In a recent column, I described the recent data breach at Allianz Life, which potentially affects 1.4 million people. The data exposed in this breach included names, addresses, birth dates, Social Security numbers and more, all of which can readily be used by criminals for costly identity theft. Consistent with many recent data breaches, this one was accomplished through social engineering tactics used by cybercriminals to gain access to information through a customer relationship management (CRM) system used by Allianz. Many, if not most, companies use and rely on cloud services, vendors and other external partners to manage their data and operations, leaving customers’ data vulnerable when their employees are manipulated through social engineering.
In response to this data breach, two class action lawsuits were filed in the Federal District Court for Minnesota on July 31st and August 1st. Specifically, the class actions allege that Allianz failed to notify victims of the data breach in a timely fashion, thereby exposing them to increased risk of identity theft in the days before the company publicly acknowledged the data breach. It was ten days from the discovery of the data breach by Allianz until Allianz disclosed the breach to regulators. Additionally, the plaintiffs accuse Allianz of violating its own privacy policies, accepted industry standards such as the NIST Cybersecurity Framework, and federal law. The FTC Act and the Gramm-Leach-Bliley Act both provide penalties for failure to secure consumer data. The NIST Cybersecurity Framework consists of voluntary guidelines developed by the National Institute of Standards and Technology to help companies and agencies manage cybersecurity risk. The class actions also accuse Allianz of not sufficiently monitoring its systems to prevent data breaches and of failing to have a strong data security plan.
In addition to financial penalties, the class actions are asking the court to order Allianz to improve its cybersecurity practices through data encryption and annual independent audits of its cybersecurity protocols.
The federal government has taken some action against companies for violating federal regulations related to protecting the personal data of consumers from data breaches. Examples include the FCC’s civil action against T-Mobile, which resulted in a $31.5 million settlement in 2024 that required T-Mobile to make significant cybersecurity improvements, including increased use of multi-factor authentication, and the FTC’s 2024 civil action settlement against Marriott, which also required the implementation of heightened cybersecurity protocols. More action, however, has come in response to increased class actions by consumers. In 2024 there were 1,488 data breach class actions, almost triple the number from just two years earlier.
The list of companies that have settled consumer class actions against them for negligence related to data breaches includes Morgan Stanley, MGM Resorts, and T-Mobile.
More significant enforcement of federal laws regarding protection of consumer data would be a positive step, but an unlikely one under the present administration. It may be that continued class actions will remain necessary to make companies pay for their failures to take the necessary steps to protect the personal information they hold, both to punish companies that do not act responsibly and, hopefully, to serve as an incentive for companies to increase their cybersecurity.
This article was published by Steve Weisman on 2025-09-06 16:26:00