How and why data breach lawsuits are settled
For all of the talk about data breach class action lawsuits, virtually none of them reach a courtroom. Here's why and how data breach lawsuits almost always end in settlements.
Editor's note: This is part two of a series on data breach lawsuits. Part one examines how the value of personal data is assessed for lawsuits.
When it comes to class action data breach lawsuits, it's a near certainty they'll be settled before they ever reach a courtroom.
Despite the rising number of data breaches and resulting lawsuits, Morgan & Morgan attorney John Yanchunis, who leads the class action team there, said that as far as he knows, there hasn't been a case taken to trial yet.
Yanchunis' firm has handled plaintiffs' claims for a number of major cases, including Equifax and Yahoo. The firm is also currently suing Facebook for the Cambridge Analytica scandal. The reason companies settle, he said, is that "there are tremendous risks to a company facing a data breach to take a case to trial. I think for one thing, the potential for damages -- the public perception that a company doesn't care about the privacy of consumers and therefore are willing to say 'go try it.' I think that's bad public relations."
David Berger, partner at Gibbs Law Group LLP, has also worked on several data breach lawsuits, including Equifax, and said in general, only about 2% of overall lawsuits go to trial in the federal court system. He also said data breach lawsuits are relatively new territory.
"You're still looking at a relatively small sample size when you're looking at litigated data breach cases," Berger said. "It's a new area of practice and there just aren't that many that really get that far."
Avoiding risk
Berger agreed with Yanchunis' point that breached companies want to avoid potentially making a bad PR situation even worse in a public trial, adding that it would not look good to see it get out that a company has poor security. He said he's seen "appalling security lapses" at the companies that have been breached, and those lapses are usually easy even for non-technical people to understand.
"Often, data breach defendants like to portray themselves as the victims of criminal acts, and there certainly have been [cases like that]. But I have yet to see a situation where I've gotten into a case I say, 'Oh my gosh, how did these hackers ever break in?' That is not my experience at all, and I've been around the block on these cases," Berger said. "The hackers are looking for low-hanging fruit, and the companies that get breached are the ones that have poor security so there's a lot of risk for them to continue because their executives and directors and higher-ups who make decisions about settling cases do not want to see the bad press that's going to come their way."
But the benefit of settling data breach lawsuits doesn't just apply to defendants. Berger said plaintiffs also face potential risk with class certification motions, which are approved by a judge to allow multiple claims against a breached organization to be grouped into a class action lawsuit.
"It's true that a lot of data breach cases are settled before the class is certified. And as part of the settlement the parties will ask that the court certify the class and then approve the settlement. And I think the reason they settle at that point is that there are huge risks for both sides going forward," Berger said. "It's a new area of law. Very few cases have gone to class certification and so there's a lot of uncertainty in what the courts are likely to rule. If you lose a class certification motion, it definitely reduces the value of the case and the value of any recovery you can get dramatically. Similarly, if the motion is granted, it increases that value, and it's kind of a good risk point."
As an example, Yanchunis cited the Cambridge Analytica lawsuit against Facebook, which he said could potentially be the first such suit to go to court. "We've briefed a motion for class certification," he said. "The judge also has indicated that this decision has been upheld that he won't consider settlement until he decides class certification."
How settlements work
Both plaintiffs and defendants in data breach lawsuits are incentivized to settle. How, then, do they determine how much money to settle for? Yanchunis said that it's a question of the type of the information that was exposed or stolen, how it was taken and how the company responded to the data breach.
In other words, stolen credit card numbers may result in different damages than stolen W-2s or stolen passwords, and even the same types of data may produce different damages depending on the scale of the breach and the security lapses of the organization. (See part one of this series for more on how the value of personal data is assessed.)
Data breach settlements also differ depending on whether or not there is a cap on damages. Sometimes, there's a capped fund for victims, meaning that a company will only have to pay up to a certain amount and the fund (say $300 million) is divided between everyone in the class action suit. In other cases, there may be no cap, so a company would have to pay a certain amount of money per affected individual, no matter how much that ends up being.
"If it is a capped fund, it is based on, again, experience in knowing that in the wake of a data breach, people in a certain percentage are affected, so we try to measure that based on the amount of expected injury to a percentage of the class," Yanchunis said. "In the cases where there are no caps, merely it's the form of relief and the company will agree to pay whatever the damages ultimately claimed by the consumers are."
Data breach settlements as deterrents
It can be expensive to settle a data breach lawsuit. For example, Equifax's 2017 data breach exposed the personal data of nearly 150 million people, and both security experts and the U.S. government have roundly criticized the credit rating agency for its weak security practices. The class action lawsuit against Equifax resulted in damages and penalties to the tune of several hundred million dollars; the company could pay as much as $700 million to resolve legal action from consumers, the U.S. Federal Trade Commission and state attorneys general.
Still, it's unclear how much Equifax's security posture has improved in the aftermath of the breach, and while the financial penalties were steep, the company's stock price has rebounded to a five-year high in August. In light of such cases, privacy and security professionals say the settlements -- even expensive ones -- don't do much to prevent future data breaches.
"We have said that we don't think the Equifax settlement will deter future breaches," a spokesperson for the Electronic Frontier Foundation (EFF) said.
The spokesperson also referenced a blog post by the EFF that argued better privacy laws, not data breach lawsuits, are better deterrents for lax data security. "There is no comprehensive federal privacy law, much less one with the kind of teeth that could push companies to invest in information security the way they invest in, say, compliance with securities law," EFF wrote in the post.
Digital Guardian senior threat hunter Harlan Carvey agreed and said legislation would likely be the most expeditious way to deter future breaches and incentivize enterprises to better protect users' personal data.
"In our litigious society, the quickest way to effect change is through legislation. Should someone take steps to secure the personally-identifiable data on which they built their business model? Yes. Do they, without legislation requiring them to do so? No," Carvey said. "As sad as it is to say this, the cost associated with a breach, just in fines alone, needs to be significant enough that the preferred solution is to take a proactive stance."
Carvey pointed to Equifax, which posted $3.36 billion in 2017 revenue, as an example of how small regulatory fines can be for large enterprises. "Had they been subject to GDPR, the fine, just for the breach, would've been on the order of $134 million," Carvey said. "$134 million versus installing a patch, or changing network device passwords from the default -- is that enough to effect change?"