Class Action Filed in the Wake of Sovos 2023 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Sovos Compliance, LLC faces a proposed class action over a May 2023 data breach that reportedly affected more than 215,000 individuals.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 48-page case, the data breach was a “foreseeable” result of Sovos’s failure to properly safeguard the sensitive information entrusted to it, which belongs to its clients’ customers. The lawsuit reports that data impacted by the breach included names, addresses, dates of birth, Social Security numbers, driver’s license numbers and account numbers.

The complaint says that contrary to Sovos’s privacy policy, which promises that the company has “put in place appropriate physical, electronic and managerial procedures” to protect data from unauthorized disclosure, hackers were able to access files that contained customers’ unencrypted, unredacted information between May 27 and 30 of this year.

In its August 25 notice letter, Sovos, a Massachusetts-based software company that provides regulatory compliance services to its clients, revealed that the files were compromised during a widespread attack against MOVEit, a popular file transfer tool.

Per the case, the defendant failed to “exercise due diligence in selecting its IT vendors or deciding with whom it would share sensitive [personally identifiable information]” and had a responsibility to “audit, monitor, and ensure the integrity of its vendor’s systems.”

The case says that the plaintiff—a victim of the data breach who entrusted her information to Sovos through her affiliation with one of its clients, Pacific Premier Bank—believes cybercriminals have sold her stolen data on the dark web as a result of the incident. Like other affected individuals, the woman now faces an “imminent” and “ongoing” risk of identity theft and fraud, the complaint contends.

The suit goes on to criticize the defendant’s offer of 24 months of identity monitoring and theft resolution services, claiming that the measure fails to adequately compensate victims, who will be forced to pay out of pocket for these services for years after the offer expires.

What’s more, Sovos’s failure to inform affected individuals of critical facts surrounding the incident has severely diminished class members’ ability to mitigate the harms caused by the exposure of their data, the suit says.

The lawsuit looks to represent anyone in the United States whose personal information was compromised in the data breach experienced by Sovos Compliance, LLC.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.