On November 26, the U.S. District Court for the Northern District of Georgia received notice of a class-wide settlement reached between plaintiffs, an individual and a class of similarly situated harmed individuals, and the defendant, a deposit risk management firm, in a data breach case. The parties informed the court they have prepared a class action settlement agreement to be executed by December 6 and anticipate filing a motion for preliminary approval by the court by December 16. The parties requested that the case be stayed, and all pending dates will be stricken.

The complaint, filed on July 8, detailed a hacking incident that occurred on November 3, 2023, when the defendant detected unusual activity on its computer systems. The breach compromised sensitive personal information maintained by the defendant, including names, Social Security numbers, financial account information, driver’s license numbers, and addresses. The defendant waited seven months before notifying the affected individuals, during which time the plaintiffs were at risk of identity theft or harm.

The plaintiffs alleged the defendant failed to implement reasonable data security measures which put the plaintiff’s personal information at risk, violating the California Consumer Privacy Act and other regulations. The complaint included seven counts against the defendant: negligence, negligence per se, breach of implied contract, violations of the California Consumer Privacy Act, unjust enrichment, breach of third-party beneficiary contract, and declaratory judgment. The plaintiffs sought monetary relief, injunctive relief, and lifetime credit monitoring for the affected class members. The number of affected class members is unknown but is estimated to be in the thousands.

The complaint further claimed the defendant’s inadequate security measures and failure to properly monitor its networks led to the data breach. The plaintiffs argued the defendant’s actions resulted in significant harm, including the loss of control over their personal information, potential identity theft, and other financial damages. The plaintiffs also highlighted the defendant’s alleged violations of the California Consumer Privacy Act, which mandates the implementation of reasonable security procedures to protect consumers’ personal information.