Plaintiffs Request Judge Approve Settlement in ERISA Data Breach Lawsuit

Retirement plan participants whose personal identifiable information was exposed in a 2021 data breach have asked a Georgia federal judge to approve an $8.733 million agreement to resolve allegations, which claimed national consultant Horizon Actuarial Services LLC failed to safeguard their sensitive data.

The plaintiffs’ attorneys are seeking final approval from the court of the proposed class action settlement. The settlement would resolve all claims related to the data security incident on behalf of the settlement class of approximately 4,386,969 individuals nationwide. The case is Justin Sherwood, et al. v Horizon Actuarial Services LLC. 

The plaintiffs’ attorneys write that agreement negotiated between the parties is “a fair, adequate and reasonable settlement, which guarantees members of the settlement class will receive significant compensation in direct reimbursements for the benefit of all class members.”   

Per the proposed settlement, members may self-certify the amount of time they actually spent resolving issues related to the data security incident.

Horizon has agreed to pay the total settlement amount into a fund to be used to make payments to settlement class members, administrative expenses, and attorneys’ fees and expenses.

Settlement class members’ are eligible for total reimbursement for any out-of-pocket losses together with any repayment for time losses is capped at $5,000.  

If approved, the settlement dismisses with prejudice all claims of the class against Horizon in the action, without costs and fees except as explicitly provided for in the settlement agreement.  

On March 11, attorneys for the class of plaintiffs filed a memorandum in support of their motion and two briefs to support their contention the settlement should be approved.  

“The question of liability on the part of service providers to plans for cyberattacks is an emerging issue,” says Drew Oringer, partner in and general counsel at the Wagner Law Group, which was not involved in the litigation. “This settlement is a reminder to recordkeepers and other service providers that the occurrence of a data breach could have significant financial ramifications for providers that may be accused of not having done enough to protect participant data.” 

Earlier this year, U.S. District Court Judge Eleanor L. Ross scheduled the final approval hearing for Thursday, April 4.

Plan sponsors, which provide Employee Retirement Security Act-regulated retirement plans and other benefits must consult the Department of Labor’s Cybersecurity Program Best Practices, if they have not previously, adds Oringer.

The parties have agreed to use legal services provider Epiq as the claims and settlement administrator.

The opt-out and objection deadlines have passed. Some 102 individuals have opted out of the settlement. No objections to the settlement have been received by the settlement administrator, but two objections have been submitted to the court and entered on the docket.

The court previously granted preliminary approval of the proposed settlement in September 2023.

The original complaint was filed in U.S. District Court for the for the Northern District of Georgia, Atlanta Division, in 2022.  

Justin Sherwood, the lead plaintiff in the case alleged Horizon Actuarial Services LLC, a provider of actuarial and administrative services to retirement plans and other client types, failed to properly secure and safeguard sensitive personally identifiable information provided by and belonging to its customers.

The complaint alleged Horizon experienced a data security incident in November 2021 during which unauthorized third parties gained access to its network and file server.

Horizon investigated the cause, scope of the incident and determined that files containing plaintiffs and settlement class members’ names, address, Social Security numbers, benefit plan enrollment data and dates of birth were accessed without authorization and reported stolen. 

Representatives of Horizon did not respond to a request for comment; nor did attorneys for the plaintiffs and defendant.