Insurance and benefits broker Arthur J. Gallagher is the target of a proposed class action lawsuit over a ransomware attack it suffered in 2020.
The plaintiffs allege that Gallagher failed to follow federal and state government and industry standards to protect their personal information from hackers and failed to adequately notify or help individuals whose information was stolen.
The plaintiffs claim that they, customers and other employees of Gallagher have suffered injuries, incurred costs and face the prospect of “present and imminent lifetime risk of identity theft.” The plaintiffs claim that criminals have already used the stolen personal data to attempt to steal certain identities.
The lead plaintiffs are two former employees of Gallagher: Jason Myers of California and John Parsons of Louisiana.
They seek unspecified damages and implementation by Gallagher of a host of compensatory and security measures.
Arthur J. Gallagher, a large Illinois-based insurance and benefits broker, declined to comment on the lawsuit. The suit also names Gallagher’ third party administrator, Gallagher Bassett Services.
The suit claims that hackers obtained personally identifiable information of thousands of Gallagher’s customers, potential customers, employees and other consumers, including Social Security numbers, tax identification numbers, driver’s licenses, passports, dates of birth, usernames and passwords, employee identification numbers, financial account information, credit card information, electronic signatures and medical records.
The alleged injuries include out- of-pocket expenses associated with the identity theft, tax fraud, or unauthorized use of their information and increased risk because their information remains available on the dark web for individuals to access and abuse.
Gallagher detected the ransomware attack on or about Sept. 26, 2020. It took its global systems offline and launched an investigation.
According to the complaint, Gallagher informed certain media outlets of the ransomware attack as early as Sept. 29, 2020 but did not take any measures to notify affected individuals until on or about June 30, 2021.
The plaintiffs contend that those who saw the September 2020 media reports on the subject but who did not receive any notice of a data breach “likely concluded that their data was not impacted” and therefore “would not have known of the need to take action to protect themselves. ”
According to the suit, Gallagher has offered 24 months of identity monitoring services, which the plaintiffs claim is “wholly inadequate.”
In addition to seeking compensatory, statutory, nominal and punitive damages, legal costs and credit monitoring, the suit asks the court to order Gallagher to have regular third-party tests of its network security, improve training of its security personnel, and purchase or provide funds for credit monitoring services for its customers.
The suit is Myers v. Arthur J. Gallagher. It was filed in the U.S. District Court for the Northern District of Illinois.
(This article was previously published on Wells Media sister site Insurance Journal. Reporter Andrew G. Simpson is the chief content editor of Wells Media.)