.” Then around Jan. 13, 2022, Horizon began notifying affected class members. “Despite learning of the Data Breach in November 2021, Horizon waited to begin informing Class Members until roughly January 13, 2022. Plaintiff did not receive his Notice of Data Incident from Horizon until April 14, 2022.”
“Until notified of the breach, Plaintiff and Class Members had no idea their PII had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for the rest of their lives,” according to the suit, which claims their PII was compromised as a result of Defendant’s failure to:
- adequately protect the PII of Defendant’s customers;
- warn Defendant’s customers of Defendant’s inadequate information security practices; and
- effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities.
“Defendant’s conduct amounts to negligence and violates federal and state statutes,” according to the suit.
The suit goes on to outline the “numerous actual and imminent injuries as a direct result of the Data Breach,” and thus, the damages suffered by the plaintiff, including:
(a) theft of their PII;
(b) costs associated with the detection and prevention of identity theft;
(c) costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the consequences of the Data Breach;
(d) invasion of privacy;
(e) the emotional distress, stress, nuisance, and annoyance of responding to, and resulting from, the Data Breach;
(f) the actual and/or imminent injury arising from actual and/or potential fraud and identity theft posed by their personal data being placed in the hands of the ill-intentioned hackers and/or criminals;
(g) damages to and diminution in value of their personal data entrusted to Defendant with the mutual understanding that Defendant would safeguard their PII against theft and not allow access to and misuse of their personal data by others; and
(h) the continued risk to their PII, which remains in the possession of Defendant, and which is subject to further injurious breaches, so long as Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class Members’ PII, and, at the very least, are entitled to nominal damages.
Black Market ‘Bonus’
The suit points out that the information compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change—name, birthdate, financial history and Social Security number—and thus, “commands a much higher price on the black market.”
“Although Defendant has offered its customers identity monitoring services for twelve months through Kroll, the offered services are inadequate to protect Plaintiff and Class Members from the threats they face for years to come, particularly in light of the PII at issue here,” the suit continues. Moreover, this plaintiff says he hasn’t signed up for the credit monitoring program (now) offered, explaining that he “…has an inherent mistrust of the Defendant following the Data Breach.”
The suit claims that, since learning of the data breach, the plaintiff:
- has spent additional time reviewing his bank statements and credit cards (approximately two hours every day reviewing his bank, credit and debit card statements); and
- has suffered significant fear, anxiety and stress, which has been compounded by the fact that Horizon has not been forthright with information about the Data Breach.
“Defendant also had a fiduciary duty to have procedures in place to detect and prevent the improper access and misuse of Plaintiff’s and the Class’s PII,” according to the suit. “Defendant’s duty to use reasonable security measures arose as a result of the special relationship that existed between Defendant and Plaintiff and the Class. That special relationship arose because Plaintiff and the Class entrusted Defendant with their confidential PII, a necessary part of obtaining services from Defendant, and because Defendant was the only party in a position to know of its inadequate security measures and capable of taking steps to prevent the Data Breach.”