Keenan & Associates Data Breach Settles for $14M

Case Background

Keenan and Associates, a major insurance brokerage and consulting firm operating across California, found itself at the center of a significant class action lawsuit after a crippling security lapse exposed the personal information of countless individuals. The legal action began quickly after the company publicly confirmed in late September 2023 that an unauthorized criminal party had penetrated and compromised its internal computer systems.

Cause

The direct cause of the litigation was a severe data breach that the Defendant, Keenan and Associates, had confirmed. The Plaintiffs’ Second Amended Complaint, the core legal document detailing the allegations, asserted that the firm had not adopted reasonable and necessary measures to secure its network, where it stored vast amounts of highly sensitive data. This lack of appropriate protection, the Plaintiffs insisted, fell far short of industry standards and directly violated the company’s implied promise to protect the private information that had been entrusted to its care. The Complaint charged that the failure to invest in robust security was a cost-saving measure that put profit ahead of privacy.

Injury

The security failure resulted in catastrophic exposure for those affected. The information accessed was extremely sensitive; it reportedly included individuals’ names, addresses, dates of birth, Social Security Numbers, and detailed medical or health insurance records. The Plaintiffs argued that this widespread exposure immediately placed them at risk. They had already sustained immediate financial injuries, which stemmed from out-of-pocket costs to mitigate the breach’s damage, as well as the significant, ongoing threat of identity theft. Furthermore, the Plaintiffs cited severe emotional distress and anxiety that came from knowing their most private records were now vulnerable to malicious actors.

Damages Sought

The Plaintiffs, representing a massive group of affected individuals, had sought significant legal and financial relief from the Court. They pursued monetary compensation to cover the financial losses already incurred, including the substantial time they spent dealing with the consequences of the breach. Crucially, they also demanded that Keenan and Associates be compelled to provide free, long-term credit monitoring and identity theft protection services to the entire class. Finally, they requested that the Court mandate that Keenan immediately fund and implement comprehensive upgrades to its entire data security infrastructure, ensuring a much higher level of protection against any future incidents.

Key Arguments and Proceedings

The lawsuit, which commenced in the Superior Court of California, County of Los Angeles, proceeded through the initial phases of litigation at a brisk pace. The parties exchanged extensive documentation and legal arguments during a period of vigorous motion practice before they ultimately negotiated a comprehensive resolution, thus avoiding a lengthy trial.

Legal Representation

Plaintiff(s): Heath et al

·       Counsel for Plaintiff(s): Berry M. Anderson | Andrew W. Ferich | Haroutunian Gregory | Hart Yana | Samantha E. Holbrook | Benjamin F. Johns | Theodore W. Maya | Shub Jonathan | Bryan P. Thompson | Ryan J. Clarkson | Yana Hart | Tiara Avaness | Valter Malkhasyan | Adam Rosen | Tina Wolfson

The Defendant(s): Keenan and Associates

·       Counsel for Defendant(s):  John A. Vogt | Billeci Matthew Thomas

Key Arguments or Remarks by Counsel

The Second Amended Complaint, filed in September 2024, set a clear and aggressive strategy to hold Keenan and Associates fully accountable for what the Plaintiffs characterized as a completely avoidable and egregious security failure.

Claims

The legal claims that the Plaintiffs pursued targeted the company's core responsibilities concerning data handling and consumer protection, focusing on several distinct areas of corporate misconduct.

Negligence and Negligence Per Se: Plaintiffs' counsel had forcefully argued that Keenan owed a fundamental duty of care to the individuals whose private data they held. The firm, they asserted, had failed to implement reasonable data security measures, which constituted a direct breach of this duty. This lapse, they claimed, was the proximate cause of the breach and the resulting harm to the Plaintiffs.

Breach of Implied Contract: The legal team also pursued a claim based on contract law. They argued that when Keenan collected and stored the Plaintiffs' private information, it had entered into an implied contract to protect that data and keep it confidential. The breach, therefore, fundamentally violated this agreement, obligating the company to compensate the victims for the contractual failure.

Violations of California’s Unfair Competition Law: Finally, the Plaintiffs alleged that Keenan’s substandard security practices represented an unlawful, unfair, and fraudulent business action under California's Unfair Competition Law (UCL). They contended that Keenan had unfairly benefited by avoiding the necessary costs associated with implementing robust security measures, essentially gaining a competitive advantage at the direct expense of its clients' security.

Defense

Though the case did not proceed to trial, Keenan’s defense team aggressively challenged the Plaintiffs’ claims. While their full trial arguments remained theoretical, the defense typically maintained that the security incident was the result of highly sophisticated, criminal activity an attack that no reasonable security measure could have entirely prevented. Their attorneys likely contended that the company had maintained substantial protocols and argued that the incident was, in essence, an unforeseeable event beyond their control. Furthermore, the defense consistently challenged the Plaintiffs’ standing to sue, arguing that until a class member could prove specific, quantifiable financial losses directly caused by the breach, their claims for damages were merely speculative.

Settlement

The matter came to an end not with a verdict from a jury but through a comprehensive Stipulated Undertaking Re: Settlement that both sides had negotiated and signed on November 8, 2024. This resolution, however, remained subject to final approval by the Superior Court of California, County of Los Angeles, meaning the case technically remained open until the Court entered its Final Judgment.

The parties had agreed to a total settlement amount of $14,000,000. This sizable figure, which Keenan funded, secured either direct cash payments or reimbursement for specific costs that individuals had tracked in the aftermath of the breach. The settlement provided for two primary types of cash claims:

1. Reimbursement for Ordinary Losses: Class members could submit claims for documented out-of-pocket expenses up to a maximum amount to be determined by the Court, covering losses like bank fees, credit expenses, and costs associated with mitigating fraud.

2. Compensation for Lost Time and Extraordinary Losses: The fund also compensated individuals for documented extraordinary fraud losses (up to $10,000 per class member) and for the time they had spent dealing with the breach, such as freezing credit and investigating suspicious activity.

Crucially, the settlement also immediately obligated Keenan and Associates to fund and provide three years of credit monitoring and insurance services (CMIS) to the class members, directly addressing the Plaintiffs’ primary demand for long-term security protection. The negotiated resolution of this high-profile data breach case concluded the substantive legal battle, ensuring both financial recovery for the affected individuals and concrete commitments from the Defendant to implement significant enhancements to its future data security practices, pending the final approval of the Court.

Court documents are available upon request at jurimatic@exlitem.com