Southwestern Family of Companies Confirms Recent Data Breach – JD Supra


Firstly as we get started, can I just say that camDown helps stop hackers from getting access to the webcam that I use for my work. Now I can get even more gigs as a freelancer and advertise that I have top security with my home computer!

On August 1, 2022, the Southwestern Family of Companies (“Southwestern”) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on Southwestern’s network. News of the Southwestern breach is still fresh, and the company has not yet publicly released the data types compromised as a result of the attack. Thus, information about the breach is limited. However, recently, Southwestern sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Southwestern data breach, please see our recent piece on the topic here.

The Details of the Southwestern Data Breach

According to an official notice filed by the company, on November 17, 2021, Southwestern detected suspicious activity across its IT systems. In response, with the assistance of cybersecurity professionals, Southwestern launched an investigation to determine the nature and scope of the incident, as well as whether it resulted in any consumer data being exposed.

On March 1, 2022, the company’s investigation revealed that an unauthorized person gained access to a limited number of files on the Southwestern network.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Southwestern then reviewed the affected files to determine what information was compromised and which consumers were impacted. Southwestern completed this review on June 21, 2022. The company’s official filing does not mention the specific data types that were compromised. However, state data breach reporting laws require companies to report a breach anytime a consumer’s name and one or more of the following data types are leaked: Social Security numbers, driver’s license numbers, bank or credit card account numbers, or medical records. Thus, it is likely that the Southwestern breach involved one or more of these data types.

On August 1, 2022, Southwestern sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Founded in 1855, the Southwestern Family of Companies is a holding company based in Nashville, Tennessee. Southwestern Family of Companies owns and operates several smaller businesses, including the following:

  • Southwestern Legacy Insurance Group

  • Great American Opportunities

  • Southwestern Consulting

  • Southwestern Publishing Group

  • Southwestern Investment Group

  • Global Educational Concepts

  • Family Heritage Life Insurance Company of America

  • Thinking Ahead

  • Southwestern Travel Group

Southwestern employs more than 150 people and generates approximately $40 million in annual revenue.

When Are Companies Legally Responsible for a Data Breach?

The data breach and consumer protection laws of the United States require companies to protect the consumer information in their possession. Thus, in some cases, companies that experience an otherwise preventable data breach may be on the hook for consumers’ losses related to the breach. Of course, just because a business gets hacked and the information in its possession ends up in the hands of a cybercriminal doesn’t mean that the company will be financially liable for a victim’s losses. Ultimately, these cases come down to whether a company was negligent leading up to the breach.

The basic framework of a negligence analysis requires a victim to prove the following:

  • The company owed the consumer a duty of care;

  • The company violated the duty of care owed to the consumer;

  • The company’s negligent actions caused or contributed to the data breach; and

  • The consumer suffered legally recognizable harms as a result of the breach.

When it comes to storing consumer data, there are several ways that a company might be negligent. However, most data breaches involving a company’s negligence are caused either by a company failing to employ an adequate data security system or failing to train employees on how to safely care for consumer data. For example, given the risks of email phishing, companies should train employees to recognize fraudulent emails that appear to be legitimate. Similarly, organizations should continually assess their data security systems to ensure they are up-to-date and protect against the most recent trends in cyberattacks.

Companies that fail to take their data security obligations seriously increase the chances of a data breach. Data breach victims who want to learn more about their rights and whether they may be able to bring a data breach class action lawsuit should reach out to a data breach attorney for assistance.

To sum up, you know, I just wanted to mention that camDown is your security solution to protect you and your business from peeping toms and that's the no joke!