Arthur J. Gallagher & Co. and Gallagher Bassett Services, Inc. face a proposed class action over a data breach that reportedly occurred between June and September 2020 and compromised the personal information of thousands of customers, potential customers, employees and others.
Per the lawsuit, Gallagher, one of the largest U.S. insurance brokerage, risk management and HR and benefits consulting firms, began notifying consumers and state attorneys general in June 2021 of a data breach that apparently exposed customers’ and employees’ personally identifiable information (PII) to unauthorized parties. Among the information exposed in the breach, according to the case, were consumers’ Social Security numbers; tax ID numbers; driver’s license, passport and other government ID numbers; dates of birth; usernames and passwords; employee ID numbers; financial account information; credit card information; electronic signatures; treatment, claim, diagnosis, medication or other medical information; health insurance details; medical record or account numbers; and biometric information.
The case alleges the defendants’ negligence and failure to implement reasonable security measures have exposed customers and employees to a lifetime risk of identity theft and fraud, especially given that their Social Security numbers and electronic signatures were apparently exposed.
The lawsuit further decries Gallagher’s response to the breach, arguing that the company’s year-long delay in notifying those affected has deprived the individuals of the information they needed to mitigate the effects of the incident.
“As a result of this delayed response, Plaintiffs and class members had no idea their PII had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the complaint states. “The risk will remain for their respective lifetimes.”
Per the suit, Gallagher detected in September 2020 what appeared to be a ransomware attack on its network, after which the company opened an investigation with the assistance of a third party. Though the defendants notified certain media outlets of the incident “as early as September 29, 2020,” Gallagher did not conclude until May 24, 2021 that certain information had been stolen from its network by an unauthorized third party, the lawsuit relays.
The case claims Gallagher reported the data breach to state attorneys general a full year after the incident took place and took no measures to notify those affected until June 30, 2021. Moreover, the lawsuit claims Gallagher has withheld certain information about the root cause of the breach, which vulnerabilities were exploited and the measures that were taken to prevent future data security incidents.
Per the case, the defendants were fully aware of the risks of a data breach and their obligations under contract, common law, industry standards and their own representations to protect the personal information provided to them in the course of doing business. Nevertheless, Gallagher failed to comply with Federal Trade Commission guidelines and industry standards regarding data security, the filing argues.
The lawsuit claims those affected by the breach have been offered no compensation for the unauthorized disclosure of their information and instead may or may not have been provided “wholly inadequate” credit monitoring services that offer protection for only 24 months. Aside from financial harm, those whose information was accessed in the breach have suffered “anxiety, emotional distress, and loss of privacy, and are at an increased risk of future harm,” the case alleges.
The lawsuit looks to cover anyone in the U.S. whose personally identifiable information was compromised in the data breach announced by the defendants on or around June 30, 2021, with two state-specific subclasses for California and Louisiana residents who fit the same criteria.