Geico and its parent company, Berkshire Hathaway Inc., could have prevented the data breach announced April 9 that compromised the Social Security numbers, addresses, credit card numbers and driver’s license numbers of millions of current and former customers through basic security measures, authentications and training, according to the complaint filed by Alexander Mirvis, Betty Butler and Lainie Froehlich.
Between Nov. 24 and March 1, thieves gained access to policyholders’ personal information through the online sales system on Geico’s website and used driver’s license numbers to fraudulently apply for unemployment benefits under the policyholders’ names, according to the suit.
Despite promising to safeguard customers’ personal identifiable information, Geico and Berkshire Hathaway didn’t take reasonable steps to protect that sensitive information, the policyholders said.
“Plaintiffs’ and class members’ [personal identifiable information] is now readily available on the internet for anyone and everyone to acquire, access and use for unauthorized purposes for the foreseeable future,” the suit states.
All three policyholder plaintiffs said their names have already been used to make false unemployment claims. They said Geico failed to protect their personal information, failed to prevent cybercriminals from gaining access to it and failed to provide security measures consistent with industry standards for the protection of such information.
The data breach was foreseeable, the policyholders said, given the number of much-publicized data breaches in recent years. Geico and Berkshire Hathaway collect and manage huge amounts of personal information and knew they would be the target of security threats, according to the suit.
The companies had a duty to their customers to properly secure confidential personal information, the suit states.
Mirvis, Butler and Froehlich want to represent a nationwide class of people whose personal information was compromised in the data breach initially disclosed by Geico on April 9, as well as a class for New York residents.
The suit claims negligence, breach of contract, misrepresentation, breach of fiduciary duty and violations of New York General Business Law. It seeks actual, compensatory, consequential and punitive damages, statutory penalties, restitution and attorney fees, as well as credit monitoring services.
Philip Hines of Held & Hines LLP, counsel for the policyholders, told Law360 on Wednesday that his clients personal information has already been used to fraudulently apply for unemployment benefits and obtain credit cards.
“In the coming days, weeks and months, this information will most certainly be used for other nefarious purposes and be readily available on the dark web, injuring them personally and financially for years to come,” Hines said. “Had Geico been as diligent protecting our clients’ personal information as they are in collecting our clients’ premiums, this would have never happened.”
Geico and Berkshire Hathaway could not be immediately reached for comment.
Mirvis, Butler and Froehlich are represented by Philip M. Hines of Held & Hines LLP.
Counsel information for Geico and Berkshire Hathaway was not immediately available.
The case is Alexander Mirvis et al. v. Berkshire Hathaway Inc. et al., case number 1:21-cv-02210, in the U.S. District Court for the Eastern District of New York.
–Editing by Nicole Bleier.