The Class Action Litigation Consequences of Business Email Compromise Attacks
A look inside the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.
February 22, 2018 at 10:00 AM
In the past couple of years, business email compromise (BEC) attacks have dramatically increased. As a result, corporate victims of BEC attacks have been increasingly subject to class action litigation on behalf of their employees or customers whose information may have been accessed or disclosed in the BEC attack. This article examines the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.
Likelihood and Success of Litigation
BEC attacks can take many forms, but one of the most prevalent forms involves an email scam designed to obtain employee tax return information. These attacks, known as W-2 phishing attacks, have triggered the majority of the class action litigation relating to BEC attacks and therefore provide a useful basis for analyzing potential litigation from all forms of BEC attacks.
In a W-2 attack, a third party typically sends company employees an email that appears to be from a company executive. The email will likely ask the employee to reply with the Form W-2 of every company employee, and the employee often complies with the request. Attackers seek employee W-2 forms because information such as the employee's Social Security number and tax withholding can be used to perpetrate fraud against company employees, including identity theft, the filing of fraudulent tax returns, and the opening of fake bank accounts or credit cards. Since 2016, over 375 companies have disclosed that they were the victims of successful W-2 attacks.
Despite the large number of apparently successful W-2 attacks, the total number of class action lawsuits stemming from W-2 attacks is relatively low—only 18 such lawsuits have been identified. While several factors might contribute to a decision to file (or not file) a lawsuit, all 18 of these cases have been filed since the beginning of 2016, suggesting that class action litigation resulting from BEC attacks might continue to become more frequent. Following public disclosure of a W-2 attack, companies can expect potential class action litigation to be filed relatively quickly (if filed at all), with over 40 percent of such cases being filed within six weeks of public disclosure.
Companies can also expect that class action litigation related to a W-2 attack will be filed in federal court, which has occurred in over 75 percent of such cases. Of these cases, courts have ruled on a motion to dismiss in only five cases, with other cases being in the early stages of litigation or having been voluntarily stayed, settled, or dismissed. Consistent with recent decisions in other types of class action data breach litigation, such as Attias v. CareFirst, Inc., the majority of courts that have ruled on a motion to dismiss in the W-2 class action context have found that the plaintiffs had Article III standing.
Notably, an increased risk of fraud or harm was found to be sufficient for standing, and plaintiffs were not always required to have pleaded any out-of-pocket losses. In the one instance where the court granted a motion to dismiss for lack of standing, the plaintiff's complaint had failed to adequately distinguish her injuries from those of the class. The plaintiff, however, promptly filed an amended complaint to address this error and the defendant elected to file an answer rather than another motion to dismiss. Thus, W-2 class action litigation is not likely to be easily dismissed on standing grounds.
After finding that plaintiffs had Article III standing, courts have examined whether plaintiffs have adequately pleaded their common law claims, such as negligence, breach of implied contract, and invasion of privacy, and their state statutory claims, such as claims under unfair and deceptive trade practices acts or unfair competition laws. In every W-2 class action involving a motion to dismiss, courts have found that plaintiffs have adequately pleaded at least one claim. The most common surviving causes of action are negligence and breach of implied contract, while courts have typically dismissed claims based on negligence per se, breach of contract, and invasion of privacy. Companies have thus had little success in dismissing such class actions in the early stages of litigation.
Settlements
Five of the federal court class actions relating to W-2 attacks have either settled or are pending court approval of a proposed settlement. In addition to attorneys' fees, the settlements typically consist of two components: two years of identity theft protection services, and out-of-pocket costs incurred by class members, such as the cost of self-purchased identity theft protection, costs paid to accountants or attorneys to assist in resolving tax fraud, or overdraft fees paid to financial institutions as a result of the BEC attack. Settlement documents typically estimate that the value of the identity theft protection offer is $350 to $500 per person, based on what it would cost a consumer to purchase the same services directly from the identity theft protection vendor, although a company might be able to negotiate a lower cost per person for the hundreds or thousands of individuals whose information was the subject of the BEC attack.
Reimbursements for out-of-pocket costs are usually handled in one of two ways. In some cases, class members are allowed to seek reimbursement up to a fixed amount, which usually ranges from $3,500 to $5,000 per person. In other instances, the reimbursement of out-of-pocket costs is subject to a cap that varies based on the type of cost at issue. For example, the settlement of Whitehead v. Advance Stores Company Inc. provided up to $750 for those individuals who were a victim of tax fraud and paid a tax preparer or attorney to notify the IRS or assist in resolving the tax fraud. That same settlement provided up to $1,250 for victims of identity theft who experienced unreimbursed payment card charges or who otherwise paid fees to a financial institution due to the BEC attack.
These settlement costs suggest that companies could pay tens of millions to settle a W-2 class action. For example, in Castillo v. Seagate Technology LLC, Seagate's exposure from the identity theft protection offer alone was reported to be $5.75 million, based on the retail cost of providing two years of identity theft protection to all potential class members (~$480 per person multiplied by 12,000 potential class members). If potential out-of-pocket costs are also included, Seagate's total potential exposure from the settlement would increase by an additional $42 million ($3,500 per person multiplied by 12,000 potential class members).
Despite gaudy maximum settlement values, companies that are victims of W-2 attacks are unlikely to pay the maximum allowed under a settlement agreement. This is because settlements typically require class members to sign up for the identity theft protection services and to submit documentation of their out-of-pocket expenses, and in each case the rate of class member participation is typically quite low. As an example, the Advance Stores settlement yielded claims from only 39 class members (and 9 class members opted out), out of a possible 101,400 affected individuals. Likewise, one of the largest credit card data breaches ever involved a class of over 100 million cardholders, but resulted in the submission of only 290 claims, 11 of which the company estimated were valid (In re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation). In addition to low participation rates, another reason companies usually do not pay the maximum allowed by a settlement is that the dollar amount of the out-of-pocket claims in W-2 and data breach cases is usually far below the maximum allowed by settlement agreements.
Conclusion
Successful BEC attacks, such as W-2 attacks, are more likely than ever to trigger class action litigation. Such litigation is likely to be filed in federal court and companies have not experienced much success in dismissing such suits in their early stages. Settlements typically include high costs per class member, but such costs might be mitigated by a low rate of participation in the settlement by class members.
With several other W-2 class actions currently pending, these trends appear unlikely to reverse themselves in the near term. Consequently, companies should consider enhancing employee training and technological tools to detect and prevent successful BEC attacks. In addition, companies should consider obtaining cybersecurity insurance to cover the investigation, remediation, litigation, and/or settlement costs from a successful BEC attack.
Sunil Shenoi, Seth Traxler and Gianni Cutri are partners at Kirkland & Ellis LLP and advise clients on a variety of data security issues, including responding to data security incidents, representing clients in data security litigation, and counseling clients on data security diligence.