Settlement Struck in Consulting Actuarial Firm Data Hack

Litigation

A class action suit involving a data hack of participant data at a consulting firm has reached a $7.75 million cash settlement.

The suit arose from a November 2021 cyber security “incident” involving Horizon Actuarial Services LLC[i] and data on some 100,000 individuals who were signed up for benefit plans through their employers.

The suit was filed in April 2023 in the Northern District of Georgia by plaintiffs Justin Sherwood (the original plaintiff), Lindsey Quan, Tabatha Bedont f/k/a Tabatha Johnson, Greg Torrano, Jennifer Hill, Sia Moody, Anthony Ruiz, Alice Dodd, Frederick Lewis, Douglas Ackman, Ryan Evans, Amber Thomas, and Maria Chavez, who alleged in filing the suit that a series of failures put the security of their personally identifiable information (PII) at risk.

The Suit

According to the suit, the breach affected 25 multiemployer benefit plans[ii] and thousands of plan participants. The suit alleged that the data breach was a direct result of Horizon's failure to implement adequate security systems and safeguards, despite the fact that data breaches are increasingly common and "wreak havoc" on those affected by them. The suit not only criticized the lack of operational safeguards, but also alleged that Horizon failed to:

  • properly train and supervise its employees and vendors;
  • comply with industry-standard data security practices; and
  • comply with state and federal laws and regulations governing data security and practices.

According to the proposed settlement, “despite occurring in November 2021,[iii] Horizon waited to begin informing Class Members until roughly January 13, 2022. Plaintiff did not receive his Notice of Data Incident from Horizon until April 14, 2022 (it was dated April 8, 2022)—more than 5 months after the Data Breach occurred. During this time, Plaintiff and Class Members were unaware that their sensitive personal identifying information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm.”

"Defendant allowed thieves access to plaintiff's and class members' [personally identifiable information], thereby decreasing the security of plaintiff's and class members' financial and personal accounts, making plaintiff's and class members' identities less secure and reliable, and subjecting plaintiff's and class members to the imminent threat of identity theft," the complaint said. "Not only will plaintiff and the other members of the class have to incur time and money to re-secure their bank accounts and identities, but they will also have to protect against identity theft for years to come."

The Settlement

The Settlement (Sherwood v. Horizon Actuarial Services LLC, case number 1:22-cv-01495, in the U.S. District Court for the Northern District of Georgia) negotiated on behalf of the class provides for the creation of a $7,750,000 non-reversionary Settlement Fund, which would be used to pay for the following: (1) reimbursement for Out-of-Pocket Losses, Lost Time, and Cash Compensation; (2) Notice and Administrative Expenses; (3) Fee Award and Expenses as awarded by the Court; and (4) a cy pres payment to the benefit of all class members.

The proposed settlement also notes that amounts that are eligible to be reimbursed as Out-of-Pocket Losses include, without limitation:

  • losses relating to fraud or identity theft;
  • professional fees including attorneys’ fees, accountants’ fees, and fees for credit-repair services;
  • costs associated with freezing or unfreezing credit with any credit-reporting agency;
  • credit monitoring costs that were incurred on or after Defendant’s notice of the Data Security Incident to the Class Members through the date of claim submission; and
  • miscellaneous expenses such as notary, fax, postage, copying, mileage, and long-distance telephone charges, provided that the amount in question must represent an amount that was actually paid out of pocket to a third party and has not otherwise been reimbursed to the Settlement Class Member.

Other Stuff

According to the settlement, the defendant has agreed that Plaintiffs may request, subject to Court approval, up to $2,583,075, or 33.33% of the Settlement Fund, to proposed Class Counsel for attorneys’ fees and up to $50,000 in costs and expenses, though that request will formally come in a separate motion.

Now we’ll see if the court approves the proposal.

 

[i] According to the suit, “Horizon began offering its actuarial services for multiemployer and Taft-Hartley plans on February 1, 2008.” It boasts that it provides “superior actuarial and consulting services to multiemployer benefit plans—first as the Wyatt Company, then as Watson Wyatt, and now as Horizon Actuarial Services, LLC.”

[ii] Horizon positions itself as a specialist in multiemployer plan benefits.

[iii] “The investigation revealed that two Horizon Actuarial computer servers were accessed without authorization for a limited period on November 10 and 11, 2021. The group provided a list of information they claimed to have stolen. The types of information impacted may include names, dates of birth, Social Security numbers, and health plan information.”
