Close Close
ThinkAdvisor

Life Health > Annuities

MOVEit Breach Suits Against Genworth, TIAA and Others Head to Boston

X
Your article was successfully shared with the contacts you provided.

What You Need to Know

  • The attack on MOVEit may have exposed the personal information of about 26 million U.S. life, annuity and pension users.
  • Some parties, included TIAA, wanted their cases considered separately.
  • Others, including Genworth, supported centralization.

A judge in Boston will manage the pretrial proceedings for all of the MOVEit-related data breach lawsuits, including the suits naming life and annuity issuers such as Genworth Financial, Prudential Financial and TIAA as defendants.

Judge Karen Caldwell and two other judges on a multidistrict litigation panel ruled last week that Judge Allison Burroughs of the U.S. District Court for the District of Massachusetts should steer the litigation.

The panel knew of 101 actions subject to the centralization order, and Caldwell predicted, in the transfer order announcing the ruling, that more “tag-along” cases will come in. The centralization order does not affect suits filed in state courts.

MOVEit is a popular tool for moving big batches of sensitive data. Cases related to hackers’ attack on MOVEit are important to retirement advisors and their clients because many life insurance, pension and annuity issuers used a vendor relied used MOVEit to manage data. A ThinkAdvisor analysis found that the attack may have affected more than 26 million life, pension and annuity client accounts.

TIAA and other parties could not immediately be reached to comment. Progress Software has emphasized in past statements that it patched the MOVEit vulnerability as soon as it knew of it.

What it means: Many financial services executives and their lawyers will be heading to Burroughs’ court, on Fan Pier in Boston, to figure out how just what the attack did, how exactly it worked, and what they should do to help the people affected and guard against other attacks in the future.

The attack: Cl0p, a Russian group, breached MOVEit systems in May, according to the Cybersecurity and Infrastructure Security Agency, an arm of the U.S. Department of Homeland Security.

Cl0p was able to get the data stored on MOVEit servers. It tried to persuade companies to pay it ransom in exchange for keeping the records secure, and it is believed to have dumped most or all of the data it gathered online in August, according to media reports.

U.S. financial services clients were not the only people affected by the attack. Bert Kondruss, managing director of KonBriefing Research, estimates in his latest MOVEit attack impact update that breach reports show the attacked has affected at least 2,255 organizations and more than 62 million people around the world.

Breach reports suggest that many of the U.S. financial services company records affected included consumers’ names and Social Security numbers.

The litigation: Progress Software owns the business that runs the MOVEit system.

Many financial services companies affected by the attack are involved because they relied on Pension Benefit Information, a MOVEit user, to track life insurance insureds and retirement benefit recipients and see whether those people were still alive.

Some of the many suits related to the attack named many parties as defendants. Others focused on Progress Software, PBI or individual, consumer-facing organizations, such as insurance companies or pension plan administrators.

The centralization fight: Caldwell noted in the case transfer order that some parties wanted pretrial proceedings centralized in Massachusetts, some wanted proceedings centralized in other federal districts, and some wanted to have their litigation handled entirely in the courts where the suits were originally filed.

Genworth, for example, supported centralization, according to the order. Prudential and TIAA wanted claims against them considered separately.

“All actions can be expected to share common and complex factual questions as to how the MOVEit vulnerability occurred, the circumstances of the unauthorized access and data exfiltration, and Progress’s response to it, as well as the response of various downstream MOVEit users and customer-facing defendants with whom plaintiffs did business,” Caldwell wrote in the order.

Centralization should streamline the pretrial the proceedings and conserve the resources of the parties, their lawyers and the courts, Caldwell said.

“Although no single defendant is named in all cases, we are of the opinion that the parties can obtain significant efficiencies by placing all actions concerning the vulnerabilities in the MOVEit software before a single judge,” Caldwell added.

Caldwell noted that centralization affects only investigations involving the questions that the parties have in common, and that the original courts can continue to address the questions that aren’t directly affected by centralization, if the judges in the original courts choose to do so.

The panel picked Massachusetts to be the “transferee district” for the MOVEit cases because Progress Software is based in Burlington, Massachusetts, and more MOVEit cases are pending in the Massachusetts district than in any other, according to the order.

Credit: Shutterstock


NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.