Overby-Seawell Company and KeyBank agreed to pay $6 million to settle claims related to a 2022 data breach that compromised the personal information of their customers.

Class members can receive up to $6,000 for documented losses, including fraud and identity theft damages, fees, and credit costs. Additionally, they can get up to five hours of lost time compensated at $25 per hour.

California residents will receive an extra $100 payment. All class members are eligible for three years of free identity theft protection and credit monitoring services. https://topclassactions.com/lawsuit-settlements/closed-settlements/6m-banking-data-breach-class-action-settlement/ (Oct. 10, 2024).

Commentary

According to the above cited source:

According to the data breach class action lawsuit, a 2022 breach of Overby-Seawell's computer systems allowed hackers to gain access to information for current and former Overby-Seawell, KeyBank, and Fulton Bank customers. Plaintiffs in the case claim this theft of information injured them and argue Overby-Seawell should have prevented the breach by implementing reasonable cybersecurity measures.

Overby-Seawell is a contractor providing services to KeyBank and Fulton Bank. However, KeyBank is contributing to the $6 million settlement. That may be because it was also negligent in some manner, but the original breach was as to Overby-Seawell's computer system…not KeyBank. 

The takeaway is that financial organizations can be responsible for the actions and inactions of its contractors regarding cybersecurity, especially as to breaches that affect customers. Consequently, contracts should specify security requirements as well as the responsibilities of contractors for data security, prior to the signing of any contract.