MLK Settles Insurance Technologies Data Breach for $11 Million

Mar. 4, 2022 – Zywave Inc., a software provider for insurance companies, has agreed to pay $11 million to settle a class action alleging the companies failed to protect the personal information of over four million customers during a February 2021 security breach.

Plaintiffs have moved for preliminary approval of the settlement,  saying it fairly settles claims they brought over a February 2021 security breach. 

In their motion for preliminary approval filed Monday in Texas federal court, the plaintiffs asked U.S. District Judge David C. Godbey to sign off on a deal that will see Zywave and its subsidiary Insurance Technologies Corp. cover thousands of dollars in reimbursement costs for over 4,000,000 class members, as well as paying hundreds of dollars in cash to a subclass of California residents.

In support of their motion, plaintiffs Jay Heath, Edward Shapiro, and Daisy Becerra Lopez, on behalf of the class members, urged the Northern District of Texas to approve the proposed deal, saying it fairly settles the claims and provides “significant relief in the form of monetary payments and identity theft protection.”

They also argue the settlement “terms are consistent with, and in fact exceed, agreement terms approved by courts in other, similar data breach cases.”

In an amended complaint filed in November 2021, Heath, Shapiro, and Becerra Lopez alleged they and other customers were not notified of the February data breach until on or about May 10, 2021, despite Insurance Technologies conducting an investigation of it that ended on March 4, 2021.

For over two months, they said the defendants did nothing to notify customers of what happened with their personal information and further alleged the defendants should have expected data breaches because of how widespread they have become in the technology industry.

The lead plaintiffs said Insurance Technologies’ alleged failure to comply with industry data protection standards and Federal Trade Commission guidelines put at risk the personal information of their customers, including Social Security numbers, driver’s license information, and birth dates. It also opened the customers up to potential identity theft and fraud.

“Plaintiffs and members of the classes now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” the plaintiffs alleged.

In their memorandum, the plaintiffs asked Judge Godbey to certify a nationwide class that includes all 4,341,523 individuals whose personally identifiable information was potentially impacted by the data breach. The group also includes a subclass of individuals who were California residents at the time of the breach and whose information was potentially compromised.

They also asked the court to establish three separate tiers of relief: a “tier one” fund paying $100-$300 to approximately 318,091 California subclass members; a “tier two” fund providing reimbursement of up to $5,000 in out-of-pocket expenses per class member, which includes $25 per hour for up to eight hours of attested lost time; and a “tier three” fund providing every settlement class member 12 months of Aura’s Financial Shield product, which offers a $1 million protection policy to every subscriber and focuses on protecting financial assets.

Only those California subclass members whose Social Security number and/or driver’s license information were accessed or potentially accessed during the breach, as confirmed by Insurance Technology’s business records, will be eligible to submit a tier-one claim.

In order to qualify for a tier two reimbursement, class members will need to provide documentation supporting their claim, a brief description of the loss, and information needed to verify the claim, including their name and mailing address, which will also be checked against Insurance Technology’s business records at the time of the breach.

Out-of-pocket losses will only be covered if the timing of the loss occurred on or after February 27, 2021, and the personal information used to commit the alleged identity theft or fraud was the same type of personal information provided to Insurance Technology before the breach.

Those losses could include claims for up to eight hours of lost time spent addressing identity theft or fraud, including the misuse of personal information, credit monitoring or freezing credit reports, and other issues related to the breach.

The plaintiffs are represented by Gary E. Mason, David K. Lietz, and Gary M. Klinger of Mason Lietz & Klinger LLP.

The case is Heath et al. v. Insurance Technologies Corp. et al., Number 3:21-cv-01444-N, in the U.S. District Court for the Northern District of Texas.