Progressive Casualty Insurance and North Carolina-based Builders Mutual Insurance Co. have been served with class-action lawsuits over data breaches on their own computer systems in 2022, cyber attacks that may have exposed the personal data of more than 411,000 people.
“Plaintiffs bring this class action against Builders Mutual for its failure to properly secure and safeguard Plaintiffs’ and other similarly situated individuals’ name, date of birth, Social Security Number, and workers compensation information … from hackers,” reads the amended complaint against Builders Mutual, filed last week in federal court in North Carolina.
In federal court in South Carolina, plaintiff Dodie Waden, a resident of Columbia, South Carolina, and others made similar allegations about Progressive, which had learned of a data breach in May 2023.
“Defendant knew or should have known that due the increasing number of well-publicized data breaches that have occurred in the United States, large data storage such as this require the highest level of protection, which Defendant failed to provide,” reads the complaint.
While insurers worldwide in recent years have faced insured losses from cyber attacks on their policyholders, as well as some thorny litigation about the extent of coverage, relatively few carriers have seen class actions over reported breaches in their own computers. Marsh & McLennan Companies were famously sued by an employee after a 2021 computer breach reportedly exposed personal information to cyber criminals. That case is still pending, but an appeals court ruling last fall opened the door for more U.S. lawsuits alleging harm from cyber attacks, even when plaintiffs provide no evidence that the data was improperly used.
Mapfre USA and its affiliate Commerce Insurance Co. also were hit with class actions last September over a data breach that may have exposed personal information on some 260,000 people.
Now, Progressive and Builders Mutual face their own litigation after the 2023 breaches. Builders Mutual, with headquarters in Raleigh and contractor coverage in several Southeastern states, reported the attack to regulators in September 2023, but that was well after after suspicious computer activity was discovered, the plaintiffs said.
“Builders Mutual waited nine months to notify the public, including Plaintiffs and Class Members, that they were at risk,” the lawsuit alleges.
The Builders Mutual plaintiffs, which include Matthew Kocher and Mark Rogolino, of Florida, and James Jackson, of Virginia, is asking for millions of dollars in damages. The suit contends that more than 100 other plaintiffs could join the lawsuit. Altogether, personal data on some 64,000 people may have been accessed by criminals in the cyber attack, the suit said.
Builders Mutual, which turns 40 this year, provides workers compensation, general liability, builders’ risk, auto, property and other coverage to commercial clients, including several home builders associations, according to its website. The firm employs some 365 people and had about $384 million in annual revenue, the lawsuit notes. Michael Gerber is president and CEO.
The mutual insurer failed to follow Federal Trade Commission and other guidelines on cybersecurity, including removal of personal data when it is no longer needed, and implementation of protections against unauthorized access, the complaint reads.
One plaintiff, Rogolino, has already suffered from identify theft, including fraudulent benefit claims submitted in his name, unauthorized cellphone charges, and thousands of dollars in unauthorized utility charges for services he never received, the suit alleges. Kocher argued that cybercriminals have charged his credit card for movie tickets and for purchases at retail stores.
Builders Mutual has yet to file an answer to the complaint or a motion to dismiss the suit. The company could not be reached for comment Sunday. It was not reported if Builders had secured its own cyber insurance ahead of the 2022 attack or if it is self-insured.
In the Progressive suit, filed last week, the plaintiffs contend that the insurer learned of the breach in May 2023 but did not notify the 347,000 insureds and other victims until August of that year. The complaint argues that Progressive was unjustly enriched by accepting premiums but failed to use its revenue to secure its data. Progressive has not yet answered the complaint.
Cyber attacks and related litigation will likely continue to be a serious threat to insurers’ bottom lines in the years ahead. A 2022 report from IntSights, a computer security firm, said that the insurance industry is a target for ransomware and other cyber attacks, partly because insurers possess a great deal of personally identifiable information about policyholders. Insured companies also may be targets of hackers due to the perception that those policyholders may be more likely to pay ransoms if they are covered by cyber insurance.
The market for cyber insurance took a hit during the pandemic, but made a comeback in 2023, after significant premium increases, according to news reports.