Data Breach Settlements: Why Are They Getting Bigger?
Although each data breach class action arises out of its own particular circumstances, there are a number of factors that seem to be contributing to these large settlements.
November 20, 2017 at 08:00 AM
In June 2017, Anthem, Inc. agreed to pay a record $115 million to settle class action lawsuits stemming from a 2015 data breach that involved the personal information of nearly 80 million of Anthem's customers. Although the Anthem settlement appears to be an outlier, there have been a number of other notable data breach settlements in the past few years. In 2016 and 2017, Home Depot settled the class action lawsuits based on the breach it had suffered for $19.5 million. Similarly, in 2015 and 2016, Target paid $10 million to settle the data breach class action lawsuits.
Are these settlements coincidental, or are they part of a trend that is likely to continue? Although each data breach class action arises out of its own particular circumstances, there are a number of factors that seem to be contributing to these large settlements.
First, overall, more data breach class actions appear to be proceeding past challenges at the pleadings stage, although there are some exceptions in certain circuits. Prior to the last two years, the vast majority of courts dismissed data breach lawsuits for lack of subject matter jurisdiction because plaintiffs failed to allege concrete injuries that established Article III standing. Despite the breaches, many plaintiffs (and proposed class members) were not actual victims of identity theft. Instead, these plaintiffs relied on allegations that the breaches subjected them to an increased risk of becoming identity theft victims. The courts typically found such allegations too speculative to constitute harm sufficient to meet the constitutional requirements for standing.
A few circuits with large population centers still adhere to this position. In 2017, the Second (Whalen v. Michaels Stores, Inc.), Fourth (Beck v. McDonald) and Eighth (In re SuperValu, Inc. Customer Data Security Breach Litigation) Circuits all held that, to satisfy Article III's standing requirements and survive a motion to dismiss for lack of standing, data breach plaintiffs must allege an actual injury in the form of successful fraudulent charges on their existing credit or debit card accounts or the opening of new fraudulent accounts based upon their stolen personal information.
In contrast, the Sixth (Galaria v. Nat. Mut. Ins. Co.), Seventh (Lewert v. P.F. Chang's China Bistro, Inc.) and D.C. (Attias v. CareFirst, Inc.) Circuits have adopted a broader interpretation of what is required to establish standing in data breach cases. These Circuits have found that allegations that the personal information of plaintiffs was stolen in a data breach, resulting in a heightened risk of future identity theft, and that plaintiffs incurred mitigation costs in response to that increased risk, are sufficient to establish an injury for Article III standing. The Sixth and Seventh Circuits have also found that an offer by a company or organization to provide free identity fraud protection and credit monitoring services following a data breach can create an inference that the company recognizes that the risk of future harm from that breach is substantial. In these circuits, data breach complaints are more likely to survive a motion to dismiss for lack of standing.
Second, the class sizes of persons affected by data breaches seem to have increased in recent years. Three of the five largest data breaches of all time (Yahoo, with 3 billion user accounts; Adult Friend Finder, with 412.2 million accounts; and Equifax, with the personal information of 143 million accounts) have occurred in the last two years. The more customer information involved in a breach, the higher the costs associated with that breach typically are, including any settlement.
There are numerous reasons why the potential size of data breaches has grown. The amount of data online has grown exponentially in the past few years. More than 3.8 billion people are currently using the Internet. A 2016 IBM Marketing Cloud report estimates that these people are generating 2.5 quintillion bytes of electronic data every day. This staggering amount of available data (much of which organizations collect and store) greatly increases the scope of potential data breaches.
In addition, the potential sources of data breaches have also become more varied and advanced. Not only does the individual hacker continue to pose a threat, but the threat landscape has swelled to include criminal organizations, nation-states and ideologically motivated hacktivists. Given the significant potential return from a data breach, many of these threat actors have devoted considerable resources to developing increasingly sophisticated hacking tools and techniques.
Third, as data breaches have become larger, so has the number of parties seeking some type of redress for those breaches. A company that has suffered a data breach of its customer information must now face not only class action lawsuits from those customers but also potential investigations and enforcement actions from the Federal Trade Commission (FTC) and/or state attorney general and consumer protection offices.
In settling investigations or actions based on data breaches, the FTC typically does not impose a monetary penalty on the company that has been breached. Instead, the company and the FTC will agree to a consent order requiring the company to rectify any identified vulnerabilities or deficiencies, establish a comprehensive information security program and conduct annual or biannual assessments of its network security for a set period of time (which is usually 20 years). For example, after filing a complaint against Wyndham Worldwide Corp. for allegedly deficient security practices that purportedly led to three data breaches, the FTC did not fine Wyndham but instead settled the case with a consent order requiring Wyndham to establish a comprehensive security program designed to protect cardholder data, comply with Payment Card Industry (PCI) standards, and undergo third-party security assessments for 20 years.
In contrast, state attorney general and consumer protection offices typically seek monetary penalties in addition to remedial action on the part of the company that has suffered the breach. For instance, Hilton Worldwide recently settled an investigation by the New York and Vermont attorney general offices by agreeing to pay $700,000, improve its monitoring for potential threats and adhere to PCI standards. The settlement amount usually rises if more states are involved. In one of the largest settlements with state attorney general offices, Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into the 2013 data breach that it suffered.
The latest entrants into the data breach settlement arena have been banks and credit unions, which have brought lawsuits to recoup the damages that they suffered from data breaches, such as the cost to issue new payment cards to customers. Target agreed to pay $39.4 million to resolve claims by banks and credit unions resulting from its 2013 data breach. Home Depot also agreed to pay $25 million to resolve a putative class action brought by financial institutions that were allegedly harmed by Home Depot's 2014 data breach. The presence of so many claimants may be producing pressure for companies not only to settle but to settle for large dollar amounts.
Given the potential growth in the size of data breaches and corresponding settlements, the best thing that companies can do is to take preventative measures to increase the likelihood that breaches do not occur:
1. Companies should conduct frequent risk/security assessments and vulnerability scans/penetration testing to discover the deficiencies in their network security.
2. Companies should keep the operating system and other software on their systems constantly updated with the latest patches. Unpatched vulnerabilities in operating systems and software are a common entry point for malware.
3. Companies should vet the security of vendors that have access to the companies' IT systems. As the Target breach demonstrated, vendors can introduce vulnerabilities that allow malicious actors access to corporate networks.
4. Companies should employ up-to-date and multiple antivirus programs to maximize the likelihood of preventing a malware infection.
5. Organizations should educate all employees that unauthorized network intrusions often rely on malicious email attachments or links in phishing emails. Companies should train their employees to verify the legitimacy of an email before opening an attachment or clicking on a link in the email. They should also be trained to confirm any unusual instructions they might receive in what seems to be a legitimate email.
6. Organizations should not enable any macros that originate from email attachments. If a user opens an email attachment and enables a macro from the attachment, embedded code may execute malware.
7. Organizations should consider using an advanced email filtering solution to keep suspicious or malicious files in a “demilitarized zone” off the company's network.
8. Finally, organizations may wish to use application whitelisting, which lists the legitimate applications that may be run on a system but blocks other unauthorized programs. An ounce of prevention may go a long way to prevent the payment of a big settlement.
Hanley Chew is Of Counsel in the Litigation Group with Fenwick & West. He focuses his practice on privacy and data security litigation, counseling and investigations, as well as intellectual property and commercial disputes affecting high technology and data driven companies. Tyler Newby is a Partner in the Litigation Group and Co-Chair of the Privacy & Cybersecurity Group with Fenwick & West. He focuses his practice on privacy and data security litigation, counseling and investigations, as well as intellectual property and commercial disputes affecting high technology and consumer-facing companies.
© 2024 ALM Global, LLC, All Rights Reserved.