Cash Express, a Tennessee-based lender operating in four states, has set up an $850,000 settlement fund in response to a class action lawsuit stemming from a ransomware attack between January 29 and February 6, 2022. Filed on October 7, 2022, the lawsuit represents those potentially impacted by the breach, which exposed data such as names, birthdates, contact details, government IDs, Social Security numbers, and banking credentials. Cash Express was alerted to the breach on February 6 upon noticing unusual network activity and promptly enlisted external cybersecurity experts for a thorough investigation. The incident compromised the data of roughly 106,000 individuals.
Basis of the Case
According to the 26-page lawsuit, the plaintiff and class members allege that Cash Express violated Tennessee data privacy laws by failing to implement reasonable cybersecurity measures to safeguard the personal data of its borrowers. They claim that Cash Express failed to meet industry-wide minimum standards for cybersecurity as outlined by the NIST Cybersecurity and Federal Trade Commission’s (FTC) cybersecurity guidelines for business. Their complaint argues that Cash Express should have anticipated the breach, given prior warnings from agencies like the FBI and U.S. Secret Service about similar threats to companies in its sector.
Case Settlement Details
Cash Express agreed to a settlement that creates a fund of $850,000. Eligible claimants under the settlement agreement will receive one or more of the following settlement benefits:
- Refunds for verifiable out-of-pocket expenses related to the breach, up to $5,000.
- A maximum compensation of $125 for time spent addressing the data breach concerns, such as monitoring accounts, signing up for credit protection services, or addressing potential identity theft or misuse of personal data linked to the incident.
- A base cash payment of $150 from the settlement fund. This amount may vary depending on the leftover funds after disbursing the above reimbursements and covering legal expenses.
Call to Action
Cybersecurity can be described as a game of “cat and mouse” or “whack a mole” because businesses often turn to security tools to protect their assets. While implementing best-of-breed security tools is certainly part of the equation, an ad hoc approach to purchasing the latest “must have” security tool will not get you the results you need. The foundation of robust cybersecurity is a strategic approach, rooted in a thorough cybersecurity risk assessment. This means understanding the vulnerabilities of your key assets and evaluating the potential business impact of breaches. Only then can you create a holistic approach that will ensure you are protected from your most viable threats. Cybersecurity risk assessments are so effective, in fact, that a growing number of laws, regulations, and standards such as HIPAA and PCI DSS require them. By identifying risks first, you can subsequently craft a strategic plan, ensuring you deploy the right defenses in the right places. HALOCK Security Labs utilizes the Duty of Care Risk Analysis Standard (DoCRA) for its cybersecurity risk assessments, assisting organizations in achieving optimal security without incurring unnecessary burdens. Having assessed a diverse range of environments for organizations in different industries, HALOCK Security Labs possesses the expertise to identify vulnerabilities and subsequently craft strategies to mitigate those risks effectively.