Sage Home Loans settles with data breach victims

Sage Home Loans has agreed to pay consumers impacted by a data breach last December.

The lender will provide $925,000 for customers who it had personal identifiable information on at the time of the incident, according to a court filing by plaintiffs last week. The proposed settlement in the class action complaint is pending approval by a South Carolina federal judge.

The class spans 135,000 consumers. The company notified 28,018 customers and 986 current and former employees that their PII may have been compromised. 

"The settlement will provide the settlement class members with substantial relief — that precisely addresses the harms inflicted by the data incident — without the risk of delay from protracted litigation," wrote attorneys for plaintiffs in an Oct. 11 unopposed motion for preliminary settlement approval. 

Neither the mortgage lender nor attorneys for both parties responded to immediate requests for comment Tuesday morning. 

The agreement is a relatively swift ending to the litigation commonly filed by data breach victims following a disclosed incident. Some mortgage players, like Loandepot, moved quickly to settle claims following cyber attacks, while others, including servicers entangled in a massive hack, are fighting protracted lawsuits

Three former mortgage customers led the February complaint against Sage, accusing it of negligence and failing to use reasonable security procedures in suffering the cybersecurity incident last year. Plaintiffs claim unidentified assailants acquired files the lender shared with a third party containing unencrypted PII. 

Sage has revealed few details about the incident, stating it discovered suspicious activity on a Lenox legacy network. The company was formerly known as Lenox Financial Mortgage Corp., also doing business as Weslend Financial, before changing its name to Sage last November. 

The pending agreement fund will provide up to $1,500 per class member for losses "fairly traceable" to the hack, according to last week's filing. Sage will comp members up to $125 for time they spent remedying issues related to the breach, or an alternative cash payment of $50. 

Attorneys for the class will also file an application for fees up to 33.33% of the settlement fund. The three class representatives are also in line to receive $5,000 awards. The data breach-related payments will be subject to proportional increase if clams don't exhaust the entire fund, and can conversely decrease if claims exhaust the fund. 

There's no evidence to suggest the near-million dollar payout will put Sage in danger of insolvency, plaintiffs wrote. 

As part of the agreement, Sage will also provide to the class action attorneys a "security attestation" describing security measures the lender will implement as part of the deal. Plaintiffs requested numerous cybersecurity protocols the company should introduce, such as penetration testing and third party security assessments for 10 years. It's unclear which measures Sage already has, or plans to implement.

For reprint and licensing requests for this article, click here.
Law and legal issues Cyber security Fraud
MORE FROM NATIONAL MORTGAGE NEWS