Andrea DeField and Matthew J. Revis of Hunton Andrews Kurth write:
While America was tuned into the big game, one California insurance broker faced its own treacherous showdown in the form of a putative class action filed on February 8, 2024 stemming from a data breach. With cyber incidents still on the rise, this is a story we know all too well: an unauthorized third party gains access to personally identifiable information, the company eventually detects the threat actor and leadership must decide how to respond. Once notifications to the public go out, the individuals impacted often file suit to recover for their alleged harm.
According to the complaint in Ruma v. Keenan & Associates, the third party accessed the protected information in August of 2023 and the broker learned of the breach soon thereafter. The compromised repository contained information such as full names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, health insurance information and general health information. Five months later, individuals received notification of the breach in a notice that they allege was neither prompt nor accurate. A putative class filed suit and asserted seven causes of actions: negligence in data protection, negligence per se related to violation of HIPAA and FTC rules, unjust enrichment and breaches of confidence, contract, the covenant of good faith and fair dealing and fiduciary duty.
Read more at The National Law Review, but you won’t find more information on the lawsuit. The article is really about the need for a good cyberinsurance policy.