On August 1, 2022, the Southwestern Family of Companies (“Southwestern”) confirmed that the company was affected by a data breach after an unauthorized party gained access to sensitive consumer data contained on Southwestern’s network. News of the Southwest’s breach is fresh, and the company has yet to release the types of data that were compromised as a result of the attack. Therefore, information about the injury is limited. However, Southwestern recently sent out letters to all affected parties informing them of the incident and what they can do to protect themselves from identity theft and other scams.
If you’ve received a data breach notification, it’s important that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from being a victim of fraud or identity theft, and what your legal options are in the wake of the South West data breach, please read our recent article on the subject here.
The details of the Southwestern data breach
According to an official company statement, on November 17, 2021, Southwestern detected suspicious activity in its IT systems. In response, Southwestern, with the assistance of cybersecurity experts, launched an investigation to determine the nature and scope of the incident and whether it exposed consumer information.
On March 1, 2022, the Company’s investigation revealed that an unauthorized individual had gained access to a limited number of files on the Southwestern network.
When Southwestern determined that sensitive consumer data was being compromised by unauthorized persons, Southwestern reviewed the affected files to determine which information was compromised and which consumers were affected. Southwestern completed this review on June 21, 2022. The company’s official filing does not mention the specific types of data that were compromised. However, state data breach reporting laws require companies to report a data breach whenever a consumer’s name and one or more of the following types of data are leaked: social security numbers, driver’s license numbers, bank or credit card account numbers, or medical records. Therefore, it is likely that the Southwest breach affected one or more of these data types.
On August 1, 2022, Southwestern sent out privacy breach letters to anyone whose information was compromised as a result of the recent data security incident.
Founded in 1855, the Southwestern Family of Companies is a holding company based in Nashville, Tennessee. The Southwestern Family of Companies owns and operates several smaller companies, including the following:
Southwestern Legacy Insurance Group
Great American opportunities
Southwest Publishing Group
Southwest Investment Group
Global Education Concepts
Family Heritage Life Insurance Company of America
Southwest Tour Group
Southwestern employs more than 150 people and has annual sales of approximately $40 million.
When are companies legally responsible for a data breach?
United States privacy and consumer protection laws require businesses to protect the consumer information they hold. Therefore, in some cases, businesses that experience an otherwise avoidable data breach may be liable for the losses to consumers related to the data breach. Of course, just because a company is hacked and the information in its possession ends up in the hands of a cybercriminal doesn’t mean that the company is held financially responsible for a victim’s losses. Ultimately, what matters in these cases is whether a company acted negligently prior to the violation.
The basic framework of a negligence analysis requires that a victim prove:
The company owed the consumer a duty of care;
The company violated the duty of care towards the consumer;
Company’s negligent actions caused or contributed to the data breach; and
The consumer has suffered legally recognizable damage as a result of the violation.
When it comes to storing consumer data, a business can be negligent in a number of ways. However, most data breaches that result from a company’s negligence are caused either by a company’s failure to employ an adequate data security system or by a failure to train its employees on how to keep consumer data secure. For example, given the risks of email phishing, organizations should train their employees to recognize fraudulent emails that appear legitimate. Likewise, organizations should continuously review their data security systems to ensure they are up to date and protect against the latest trends in cyber attacks.
Businesses that don’t take their data security obligations seriously increase the likelihood of a data breach. Victims of data breaches who want to learn more about their rights and whether they may be able to file a class action lawsuit for data breaches should contact a data breach attorney for assistance.