Texas Plaintiff Sues Insurance Firm, PSC, PBI Over MOVEit Data Breach
Insurance company Talcott Resolution “negligently assessed and managed the cybersecurity risk posed by its third party service providers” Pension Benefits Information (PBI) and Progress Software Corp. (PSC), alleged a class action Tuesday (docket 1:23-cv-11864) in U.S. District Court for Massachusetts…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
in Boston. Talcott provided the personally identifiable information (PII) of plaintiff Edward Casey, a Texas resident, to PBI and to PSC, which reported on May 31 a vulnerability in its MOVEit Transfer and MOVEit Cloud software that could lead to “escalated privileges and potential unauthorized access to the environment,” said the complaint. PSC launched an investigation, notified MOVEit customers of the issue and provided mitigation steps; it applied additional patches June 9 and June 16 to address other vulnerabilities that were discovered, the complaint said. Russian cyber gang Clop took responsibility for the attack, which began May 27, and began attempts to ransom and exploit data accessed from MOVEit, the complaint said. PBI was one of the companies whose data was “accessed and stolen” by Clop, which included PII of millions of individuals, including Casey and class members, it said. Defendants Talcott, PBI and PSC had “obligations created by contract, industry standards, common law, and representations” made to Casey and class members to keep their PII confidential and to protect them from unauthorized access and disclosure, it said. Due to the data breach, Casey will continue to spend time trying to mitigate the consequences of the breach, including time spent verifying the legitimacy of communications about the breach and self-monitoring his accounts and credit reports to ensure no fraudulent activity has occurred, said the complaint. The plaintiff suffered “imminent and impending injury arising from the present and ongoing risk of fraud, identity theft, and misuse” resulting from his PII “being placed in the hands of cybercriminals.” The defendants should have known the importance of safeguarding Casey’s and class members’ PII, it said. The action claims negligence, negligence per se, breach of third-party beneficiary contract and unjust enrichment, and seeks declaratory and injunctive relief. Casey requests an order requiring defendants to encrypt all data collected through the course of its business; destroy his and class members’ PII; maintain a comprehensive information security program; and “meaningfully educate” class members about threats they face as a result of the breach. He seeks an award of actual, consequential and nominal damages, plus attorneys’ fees and legal costs.