Data Breach Class-Action Suits to Become More Costly and Common

By: Arieanna Schweber | 3/17/2016

Data breaches are costly, and those costs are rising. Organizations today face a rising number of regulators issuing fines, above and beyond those at the State or Federal level or imposed by laws such as HIPAA and the GrahamLeach-Bliley Act. We’ve seen the FCC step up data security enforcement, as well as the SEC and FTC both stepping up their game. Given the global nature of many organizations, laws such as the EU GDPR even have their impact on US organizations.

Post-breach, whether an organization is found exempt of regulatory fines or not, they still face liabilities in the form of class-action suits. As we discussed earlier this year, class-action suits are now considered a “standard” post-breach experience for organizations. Examining a number of such lawsuits, SearchSecurity writer Olivia L. Eckerson notes a troubling trend: the costs of data breaches are on the rise.

None of the major data breach lawsuits have gone to trial, but many have resulted in expensive settlements paying out to customers, employees, banks or credit card companies. By examining these figures, when they are disclosed, it’s clear that the “financial costs of preventing and dealing with security incidents appears to be growing,” with these settlements on the rise.

Some class action suits take years to resolve, itself a costly procedure, others are dealt with quickly in an attempt to escape the media spotlight - this is particularly true if a company is obviously negligent in their security preparedness. The cost of the settlement appears to be higher when the value of the data stolen is higher; sensitive information such as names, addresses, Social security numbers and medical information would lead to a higher settlement than password data, for example. The largest pending class-action lawsuit is against extramarital affairs website Ashley Madison, which faces a $578 million suit from two Canadian law firms.

The recent settlement with AvMed, in which no ascertainable damage has occurred, sets the bar lower for class actions to proceed. The logic was that customers shouldn’t have to wait for fraud or identity theft in order to prove injuries, as it is “objectively reasonable” that such damages will occur following a breach. It’s likely that this will lead to even more class action lawsuits in the future.

Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, has created a complex environment for IT data security. Learn how Absolute can help your organization navigate the choppy regulatory landscape and to mitigate data security risks here.

Financial Services