Two proposed class actions have been filed in federal court in Massachusetts against Mapfre U.S.A. Corp. and its affiliate Commerce Insurance Co. over a recent data breach that one of the lawsuits contends may have exposed customer data for more than 260,000 individuals.
The suits blame the property/casualty insurer’s online quoting platform for allegedly automatically populating an individual’s driver’s license number and other information for anyone entering a bare minimum of publicly available information about that individual.
The complaints contend that not only actual and potential customers but even members of the public who were not Mapfre customers may have had sensitive information compromised.
The complaints allege that the insurer failed to exercise reasonable care in securing and safeguarding highly sensitive consumer data, violated federal driver privacy protection law and cyber security requirements, and breached their contract and fiduciary duty. They also argue that the insurer waited too long to notify customers.
Mapfre has acknowledged it suffered a data breach between July 1 and July 2, 2023. The insurer said that as soon as it became aware of the issue, it took down its Massachusetts online quoting platform and began an investigation to determine what happened. It also reported the incident to law enforcement and offered customers free identity theft protection
In a letter dated August 22, the insurer informed customers of its online platform that an “unknown party” used information about them – which was already in the unknown party’s possession – to obtain access to additional information about them through its Massachusetts online quoting platform.
The insurer said the unknown party obtained access to driver’s license numbers and may also have obtained information regarding vehicles the customers own, including make, model, year, and vehicle identification number.
The first complaint, filed September 6 by Richard Ma of Middlesex County, a current policyholder, and Fred Devereaux of Essex County, a former policyholder, alleges that the company failed to safeguard consumer data of more than 260,000 individuals.
Devereaux claims the insurer exposed data on him that it kept in its system even though he had not been a policyholder for five years. Devereaux says he did not know that Mapfre continued to retain his private information.
Brian Conway of South Hadley, Massachusetts is the plaintiff in the second and similar complaint that was filed September 8. Conway claims he experienced an approximately $400 fraudulent charge on his credit card after the data disclosure, a fraud he maintains is connected to the data derived from Mapfre’s data breach disclosure.
The suits seek certification as class actions and an order requiring the insurer to improve its data security, as well as damages.
Was this article valuable?
Here are more articles you may enjoy.