Your Data Was Their Problem. Your $1M Was Their Solution.
In November 2022, TriStar Insurance Group allowed a data breach to happen. Personal information belonging to their own customers was exposed. Those customers sued. TriStar agreed to pay $1 million to settle the lawsuit and, critically, admitted nothing. This is the story of how a company turns a security failure into a capped liability, funnels affected people through a claims process that limits how much any one person can recover, and walks away with its reputation intact and its legal exposure erased.
The Non-Financial Ledger
There is a particular kind of violation that happens when a company holding your private information loses it to unknown hands. You did not choose to hand your data to TriStar out of trust or goodwill. You handed it over because you needed insurance, because it was required, because the transaction left you no alternative. You gave them your information because they asked for it, and they accepted the obligation to protect it.
When that breach happened in November 2022, the people on the other end were not abstractions. They were customers who now had to spend their own time figuring out what was taken, checking their credit reports, monitoring their accounts, wondering whether something fraudulent was already in motion under their name. The anxiety that follows a data breach is real and it does not resolve cleanly. You cannot un-expose your Social Security number. You cannot undo the period of vulnerability. You cannot get back the hours you spent trying to determine your own risk level after someone else’s failure.
The legal system’s answer to this is a claims process. Fill out the form, document your losses, wait for a check. That process is real and it is better than nothing. But it cannot restore what was taken, which was the confidence that a company entrusted with your information was doing the bare minimum to keep it safe. The settlement does not require TriStar to admit that it failed. It does not require an apology. It does not require a public accounting of exactly what went wrong and how many people were exposed to what specific data. It requires a payment, then silence.
The Settlement Isn’t Justice
A $1 million settlement fund sounds significant until you understand how class action data breach payouts actually work in practice.
- The $1 million total must be shared across every class member who submits a valid claim. The more people who file, the smaller each individual recovery becomes. This is a structural feature of class action settlements, not a bug, and it serves the defendant’s interest by capping total exposure at a single fixed number.
- Attorneys’ fees and administrative costs are drawn from the same fund before any class member receives a dollar. In typical class action settlements, these costs can consume a substantial portion of the total pool, leaving less for the people who were actually harmed.
- TriStar agreed to the settlement without admitting wrongdoing. This means the company is not on record as having done anything wrong. No finding of negligence. No acknowledgment of a specific security failure. Nothing in the settlement record that forces a public reckoning with what actually happened to customers’ data.
- There is no source-documented figure for what TriStar earned in premiums or revenue during the period of the breach, so a direct profit-to-penalty ratio cannot be calculated here. What is documented is that a $1 million settlement removes legal liability for an insurance company, a type of business whose entire product is the management of other people’s risk.
Profit-Maximization at All Costs
TriStar’s settlement structure reveals a financial logic that prioritizes liability containment over genuine accountability to the people harmed.
- By settling for $1 million and requiring no admission of wrongdoing, TriStar capped its entire legal exposure from the breach at a single, predetermined figure. This is cheaper, faster, and reputationally cleaner than contesting liability at trial.
- Insurance companies are in the business of quantifying and pricing risk. The decision to settle rather than fight is itself a risk calculation: the settlement cost was assessed as lower than the cost of continued litigation, potential trial judgment, and reputational damage from a public finding of negligence.
- The affected customers, by contrast, had no comparable negotiating power. They could participate in the class action or opt out; they could not individually negotiate the terms of the fund or compel a higher payout based on their specific documented losses.
Public Deception
Insurance companies sell a product built entirely on the promise of protection. The implicit claim is that your information, your policy, and your relationship with the company are secure.
- What was implied: TriStar, as an insurance company, holds itself out as a professional manager of sensitive personal and financial data. The business model depends on customers trusting the company with that data.
- What the breach documented: In November 2022, that trust was broken. Customer data was exposed. The security infrastructure that was supposed to protect it did not.
- What the settlement allows: TriStar resolved this without ever being required to state publicly what went wrong, which systems failed, or how many customers were affected at what level of detail.
Societal Impact Mapping
Public Health: The Stress Economy of Data Exposure
Data breaches at insurance companies carry a specific harm profile because of the type of information these companies hold.
- Insurance companies routinely collect sensitive personal data including names, addresses, dates of birth, Social Security numbers, and health or financial information depending on policy type. Exposure of any subset of this information creates real risk of identity theft, fraudulent account opening, and medical record manipulation.
- The psychological burden on breach victims is documented across public health research: sustained monitoring anxiety, loss of trust in institutions, and time-consuming remediation activity that falls entirely on the individual rather than the company that lost the data.
- People who cannot afford to pay for credit monitoring or identity theft protection services are disproportionately exposed. The settlement offers some reimbursement for these costs, but only for those who know about the settlement, understand the process, and submit a valid claim in time.
Economic Inequality: Who Bears the Cost of Corporate Negligence
The financial burden of a data breach is not distributed equally across the affected population.
- Wealthier customers are more likely to have existing credit monitoring services, fraud alerts, and the professional relationships (attorneys, financial advisors) to respond effectively to a breach. Lower-income customers are more likely to bear the full weight of monitoring, remediation, and potential fraud loss on their own.
- The claims process itself creates an access barrier. Submitting documentation of out-of-pocket losses requires keeping records, understanding legal deadlines, and navigating administrative forms. These are tasks that take time, literacy, and a level of institutional familiarity that is not evenly distributed.
- TriStar, meanwhile, is a corporation with dedicated legal counsel that negotiated the settlement terms. The information asymmetry between the company and individual claimants is total. The company knew exactly what was in the settlement; individual class members were informed after the fact.
The “Cost of a Life” Metric
$1 million: the total settlement fund for all affected TriStar customers combined. That is the entire dollar value the legal system placed on the collective breach of every customer’s personal data in November 2022. Split across attorneys’ fees, administration, and every valid claim, the per-person payout is a fraction of what a single identity theft incident can cost to remediate.
This Is the System Working as Intended
The outcome of Riggs et al. v. TriStar Insurance Group is not a failure of the legal system. It is the legal system performing exactly as designed for corporate defendants with sufficient resources to settle.
- The class action mechanism was created to aggregate small individual claims into a viable lawsuit. It works. It produced a $1 million fund. But the same mechanism that makes litigation viable also caps individual recovery and channels settlement authority to attorneys rather than individual class members.
- The “no admission of wrongdoing” clause is standard settlement language, not an anomaly. It exists because courts allow it and corporations routinely demand it. The result is a system where liability can be purchased without accountability, and where the public record contains no finding of what actually went wrong.
- TriStar is an insurance company. Its entire business is built on understanding and pricing risk. The breach and subsequent settlement can be modeled as a cost of doing business: a foreseeable liability that was priced, managed, and resolved within a predictable financial range. The customers whose data was exposed were not part of that calculation.
- Data breach settlements of this type are common across the industry. The recurrence of the pattern across companies and years is evidence that the current penalty structure does not create a sufficient deterrent. A $1 million settlement is survivable for an insurance company. The exposure of customer data was survivable for TriStar. The same cannot be said for the customers.
What a Legitimate Fix Looks Like
The core structural failure this case exposes: data breach penalties in the United States are capped by settlement negotiation rather than scaled to the actual harm caused or the financial capacity of the defendant, which means large companies can price data security negligence as a manageable operating cost rather than an existential compliance risk.
Regulatory Track
- Federal financial regulators and state insurance commissioners should require insurers to disclose the number of affected individuals in any breach within a mandatory reporting window, along with the specific data categories exposed. Non-disclosure or delayed disclosure should carry automatic per-day penalties that begin accruing immediately.
- Minimum per-person breach penalties should be established, scaled to the sensitivity of the data category exposed, so that a company holding Social Security numbers or health data faces a higher floor liability than one holding only email addresses. This prevents $1 million from being an adequate resolution for a large-scale breach.
- Regulators should require post-settlement security audits conducted by independent third parties, with findings made public. TriStar’s settlement contains no documented requirement that the company fix whatever allowed the breach to happen. That omission is a systemic failure, not a one-company problem.
Legislative Track
- Congress should pass comprehensive federal data breach legislation that establishes a private right of action with statutory damages, meaning individuals can recover a minimum sum per violation without having to document specific out-of-pocket losses. The current model, which requires victims to prove and document individual harm, advantages well-resourced defendants against low-resource claimants.
- Settlement structures that include no-admission-of-wrongdoing clauses in cases involving consumer data should be subject to judicial scrutiny for fairness. Courts should be required to make an affirmative finding that the settlement is in the interest of class members, not merely that it is not objectionable.
- Legislation should require that attorneys’ fees in data breach class actions be capped as a percentage of the fund only after a minimum per-class-member distribution threshold is met, preventing scenarios where legal fees consume the majority of a settlement fund before individual claimants are compensated.
Corporate Governance Track
- TriStar’s board should be required to publicly report on what specific security controls were absent or failed in November 2022, what remediation steps were taken, and what the current state of data security infrastructure is. This is information policyholders are entitled to as a matter of basic transparency.
- Executive compensation at insurance companies that suffer data breaches should be subject to clawback provisions if a breach is later found to have resulted from deferred security investment or inadequate staffing of cybersecurity functions. Making breach-related liability personal for executives changes the incentive structure in a way that settlement funds paid by the corporation do not.
- Insurance companies should be required to carry dedicated cyber liability coverage that is separate from general operating reserves, sized to cover realistic breach remediation costs for their customer population. Separate cyber coverage is a general industry standard, but it is not a requirement; the absence of such a requirement creates the conditions for underfunded settlements like this one.
What Now?
If you are a TriStar Insurance Group customer and believe you were affected by the November 2022 data breach, the settlement claims process is your documented path to partial recovery. Start there. Then go further.
Watchlist: Regulatory Bodies With Jurisdiction
- FTC (Federal Trade Commission): Primary federal authority over data security practices for non-banking entities. File a complaint at ftc.gov/complaint if you believe your data was mishandled.
- Your State Insurance Commissioner: Insurance companies are regulated at the state level. Your state commissioner has authority over TriStar’s licensing and compliance. A formal complaint creates a paper trail that regulators are required to act on.
- CFPB (Consumer Financial Protection Bureau): If the breach affected financial data, the CFPB accepts consumer complaints at consumerfinance.gov and tracks patterns across companies and industries.
- State Attorney General: Most state AGs have consumer protection divisions that handle data breach complaints. A volume of complaints about the same company triggers investigative capacity that an individual lawsuit cannot.
Organize and Resist
- If you received a settlement notice, read it in full before the deadline and file a claim even if your individual loss feels small. Low claim rates make it easier for corporations to pocket settlement funds through unclaimed residuals and cy pres distributions that go to charities rather than back to you.
- Connect with local digital rights and consumer advocacy organizations. Groups like the Electronic Frontier Foundation (EFF) and state-level consumer law centers track data breach patterns and advocate for stronger legislation. Your individual case becomes part of their evidence base.
- Talk to your neighbors, coworkers, and community members who may also be TriStar customers. Settlement notices often go ignored because people do not recognize them as legitimate. Spreading awareness directly increases the number of people who successfully file claims.
- Contact your federal representatives and demand co-sponsorship of comprehensive federal data privacy and breach penalty legislation. Corporate lobbying against such legislation is well-funded and ongoing. Constituent contact is one of the few documented counterweights.