Southwestern Family of Companies Confirms Recent Data Breach |  Console and Associates, PC

Southwestern Family of Companies Confirms Recent Data Breach | Console and Associates, PC

On August 1, 2022, the Southwestern family of companies (“Southwestern”) confirmed that the company suffered a data breach after an unauthorized party gained access to sensitive user data contained within Southwestern’s network. News of the Southwestern breach is still fresh, and the company has yet to publicly release the types of data compromised as a result of the attack. Thus, information about the violation is limited. However, Southwestern recently sent data breach letters to all affected parties informing them of the incident and what they can do to protect themselves from identity theft and other fraud.

If you’ve been notified of a data breach, it’s important to understand what’s at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are after the Southwestern data breach, please see our recent feature on the topic here.

The details of the Southwestern data breach

According to an official notice filed by the company, on November 17, 2021, Southwestern detected suspicious activity in its IT systems. In response, with the help of cybersecurity professionals, Southwestern has launched an investigation to determine the nature and scope of the incident and whether it resulted in the disclosure of user data.

On March 1, 2022, the company’s investigation revealed that an unauthorized person had accessed a limited number of files on Southwestern’s network.

After discovering that sensitive user data had been accessed by an unauthorized party, Southwestern then reviewed the affected files to determine what information was compromised and which users were affected. Southwestern completed this review on June 21, 2022. The company’s official filing did not mention the specific types of data that were compromised. However, state data breach reporting laws require companies to report a breach any time a user’s name and one or more of the following types of data are leaked: social security numbers, driver’s license numbers, bank account numbers, or credit card or medical records. Therefore, it is likely that the Southwestern breach involved one or more of these data types.

On August 1, 2022, Southwestern sent data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Founded in 1855, the Southwestern Family of Companies is a holding company headquartered in Nashville, Tennessee. Southwestern Family of Companies owns and operates several smaller businesses, including the following:

  • Southwestern Legacy Insurance Group

  • Great American opportunities

  • Southwest Consulting

  • Southwest Publishing Group

  • Southwest Investment Group

  • Global educational concepts

  • Family Heritage Life Insurance Company of America

  • Forward thinking

  • Southwestern Travel Group

Southwestern employs more than 150 people and generates approximately $40 million in annual revenue.

When are companies legally liable for a data breach?

United States data breach and consumer protection laws require companies to protect user information in their possession. Thus, in some cases, companies that suffer an otherwise preventable data breach may be on the hook for consumer losses related to the breach. Of course, just because a business is hacked and the information it holds ends up in the hands of a cybercriminal doesn’t mean the company will be held financially responsible for the victim’s losses. Ultimately, these cases come down to whether a company was negligent leading to the violation.

The basic framework of the negligence analysis requires the victim to prove the following:

  • The company owed the consumer a duty of care;

  • The company has breached its duty of care to the consumer;

  • Negligent actions of the company caused or contributed to the data security breach; and

  • The user has suffered legally recognized damages as a result of the violation.

When it comes to storing user data, there are several ways a company can be negligent. However, most data breaches involving company negligence are caused by either the company not using an adequate data security system or failing to train employees on how to safely handle user data. For example, given the risks of email phishing, companies should train their employees to recognize fraudulent emails that look legitimate. Similarly, organizations must continually assess their data security systems to ensure they are up-to-date and protect against the latest trends in cyberattacks.

Companies that do not take their data security obligations seriously increase the chances of a data breach. Data breach victims who want to learn more about their rights and whether they can file a data breach class action lawsuit should contact a data breach attorney for assistance.

Leave a Comment

Your email address will not be published.