
Security experts have been warning us for years. As former FBI Director Robert Mueller said, “There are only two types of companies: those that have been hacked and those that will be.”

Data breaches are no longer rare events. In today’s digital environment, every company is at risk of being hacked. And if you’re hacked, you’re likely to face a class action lawsuit. Even companies that do “everything right” aren’t immune. 

Class Action Risk is Universal

Every company, regardless of size, industry, or security maturity, is a target. Well-known, well-financed companies across multiple industries have been caught up in significant lawsuits. In the past few years, the headlines have been relentless. From telecom giants to healthcare providers, no sector is immune.

In 2021, T-Mobile fell victim to a breach affecting approximately 100 million customers. A number of class action suits were filed, mostly alleging that T-Mobile's negligence left customers open to identity theft.

Capital One agreed to a $190 million settlement after a 2019 breach impacting 106 million customers in the U.S. and Canada.

TikTok agreed to pay out $92 million to users who claimed that the social platform committed privacy violations. TikTok allegedly collected and stored user data without proper notice or request for consent.

Equifax had to pay out a whopping $380.5 million after a 2017 data breach that affected 147 million individuals. As part of the settlement, the company was also ordered to spend at least $1 billion to improve its security. 

Healthcare institutions and related businesses are especially vulnerable to breaches and ensuing lawsuits. These breaches are problematic because not only is personal data and financial information stolen, but medical records are also compromised.

Patients of New Mexico’s San Juan Regional Medical Center filed a class action suit against the hospital after a 2020 data breach that exposed the private info of nearly 69,000 individuals.

Excellus Blue Cross Blue Shield paid a settlement to customers after they claimed the company waited too long to disclose a 2015 breach. The insurer admitted no wrongdoing but paid a $5.1 million fine to the Office of Civil Rights and the U.S. Department of Health and Human Services.

From Breach to Lawsuit: The Litigation Pipeline

A recognizable pattern has developed around security breaches. The breach occurs and customers or users are notified. Within weeks or even days, class action lawsuits (usually more than one) are filed. Plaintiffs allege negligence, privacy violations, breach of contract, or other violations of data protection laws.

How does the average person involved in a breach act so quickly? Back in the day, opportunistic attorneys “chased ambulances” to find clients with potential injury lawsuits to file. In the 21st century, plaintiffs’ firms track breaches and aggressively recruit clients. 

Why Settlements Dominate Over Going to Court

When a business suffers a breach, the damage ripples outward in a massive blast radius. Operations are interrupted, reputations are damaged, trust is eroded, and costs from breach remediation pile up quickly. The end goal of every action taken after a breach is a rapid return to business as usual.

With that goal in mind, businesses make cost-benefit calculations. When a class action suit looms, the legal fees and ongoing business disruptions have an unknown dollar figure associated with them. Choosing to settle outside of the courts usually has a fixed, known price. The cost may be painful in the short term, but resuming business as usual is often worth it. 

And it’s not just internal decision-makers looking to settle. Cybersecurity insurers often push to stay out of court. For them, too, predictability is preferable to prolonged uncertainty.

The Slim Odds of a Dismissal

Recent cases against Blackbaud and against a defendant in Arizona were dismissed by the courts. They serve as rare examples of when fighting a class action suit may be worth the legal fees.

A $5 million suit involving over 150,000 class members was recently dismissed in the U.S. District Court for Arizona. The defendant was the victim of a debilitating ransomware attack carried out by a criminal gang. The court found that the plaintiffs had failed to demonstrate sufficient injuries to confer standing on the proposed class. The court also held that the plaintiffs failed to substantiate negligence claims or violation of the Arizona Consumer Fraud Act.

Cloud services provider Blackbaud suffered a data breach and ransomware attack in 2020 that exposed the data of more than 1.5 billion people. A federal court rejected a class action suit related to the incident because the plaintiffs failed to demonstrate ascertainability, meaning it was not administratively feasible to identify who belonged in the class. The lawsuit, as structured, could not move forward. Unfortunately for Blackbaud, some claims filed under the California Consumer Privacy Act (CCPA) were allowed to continue.

Practical Steps to Reduce Litigation Risk

Full dismissals are rare in data breach lawsuits. To strengthen your organization's chances of avoiding a costly settlement or a protracted court case, a broad and deep approach is required. It also helps to have a paper trail demonstrating that reasonable care was taken.

Before a breach:

  • Understand and comply with data protection laws (HIPAA, CCPA, GDPR, etc). Demonstrating compliance with recognized standards can be a critical defense in court.
  • Conduct regular security audits and compliance reviews. Use internal teams or third-party assessors. Audit reports can prove that you weren’t negligent.
  • Manage vendor/supply chain risks. Vet vendors for cybersecurity posture and include breach notification clauses in contracts.

During a breach:

  • Execute a documented incident response plan. Clear steps reduce chaos, speed containment, and demonstrate due diligence to regulators. 
  • Engage legal counsel immediately. Early legal guidance ensures that you meet all reporting requirements.
  • Be transparent with stakeholders. Speed of messaging matters. Delays in disclosure often form the basis of negligence claims.

After a breach:

  • Conduct and document post-incident reviews. These records show what you learned from the event and that you took corrective action.
  • Implement security improvements required by settlements before they’re mandated. Being proactive can mitigate damages and strengthen your public position.

Planning for the Inevitable

The odds of a hack are startlingly high. More than 80% of small and mid-size businesses experienced a breach of some kind in 2023. Ensuing lawsuits are likely and settlements are extremely common. Robust preparation and a well-executed response plan can limit both reputational and financial damage. 

If you need help preparing for a breach, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.