data breach cybersecurity

In June 2017, Anthem, Inc. agreed to pay a record $115 million to settle class action lawsuits stemming from a 2015 data breach that involved the personal information of nearly 80 million of Anthem's customers. Although the Anthem settlement appears to be an outlier, there have been a number of other notable data breach settlements in the past few years. In 2016 and 2017, Home Depot settled the class action lawsuits based on the breach it had suffered for $19.5 million. Similarly, in 2015 and 2016, Target paid $10 million to settle the data breach class action lawsuits.

Are these settlements coincidental, or are they part of a trend that is likely to continue? Although each data breach class action arises out of its own particular circumstances, a number of factors seem to be contributing to these large settlements.

First, overall, more data breach class actions appear to be proceeding past challenges at the pleadings stage, although there are some exceptions in certain circuits. Prior to the last two years, the vast majority of courts dismissed data breach lawsuits for lack of subject matter jurisdiction because plaintiffs failed to allege concrete injuries that established Article III standing. Despite the breaches, many plaintiffs (and proposed class members) were not actual victims of identity theft. Instead, these plaintiffs relied on allegations that the breaches subjected them to an increased risk of becoming identity theft victims. The courts typically found such allegations too speculative to constitute harm sufficient to meet the constitutional requirements for standing.

A few circuits with large population centers still adhere to this position. In 2017, the Second (Whalen v. Michaels Stores, Inc.), Fourth (Beck v. McDonald) and Eighth (In re SuperValu, Inc. Customer Data Security Breach Litigation) Circuits all held that, to satisfy Article III's standing requirements and survive a motion to dismiss for lack of standing, data breach plaintiffs must allege an actual injury in the form of successful fraudulent charges on their existing credit or debit card accounts or the opening of new fraudulent accounts based upon their stolen personal information.

In contrast, the Sixth (Galaria v. Nat. Mut. Ins. Co.), Seventh (Lewert v. P.F. Chang's China Bistro, Inc.) and D.C. (Attias v. CareFirst, Inc.) Circuits have adopted a broader interpretation of what is required to establish standing in data breach cases. These Circuits have found that allegations that plaintiffs' personal information was stolen in a data breach, resulting in a heightened risk of future identity theft, and that plaintiffs incurred mitigation costs in response to that increased risk, establish an injury sufficient for Article III standing. The Sixth and Seventh Circuits have also found that an offer by a company or organization to provide free identity fraud protection and credit monitoring services following a data breach can create an inference that the company itself recognizes that the risk of future harm from that breach is substantial. In these circuits, data breach complaints are more likely to survive a motion to dismiss for lack of standing.

Second, the class sizes of persons affected by data breaches seem to have increased in recent years. Three of the five largest data breaches of all time—Yahoo (3 billion user accounts), Adult Friend Finder (412.2 million accounts), and Equifax (personal information of 143 million accounts)—have occurred in the last two years. The more customer information a breach involves, the higher the costs associated with that breach, including any settlement, will typically be.

There are numerous reasons why the potential size of data breaches has grown. The amount of data online has grown exponentially in the past few years. More than 3.8 billion people are currently using the Internet. A 2016 IBM Marketing Cloud report estimates that these people are generating 2.5 quintillion bytes of electronic data every day. This staggering amount of available data (much of which organizations collect and store) greatly increases the scope of potential data breaches.

In addition, the potential sources of data breaches have also become more varied and advanced. Not only does the individual hacker continue to pose a threat, but the threat landscape has swelled to include criminal organizations, nation-states and ideologically motivated hacktivists. Given the significant potential return from a data breach, many of these threat actors have devoted considerable resources to developing increasingly sophisticated hacking tools and techniques.

Third, as data breaches have become larger, so has the number of parties seeking some type of redress for those breaches. A company that has suffered a data breach of its customer information must now face not only class action lawsuits from those customers but also potential investigations and enforcement actions from the Federal Trade Commission (FTC) and/or state attorney general and consumer protection offices.

In settling investigations or actions based on data breaches, the FTC typically does not impose a monetary penalty on the company that has been breached. Instead, the company and the FTC agree to a consent order requiring the company to rectify any identified vulnerabilities or deficiencies, establish a comprehensive information security program and conduct annual or biannual assessments of its network security for a set period of time (usually 20 years). For example, after filing a complaint against Wyndham Worldwide Corp. for allegedly deficient security practices that purportedly led to three data breaches, the FTC did not fine Wyndham but instead settled the case with a consent order requiring Wyndham to establish a comprehensive security program designed to protect cardholder data, comply with Payment Card Industry (PCI) standards, and undergo third-party security assessments for 20 years.

In contrast, state attorney general and consumer protection offices typically seek monetary penalties in addition to remedial action on the part of the company that has suffered the breach. For instance, Hilton Worldwide recently settled an investigation by the New York and Vermont attorney general offices by agreeing to pay $700,000, improve its monitoring for potential threats and adhere to PCI standards. The settlement amount usually rises if more states are involved. In one of the largest settlements with state attorney general offices, Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into the 2013 data breach that it suffered.

The latest entrants into the data breach settlement arena have been banks and credit unions, which have brought lawsuits to recoup the damages that they suffered from data breaches, such as the cost of issuing new payment cards to customers. Target agreed to pay $39.4 million to resolve claims by banks and credit unions resulting from its 2013 data breach. Home Depot also agreed to pay $25 million to resolve a putative class action brought by financial institutions that were allegedly harmed by Home Depot's 2014 data breach. The presence of so many claimants may be producing pressure on companies not only to settle but to settle for large dollar amounts.

Given the potential growth in the size of data breaches and corresponding settlements, the best thing that companies can do is to take preventive measures that reduce the likelihood of a breach occurring in the first place:

1. Companies should conduct frequent risk/security assessments and vulnerability scans/penetration testing to discover the deficiencies in their network security.

2. Companies should keep the operating system and other software on their systems constantly updated with the latest patches. Unpatched vulnerabilities in operating systems and software are a common entry point for malware.

3. Companies should vet the security of vendors that have access to the company's IT systems. As the Target breach demonstrated, vendors can introduce vulnerabilities that allow malicious actors access to corporate networks.

4. Companies should employ multiple, up-to-date antivirus programs to maximize the likelihood of preventing a malware infection.

5. Organizations should educate all employees that unauthorized network intrusions often rely on malicious email attachments or links in phishing emails. Companies should train their employees to verify the legitimacy of an email before opening an attachment or clicking on a link in it. Employees should also be trained to confirm any unusual instructions they receive in what appears to be a legitimate email.

6. Organizations should not enable any macros that originate from email attachments. If a user opens an email attachment and enables a macro in it, the embedded code may execute malware.

7. Organizations should consider using an advanced email filtering solution to keep suspicious or malicious files in a “demilitarized zone” off the company's network.

8. Finally, organizations may wish to use application whitelisting, which permits only the listed legitimate applications to run on a system and blocks all other, unauthorized programs. An ounce of prevention may go a long way toward avoiding the payment of a big settlement.

Hanley Chew is Of Counsel in the Litigation Group with Fenwick & West. He focuses his practice on privacy and data security litigation, counseling and investigations, as well as intellectual property and commercial disputes affecting high technology and data-driven companies. Tyler Newby is a Partner in the Litigation Group and Co-Chair of the Privacy & Cybersecurity Group with Fenwick & West. He focuses his practice on privacy and data security litigation, counseling and investigations, as well as intellectual property and commercial disputes affecting high technology and consumer-facing companies.