Heath et al. v. Insurance Technologies Corp. and Zywave Inc.

Insurance technology provider Zywave has agreed to offer an $11 million fund to settle a class-action lawsuit related to a data breach at a company it acquired in 2020.

A proposed class-action suit was filed against Insurance Technologies Corp. (ITC) following a data breach that occurred on February 27, 2021. ITC, which was acquired by Zywave in November 2020, began notifying customers and attorneys general of the breach on May 10, 2021.

The class-action lawsuit was filed in June 2021. It alleged that the ITC breach gave hackers access to names, Social Security numbers, driver’s license numbers, dates of birth, and log-in credentials of thousands of ITC customers, potential customers, and other individuals.

Carrollton, Texas-based ITC had more than 250 insurance companies and more than 9,000 agencies as clients when it was bought by Zywave. It claimed to be the largest provider of insurance agency websites in the United States and supported more than two million monthly auto and home quotes through its comparative rater TurboRater.

Court documents said hackers gained access to ITC’s AgencyMatrix application, a cloud-based agency management system. According to allegations outlined in the court documents, ITC said it contained the data breach on March 4, 2021.

“However, despite first learning of the data breach in February 2021 and concluding the investigation in March 2021, [ITC] did not take any measures to notify affected class members for over two months, on or about May 10, 2021,” the lawsuit alleged.

According to settlement-agreement documents filed late last month in U.S. District Court for the Northern District of Texas by one of the plaintiffs’ lead attorneys, Zywave will pay to notice potential class members, reimburse up to $5,000 per class member for out-of-pocket losses including compensation for lost time, and provide one year of free credit monitoring services.

Plaintiffs’ counsel intends to present fees of one third of the settlement fund – about $3.7 million – plus expenses not to exceed $30,000, to be paid out of the fund.


Mar. 4, 2022 – Zywave Inc., a software provider for insurance companies, has agreed to pay $11 million to settle a class action alleging the companies failed to protect the personal information of over four million customers during a February 2021 security breach.

Plaintiffs have moved for preliminary approval of the settlement, saying it fairly settles claims they brought over a February 2021 security breach.

In their motion for preliminary approval filed Monday in Texas federal court, the plaintiffs asked U.S. District Judge David C. Godbey to sign off on a deal that will see Zywave and its subsidiary Insurance Technologies Corp. cover thousands of dollars in reimbursement costs for over 4,000,000 class members, as well as paying hundreds of dollars in cash to a subclass of California residents.

In support of their motion, plaintiffs Jay Heath, Edward Shapiro, and Daisy Becerra Lopez, on behalf of the class members, urged the Northern District of Texas to approve the proposed deal, saying it fairly settles the claims and provides “significant relief in the form of monetary payments and identity theft protection.”

They also argue the settlement “terms are consistent with, and in fact exceed, agreement terms approved by courts in other, similar data breach cases.”

In an amended complaint filed in November 2021, Heath, Shapiro, and Becerra Lopez alleged they and other customers were not notified of the February data breach until on or about May 10, 2021, despite Insurance Technologies conducting an investigation of it that ended on March 4, 2021.

They said that for over two months the defendants did nothing to notify customers of what happened with their personal information, and further alleged the defendants should have expected data breaches because of how widespread they have become in the technology industry.

The lead plaintiffs said Insurance Technologies’ alleged failure to comply with industry data protection standards and Federal Trade Commission guidelines put at risk the personal information of their customers, including Social Security numbers, driver’s license information, and birth dates. It also opened the customers up to potential identity theft and fraud.

“Plaintiffs and members of the classes now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” the plaintiffs alleged.

In their memorandum, the plaintiffs asked Judge Godbey to certify a nationwide class that includes all 4,341,523 individuals whose personally identifiable information was potentially impacted by the data breach. The group also includes a subclass of individuals who were California residents at the time of the breach and whose information was potentially compromised.

They also asked the court to establish three separate tiers of relief: a “tier one” fund paying $100-$300 to approximately 318,091 California subclass members; a “tier two” fund providing reimbursement of up to $5,000 in out-of-pocket expenses per class member, which includes $25 per hour for up to eight hours of attested lost time; and a “tier three” fund providing every settlement class member 12 months of Aura’s Financial Shield product, which offers a $1 million protection policy to every subscriber and focuses on protecting financial assets.

Only those California subclass members whose Social Security number and/or driver’s license information were accessed or potentially accessed during the breach, as confirmed by Insurance Technologies’ business records, will be eligible to submit a tier-one claim.

To qualify for a tier-two reimbursement, class members will need to provide documentation supporting their claim, a brief description of the loss, and information needed to verify the claim, including their name and mailing address, which will also be checked against Insurance Technologies’ business records at the time of the breach.

Out-of-pocket losses will only be covered if the loss occurred on or after February 27, 2021, and the personal information used to commit the alleged identity theft or fraud was the same type of personal information provided to Insurance Technologies before the breach.

Those losses could include claims for up to eight hours of lost time spent addressing identity theft or fraud, including the misuse of personal information, credit monitoring or freezing credit reports, and other issues related to the breach.

The plaintiffs are represented by Gary E. Mason, David K. Lietz, and Gary M. Klinger of Mason Lietz & Klinger LLP.

The case is Heath et al. v. Insurance Technologies Corp. et al., Number 3:21-cv-01444-N, in the U.S. District Court for the Northern District of Texas.