Southwestern Family of Companies Confirms Recent Data Breach

Richard Console, Jr.
Console and Associates, P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

On August 1, 2022, the Southwestern Family of Companies (“Southwestern”) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on Southwestern’s network. News of the Southwestern breach is still fresh, and the company has not yet publicly released the data types compromised as a result of the attack. Thus, information about the breach is limited. However, recently, Southwestern sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Southwestern data breach, please see our recent piece on the topic here.

The Details of the Southwestern Data Breach

According to an official notice filed by the company, on November 17, 2021, Southwestern detected suspicious activity across its IT systems. In response, with the assistance of cybersecurity professionals, Southwestern launched an investigation to determine the nature and scope of the incident, as well as whether it resulted in any consumer data being exposed.

On March 1, 2022, the company’s investigation revealed that an unauthorized person gained access to a limited number of files on the Southwestern network.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Southwestern then reviewed the affected files to determine what information was compromised and which consumers were impacted. Southwestern completed this review on June 21, 2022. The company’s official filing does not mention the specific data types that were compromised. However, state data breach reporting laws require companies to report a breach anytime a consumer’s name and one or more of the following data types are leaked: Social Security numbers, driver’s license numbers, bank or credit card account numbers, or medical records. Thus, it is likely that the Southwestern breach involved one or more of these data types.

On August 1, 2022, Southwestern sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Founded in 1855, the Southwestern Family of Companies is a holding company based in Nashville, Tennessee. Southwestern Family of Companies owns and operates several smaller businesses, including the following:

  • Southwestern Legacy Insurance Group

  • Great American Opportunities

  • Southwestern Consulting

  • Southwestern Publishing Group

  • Southwestern Investment Group

  • Global Educational Concepts

  • Family Heritage Life Insurance Company of America

  • Thinking Ahead

  • Southwestern Travel Group

Southwestern employs more than 150 people and generates approximately $40 million in annual revenue.

When Are Companies Legally Responsible for a Data Breach?

The data breach and consumer protection laws of the United States require companies to protect the consumer information in their possession. Thus, in some cases, companies that experience an otherwise preventable data breach may be on the hook for consumers’ losses related to the breach. Of course, just because a business gets hacked and the information in its possession ends up in the hands of a cybercriminal doesn’t mean that the company will be financially liable for a victim’s losses. Ultimately, these cases come down to whether a company was negligent leading up to the breach.

The basic framework of a negligence analysis requires a victim to prove the following:

  • The company owed the consumer a duty of care;

  • The company violated the duty of care owed to the consumer;

  • The company’s negligent actions caused or contributed to the data breach; and

  • The consumer suffered legally recognizable harms as a result of the breach.

When it comes to storing consumer data, there are several ways that a company might be negligent. However, most data breaches involving a company’s negligence are caused either by a company failing to employ an adequate data security system or failing to train employees on how to safely care for consumer data. For example, given the risks of email phishing, companies should train employees to recognize fraudulent emails that appear to be legitimate. Similarly, organizations should continually assess their data security systems to ensure they are up-to-date and protect against the most recent trends in cyberattacks.

Companies that fail to take their data security obligations seriously increase the chances of a data breach. Data breach victims who want to learn more about their rights and whether they may be able to bring a data breach class action lawsuit should reach out to a data breach attorney for assistance.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.
Console and Associates, P.C.
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide