Lockton faces class action over November data breach

A proposed class of individuals whose personal identifying information was allegedly leaked following a November 2024 data breach sued Lockton Cos. LLC and one of its units in federal court in Kansas City for failing to follow industry standards, Federal Trade Commission guidelines and the Health Insurance Portability and Accountability Act of 1996.

The plaintiffs in Johnson v. Southeast Series of Lockton Companies LLC et al. say “criminals can commit a boundless litany of financial crimes” with unauthorized access to their PII and personal health information.

The plaintiffs say they were not informed about the data breach until March and that they “now suffer from a present and continuing risk of fraud and identity theft and must now constantly monitor their financial accounts.”

The plaintiffs accuse Lockton of negligence, negligence per se and unjust enrichment.

Representatives for the plaintiffs did not respond to requests for comment.

A spokesperson from Lockton said the “incident was contained within a few hours and did not affect our operations or ability to serve clients.”

The spokesperson also said the incident was not a ransomware attack, that the brokerage takes cybersecurity very seriously and that the incident was minor and quickly contained.

“We have implemented additional measures to ensure the continued safety and integrity of our systems,” the spokesperson said.