Insurance broker Gallagher sued over ransomware attack
Insurance and benefits broker Arthur J. Gallagher is the target of a proposed class action lawsuit for a ransomware attack he suffered in 2020.
The complainants allege that Gallagher failed to follow federal and state and industry standards to protect their personal information from hackers and failed to notify or adequately assist those whose information was stolen.
Complainants say they, customers and other Gallagher employees have suffered injuries, incurred costs and face the prospect of a “present and imminent lifelong risk of identity theft” . The plaintiffs claim that criminals have already used the stolen personal data to try to steal certain identities.
The principal applicants are two former Gallagher employees: Jason Myers of California and John Parsons of Louisiana.
They ask for unspecified damages and the implementation by Gallagher of a multitude of compensatory and safety measures.
Arthur J. Gallagher, a leading Illinois-based insurance and benefits broker, declined to comment on the lawsuit. The lawsuit also names Gallagher’s third-party administrator, Gallagher Bassett Services.
The lawsuit claims the hackers obtained personally identifiable information from thousands of Gallagher customers, prospects, employees and other consumers, including social security numbers, tax ID numbers, driver’s licenses, passports , dates of birth, usernames and passwords, employee identification numbers, account information, credit card information, electronic signatures and medical records.
Alleged injuries include personal expenses associated with identity theft, tax evasion or unauthorized use of their information and increased risk as their information remains available on the dark web for individuals to access and secure. abuse.
Gallagher detected the ransomware attack on or around September 26, 2020. It took its global systems offline and launched an investigation.
According to the complaint, Gallagher informed some media of the ransomware attack as early as September 29, 2020, but took no action to notify those affected until or around June 30, 2021.
Complainants argue that those who saw the September 2020 media reports on the matter but did not receive any notice of a data breach “likely concluded that their data had not been affected” and therefore “did not” would not have known that it was necessary to take action to protect themselves. “
According to the lawsuit, Gallagher offered 24 months of identity check services, which the plaintiffs claim to be “totally inadequate.”
In addition to seeking compensatory, statutory, nominal and punitive damages, legal fees and credit monitoring, the lawsuit is asking the court to order Gallagher to have its network security tested regularly by third parties, improve the training of its security personnel and purchase or provide funds for credit monitoring services for its clients.
The lawsuit is Myers versus Arthur J. Gallagher. It was filed with the United States District Court for the Northern District of Illinois.
Want to stay up to date?
Receive the latest insurance news
sent directly to your inbox.