Cyberattack on client data lands Mercer in federal lawsuit

Recent Data Breach at Mercer Advisors Leads to Class-Action Lawsuit

A data breach last month has landed Mercer Advisors in court with a putative class-action suit that contends the prolific RIA acquirer failed to adequately protect private client data.

Details of the Lawsuit

Paul Berger of Washington, D.C., sued Mercer in the U.S. District Court for the District of Colorado on Monday following a data breach in mid-February. A cybercrime group known as ShinyHunters later claimed on the “dark web” that it had obtained access to roughly 5.7 million individual records containing client names, full or partial Social Security numbers, emergency contact details and other information.

According to the suit, ShinyHunters demanded a ransom in return for not releasing the information. When Mercer refused to pay, the hackers released the client information on the dark web. Berger’s suit seeks class action status so others allegedly harmed in a similar way can join.

Berger’s lawyers did not respond to requests for comment. Mercer declined to comment for this article.

Regulators’ push to protect client data

Protecting private investor data has been a priority for industry regulators in recent years. The Securities and Exchange Commission, for instance, adopted changes in 2024 giving firms additional obligations under a federal privacy rule known as Regulation S-P. The biggest change gives investment advisors, brokers and other affected firms 30 days to tell clients of any data security lapse that might trigger “a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

Denver-based Mercer, which has more than $96 billion in client assets and more than 1,550 employees, isn’t the only prominent wealth manager to have suffered a data breach in recent months. In January, the fintech and robo advisor Betterment confirmed that it had suffered an attack that exposed customer names and email addresses. ShinyHunters also claimed responsibility for that breach.

Other financial firms targeted in widely reported recent attacks include Edelman Financial Engines and Pathstone Family Office.

Allegations in the Lawsuit

Berger’s suit against Mercer contends the breach exposed him to harm and occurred because Mercer did not follow industry standards designed to protect client data. The suit alleges Mercer failed to ensure the personal information it held was encrypted, to monitor for and remediate vulnerabilities in its cybersecurity systems and to ensure employees had access to private data only if they used multifactor authentication — a system often requiring users to verify their identities through at least two separate devices. The suit accuses Mercer of negligence, unjust enrichment and breach of an implied contract.

John Wick

ABJ, a Senior Writer at All Banking, brings over 10 years of automotive journalism experience. He provides insightful coverage of the latest banking jobs across the American and European markets.