Overby-Seawell Co. (OSC), the complaint for this class action alleges, provides services to Fulton Bank, NA. Both of these entities collect and maintain the personally identifiable information (PII) of their customers in the course of operating their businesses. However, the complaint alleges that they did not take adequate measures to maintain the privacy and security of this information and bear some responsibility for a recent OSC data breach.
The class for this action is all individuals living in the US whose PII was accessed or exfiltrated in the data breach announced by OSC in 2022.
Fulton Bank provides financial services to consumers in Pennsylvania, Maryland, Delaware, New Jersey, and Virginia. OSC provides Fulton with various services, including making sure that Fulton Bank’s residential mortgage customers keep up the property insurance on their homes.
“According to OSC’s Notice of Data Event…” the complaint says, “OSC discovered suspicious activity on their computer systems on July 5, 2022. OSC conducted an investigation which concluded that ‘unauthorized access’ to their servers began on May 26, 2022; and that on July 11, 2022, their investigation concluded that PII was stolen from OSC’s network.”
The complaint claims that the information that the defendants did not safeguard includes names, addresses, loan information, and Social Security information.
The complaint alleges that the scope of the data breach has not been revealed and alleges that “the victims in this Action could number well into the millions, as numerous OSC banking clients were implicated in this Data Breach, including Defendant Fulton Bank, as well as at least one more bank (KeyBank).”
The defendants had an obligation to protect the PII, the complaint alleges: “As sophisticated institutions that collected, stored, and maintained the PII of Plaintiff and Class Members, [Fulton and OSC] owed Plaintiff and Class Members numerous statutory, regulatory, contractual, and common law duties and obligations, including those based on their affirmative representations” that they will keep the information in their care safe.
Also, the complaint alleges, that when customers gave their PII to the bank, they “reasonably expected and relied upon Fulton Bank to ensure that third[-]party vendors to whom it entrusted their PII, like OSC, maintained adequate data security and retention systems.”
According to the complaint, the PII held by OSC “was not encrypted or was not adequately encrypted” before the data breach took place: “Had the PII been properly encrypted, the cybercriminals would have accessed and ‘stolen’ only useless, unintelligible data.”
The complaint alleges that the companies should have foreseen the data breach, in light of the many other data breaches taking place these days. Despite this, the complaint alleges, they did not comply with data standards set forth by the Federal Trade Commission, comply with the Graham-Leach-Bliley Act, or meet industry standards for data security.