It seems that not a week goes by without a report in the Hartford Courant or the Wall Street journal appears detailing the occurrence of a data breach involving financial, insurance and consumer companies.
, GAO, July 5, 2007,
(last visited Aug. 10, 2023).
Social security numbers are particularly dangerous should they be leaked or stolen;
“Facts + Statistics: Identity Theft and Cybercrime,” Insurance Info. Inst., https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime (discussing Javelin Strategy & Research's report “2018 Identity Fraud: Fraud Enters a NewEra of Complexity”)(last visited Aug. 10, 2023).
See, e.g., Christine DiGangi, 5 Ways an Identity Thief Can Use Your Social Security Number, Nov. 15, 2017, https://www.usatoday.com/story/money/personalfinance/2017/11/15/5-ways-identity-thief-can-use-your-social-security-number/860643001/ (last visited Aug. 10, 2023).
As a result of such data breaches, affected consumers personal information and are often compromised, and they continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.
While many details of the Data Breach remain in the exclusive control of the involved companies for a time, often until litigation is commenced and discovery allows for the exercise of subpoena power, the underlying cause is often tied to a breach of duties and obligations , in one or more of the following ways:
(1) failing to design, implement, monitor, and maintain reasonable network safeguards against foreseeable threats;
(2) failing to design, implement, and maintain reasonable data retention policies;
(3) failing to adequately train staff on data security;
(4) failing to comply with industry-standard data security practices;
(5) failing to warn Plaintiff and Class Members of Defendant's inadequate data security practices;
(6) failing to encrypt or adequately encrypt the PII;
(7) failing to recognize or detect that its network had been compromised and accessed in a timely manner to mitigate the harm;
(8) failing to utilize widely available software able to detect and prevent this type of attack, and
(9) otherwise failing to secure the hardware using reasonable and effective data security procedures free of foreseeable vulnerabilities and data security incidents.
As a result of such unreasonable and inadequate data security practices that resulted in the Data Breach, those affected are at a current and ongoing risk of identity theft and may suffer numerous actual and concrete injuries and damages, including:
(a) invasion of privacy;
(b) financial “out of pocket” costs incurred mitigating the materialized risk and imminent threat of identity theft;
(c) loss of time and loss of productivity incurred mitigating the materialized risk and imminent threat of identity theft risk;
(d) financial “out of pocket” costs incurred due to actual identity theft;
(e) loss of time incurred due to actual identity theft;
(f) loss of time due to increased spam and targeted marketing emails;
(g) anxiety, annoyance and nuisance, and
(h) the continued risk to their Personal information, which remains in the possession of the entity suffering the data breach as they are subject to further breaches so long as the entity holding their information fails to undertake appropriate and adequate measures to protect them.
For these reasons, and the inefficiency of just one such affected individual taking on litigation against entities whose data breach results in the above types of harm, a type of litigation device known as class actions are particularly suitable for seeking compensation and effectively marshaling the resources and claims of many to force such an outcome. Often, this starts with one alert and affected person who becomes the lead Plaintiff for the class.
Typically Plaintiff's and Class Members seek a remedy to these harms on behalf of themselves and all similarly situated individuals whose personal information was accessed during the Data Breach. The remedies include, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, future costs of identity theft monitoring, and injunctive relief including improvements to Defendant's data security systems, and future annual audits.
The involved legal theories or causes of action against Defendant seeking redress have claims (i) negligence, (ii) breach of implied contract, (iii) unjust enrichment, (iv) breach of fiduciary duty, (v) invasion of privacy.
The author of this post recently filed a class action, as local counsel , in the Federal District Court of Connecticut for a well known insurance company based in Hartford, CT. If you believe that you have been subject to an exposure of personal information from an entity that may have sensitive information that was exposed, it is essential to contact counsel and take other immediate steps to protect yourself from actual harm( see below basic response guidelines)
“Guide for Assisting Identity Theft Victims,” Federal Trade Commission, 4 (Sept. 2013), https://www.global-screeningsolutions.com/Guide-for-Assisting-ID-Theft-Victims.pdf (last visited Aug. 11, 2023).