Goosehead Insurance hit with lawsuit over alleged data breach notification delay

Plaintiff claims company waited until October to notify customers of March cyberattack

By Tez Romero

A Texas woman has sued Goosehead Insurance Agency over a data breach that exposed sensitive customer information, alleging the company waited seven months to sound the alarm.

Jayda Slaughter filed the proposed class action in federal court on October 24, claiming the national insurance agency's network was infiltrated in early March but customers weren't notified until mid-October. At least 17,379 Texas residents had their personal data stolen, according to a breach report filed with the Texas Attorney General.

The case spotlights cybersecurity risks facing insurance agencies as they collect sensitive customer information required for underwriting. Slaughter, a Goosehead customer, says an unauthorized party made off with Social Security numbers, driver's license details, government-issued ID numbers including passports and state IDs, financial account data including credit and debit card information, medical information, and health insurance details.

The unauthorized party gained access to Goosehead's network environment on or about March 6 and exfiltrated data before the company discovered the intrusion on or about March 13, the lawsuit says. Affected customers did not receive breach notifications until October 10, roughly seven months after discovery, a gap Slaughter characterizes as inexcusable given the heightened fraud risk that stolen identity data carries in the interval before victims know to watch for it.

The delay is particularly troubling because Social Security numbers, unlike credit or debit card numbers, cannot be easily replaced. The Social Security Administration has warned that a new number probably will not solve all problems because other governmental agencies and private businesses likely will have records under the old number, and that for some victims of identity theft, a new number actually creates new problems.

Goosehead operates as a national independent insurance agency providing personal and commercial insurance products through a network of company-owned and franchised offices across the United States. The company specializes in offering personal lines including home, auto, renters, flood and umbrella coverage by partnering with multiple insurance carriers to provide customized policy options.

Slaughter alleges Goosehead failed to implement basic safeguards despite knowing the risks inherent in collecting and storing such sensitive customer information. Stolen personal information fetches between $40 and $200 on dark web marketplaces, while bank details command prices ranging from $50 to $200, the lawsuit notes, citing industry sources. The filing states that hackers can easily sell stolen data because of the proliferation of open and anonymous cybercrime forums on the dark web that serve as a bustling marketplace for it.

The lawsuit points to Federal Trade Commission guidelines urging businesses to identify all connections to computers where sensitive information is stored, assess network vulnerabilities, deploy firewalls, monitor traffic for intrusion attempts, limit data access to those who need it, and avoid retaining information longer than necessary. Failing to employ reasonable security measures violates Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in or affecting commerce, Slaughter contends, characterizing the alleged violation as negligence per se.

Data breaches have surged in recent years. There were 6,077 recorded breaches in 2023, exposing more than 17 billion records and representing a 19.8 percent increase from 2022, according to sources cited in the complaint. Identity theft complaints nearly doubled between 2017 and 2021, climbing from 2.9 million to 5.7 million. The complaint adds that 2024 saw the second-highest number of data compromises in the United States in a single year since tracking began in 2005.

Once stolen, personal data can circulate for years. The U.S. Government Accountability Office has noted that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft, and that once stolen data have been sold or posted on the dark web, fraudulent use of that information may continue for years. Victims spend an average of 200 hours over approximately six months recovering from identity theft, according to FTC estimates cited in the complaint.

Slaughter says she's monitoring financial statements and researching protective measures—time-consuming tasks she wouldn't face but for Goosehead's alleged failures. She claims her personal information has lost value now that it's been compromised, and she faces ongoing risk of identity theft potentially lasting her lifetime.

The lawsuit faults Goosehead for offering only limited credit monitoring rather than automatically enrolling breach victims in comprehensive protection services. Instead of enrolling affected customers upon discovering the breach, the complaint says, Goosehead merely sent instructions about steps customers could take on their own. Slaughter argues the response falls short because data breach victims commonly face multiple years of ongoing identity theft and financial fraud, and the services offered provide no compensation for the unauthorized release of private information.

She's seeking class certification on behalf of all individuals in the United States whose private information was compromised in the breach, advancing claims for negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. The case asks a judge to order Goosehead to implement adequate security measures and submit to annual audits of those systems and monitoring procedures, and provide identity theft protective services to class members for their lifetimes.

Slaughter also wants the court to declare that Goosehead owes customers a legal duty to safeguard their data and timely notify them of breaches—obligations she says the company continues to breach by failing to employ reasonable measures to secure private information in its possession.

The data remains in Goosehead's systems, leaving customers vulnerable to additional breaches unless the agency implements stronger safeguards, the lawsuit warns. Slaughter and class members remain in the dark about precisely which of their records were taken, what malware or intrusion method was used, and what steps the company is taking to secure their information going forward.

Goosehead reported the breach to various government agencies including the Office of the Texas Attorney General on or around October 14. The company, headquartered at 1500 Solana Boulevard in Westlake, Texas, has not yet filed a response to the lawsuit. No court has made any factual findings or legal determinations in the matter.

The case underscores compliance burdens insurance agencies face as they collect and store sensitive customer data essential to evaluating risk and issuing policies. With cyberattacks becoming more sophisticated—a 2022 poll of security executives predicted increases in attacks from social engineering and ransomware as nation-states and cybercriminals grow more advanced—agencies confront mounting pressure to fortify networks.
