Insurance Firm Downplayed Nature of MOVEit Data Breach, Says Class Action
An insurance company “downplayed” the nature of Progress Software Corp.’s (PSC) May 29-30 MOVEit software data breach “and the threat it posed to victims" whose personally identifiable information (PII) was “illicitly accessed and stolen,” said a September fraud class action (docket 1:23-cv-09868) removed Wednesday from New York County Supreme Court to the U.S. District Court for Southern New York in Manhattan.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Plaintiff Michael Bernstein, a New Jersey resident, received a July 28 notice letter from retirement and life insurance company Global Atlantic Financial Group, informing him Pension Benefits Information (PBI) discovered the data breach following PSC's disclosure. PBI notified Global Atlantic June 7 that “personal data for an uncertain number of policyholders had likely been taken by the cyber criminals.”
Global Atlantic’s letter said PBI informed it that a cybersecurity incident involving MOVEit file transfer software had “impacted our policyholder data,” the complaint said. The letter described PBI as a third-party vendor Global Atlantic uses to “satisfy applicable regulatory obligations to identify the deaths of insured persons, which can impact premium payment obligations and benefit eligibility.” PBI is “one of hundreds of companies across a variety of industries that have been impacted by the MOVEit incident,” the letter said. Bernstein’s name, Social Security number, date of birth and policy number were believed to have been compromised, the letter said.
Global Atlantic “failed to tell its consumers how many people were impacted, how the breach occurred,” or why it took nearly two months “to begin notifying victims that hackers had gained access” to their PII, the complaint said. The “failure to timely report” the data breach made Global Atlantic’s customers “more vulnerable to identity theft, as those customers received no warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their stolen PII,” it said.
By failing to protect Bernstein and class members’ PII, to adequately notify them of the breach and by obscuring the nature of the breach, Global Atlantic violated state and federal law “and harmed an unknown number of their customers,” the complaint said. Through its “negligence and inadequate cybersecurity measures,” Global Atlantic “failed to properly use up-to-date security practices to prevent or mitigate the impact” of the data breach. Victims’ PII is “permanently exposed and unsecured,” it said.
The defendant recognized the “imminent harm and injury” possible from the data breach as acknowledged in the notice letter, said the complaint. But it offered “merely two” years of complimentary credit monitoring and identity monitoring services to victims, “which does not adequately begin to address the lifelong harm that victims will face” following the breach, it said. The breach involves PII "that cannot be changed, such as Social Security numbers," the complaint said. Even with two years of credit monitoring services, the risk of unauthorized use of victims’ PII is “high” and fraudulent activity resulting from the breach “may not come to light for years,” it said.
Bernstein asserts claims of negligence and negligence per se, breach of contract, unjust enrichment, violation of the New York Deceptive Trade Practices Act and General Business Law, and the New Jersey Consumer Fraud and Customer Security Breach Disclosure acts. He seeks declaratory and injunctive relief; awards of compensatory, exemplary, punitive and statutory damages; restitution; attorneys’ fees and legal costs; and pre- and post-judgment interest. Global Atlantic declined to comment.