BreachExchange mailing list archives

The New Wave of Data Breach Settlements


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Apr 2015 18:29:24 -0600

http://www.jdsupra.com/legalnews/the-new-wave-of-data-breach-settlements-15765/

4.8 million. 10 million. 15 million. 25 million. Before 2014, these large
numbers were likely to represent the number of individuals affected by a
data breach. Today, they are the dollar figures that companies must spend
to put a breach in the past—and that’s just the cost of settlement. Lately,
companies have far exceeded these amounts—by the hundreds of millions of
dollars—before a settlement is even proposed.

Proof of Damages

Data breach settlements come in a wide variety of dollar amounts. Recently,
class action lawsuits and regulatory actions by the Federal Communications
Commission (FCC) have produced increasingly large settlements and fines. A
major hurdle facing class action plaintiffs seeking settlements in data
breach litigation has been the inability to prove damages. But the recent
settlement structure being used in courts today is demolishing this hurdle,
and while it’s capped, courts are now considering damages such as “lost
time” to protect against possible future financial harm as a basis on which
a plaintiff may recover.  Although proving damages to a class as a whole is
still burdensome for plaintiffs, the willingness of courts to accept
plaintiffs’ individualized damages alongside consumers’ documentation of
any damages elevates settlement amounts.  Moreover, with the increasing
reliance on technology, these damages are more likely to be automatically
recorded—meaning that plaintiffs do not need to be as shrewd with
documentation.

The Structure of Data Breach Settlements

The new wave of data breach settlements are often structured so that a
company must put a set amount in an escrow account. The amount is first
offered to plaintiffs who have documented damages. These often include
damages such as charges to stolen credit or debit accounts resulting from
the breach, higher interest rates on plaintiffs’ accounts due to
unauthorized charges, costs related to checking and correcting plaintiffs’
credit reports, time off work to remedy the results from the breach, and
fees associated with replacement of accounts or identification cards.
Plaintiffs are still required to show “reasonable documentation” relating
to one of the aforementioned expenses in order to be eligible to recover
their damages. Some courts have capped these damages per plaintiff.

In some cases, once all plaintiffs with documented damages have been paid,
consumers without damages or reasonable documentation will sign a form and
split the remaining funds. While the remaining funds may be a small amount
on an individual scale (depending on the class size of individuals exposed
to the breach), it may be a large amount for companies. As courts continue
to take into consideration the number of class members before approving a
proposed settlement amount, the amounts companies must pay out have been on
the upswing.

Regulatory Action: The Federal Communications Commission

As for regulatory actions, the FCC is now fining companies massive amounts
for data breaches. The FCC has clearly stated that it has only begun to
exercise its power in this area and it will not take any data breach
lightly or at a low cost to the company. As FCC Chairman Tom Wheeler stated
last week, the Commission is now openly exercising its “full authority
against companies that fail to safeguard the personal information of their
customers.” As data breaches continue to be on the rise, companies should
expect to face regulatory action resulting in fines.

Nonmonetary Damages

The new wave of data breach settlements isn’t always focused on monetary
damages. Data breach settlements often impose nonmonetary measures on
companies, including

requirements to strengthen electronic security to better protect customers’
data or to take preventive actions to secure data,
mandatory security training for employees,
appointment of C-suite level security officer positions,
documentation of written security policies and programs, and
payment for continuous credit monitoring for customers.


After complying with these mandatory settlement measures, companies are
faced with permanent costs to maintain the new status quo, even after the
litigation is settled.

Related Litigation From Financial Institutions

Companies faced with data breach litigation also face separate lawsuits
from each financial institution affected by the breach, thus leaving
companies open to a multitude of lawsuits stemming from each data breach.
These lawsuits focus on the expenses banks and other financial institutions
are facing related to data breaches, as banks and credit card companies
often absorb identity theft and other data breach related costs.
Recently, companies have settled these suits for upwards of $20 million.
However, these settlements come only after months of lengthy negotiations,
producing even more legal fees.

How to Control Costs Related to Data Breaches

There are steps companies can take to decrease or even eliminate some of
these costs before a breach occurs. Proactive and preventive measures on
the front end act as an insurance policy in the unfortunate event of a data
breach. And while the future of data breach litigation remains uncertain,
two things remain inevitable: the increasingly astronomical costs
associated with defending the breach and the increasingly low patience of
courts and the FCC towards companies that choose not to strategically and
aggressively take preventive measures towards securing data prior to a
breach. Implementation of data policies, security precautions, and training
prior to a breach are vital for a company’s success in today’s
litigation-friendly climate. When it comes to handling data breach
litigation and settlements, you must catch the wave before the wave catches
you.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
