We spend a lot of time helping our clients estimate the very real costs of dealing with data breaches. Notifying customers about the breach? $1/record. Offering credit monitoring to impacted customers? $10/person with a 10 percent to 20 percent take-up rate. Reimbursing banks for the cost of re-issuing credit cards? $3/card.
There are a number of calculators offered by cyber liability insurers that do a reasonable job of predicting those costs based on the number and type of records that a company might lose.
Prior to 2014, however, there was very little data on the cost of resolving lawsuits by those customers following a breach. That’s because prior to 2014, virtually every consumer lawsuit arising out of a data breach had been thrown out of court.
Without a legal victory, plaintiffs did not have the leverage to win settlements in other cases. We began to wonder if plaintiffs would stop bothering to sue companies in the wake of data breaches.
We didn’t have to wonder for very long. The year 2014 brought six notable settlements in data breach cases, a troubling development for companies trying to estimate their risk exposure. Now that a few companies have settled, plaintiffs will be emboldened to bring more suits.
Let’s take a brief look at these six cases that involved victim settlements: AvMed (FL), Stanford University (CA), Schnucks (MO), Sony (NY), Vendini (CA) and LinkedIn (CA).
In the AvMed case, more than 1 million Social Security numbers and health records were compromised due to two stolen, unencrypted laptops – not an internal data breach. This resulted in a $3.1 million settlement fund.
The 460,000 individuals will receive $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement explains that amount represents what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment.
Those who were victims of identity theft as a result could pursue additional monetary reimbursement.
Stanford Hospital & Clinics
Twenty thousand health records were impacted in this case, which was recently settled for $4.1 million. Stanford and its HIPAA business associate, Multi-Specialty Collection Services LLC, were charged with misuse of data when patient information was discovered on a website that enables students to pay for schoolwork aid.
In California, the Confidentiality of Medical Information Act allows patients to bring action against entities that have compromised patient records and seek nominal damages of $1,000 without any proof of damage.
In this case, patients will receive $100 each. In addition, the hospital will have to fund a 2-year program to train its vendors on how to protect patient records.
Schnuck Markets Inc.
A 2012 to 2013 cyber attack left malicious code on Schnucks’ computer systems, allowing hackers to obtain magnetic strip data for more than 2.4 million credit and debit cards. The resulting class action litigation was settled for $2.1 million in August 2014.
Data breach victims are entitled to up to $200 in reimbursement for out-of-pocket expenses and lost time due to the breach. Those who suffered extraordinary monetary losses could receive up to $10,000.
This online ticket seller created a $3 million settlement fund to resolve litigation with 3 million victims of a 2013 data breach. Individuals can claim reimbursement for identity theft losses up to $3,000, and be compensated for unreimbursed expenses related to the breach of up to $1,000.
From the lawsuit’s website FAQs:
The Action alleges that Vendini allowed unauthorized third-party access to its databases and to customers’ Personal Identification Information (defined as including names, mailing addresses, e-mail address, phone numbers, and credit card numbers and expiration dates.)
Sony’s highly public 2011 battle with hacktivist groups led to a data breach involving 77 million users of their PlayStation Network. Although a California federal judge significantly narrowed plaintiffs’ claims in the resulting class action litigation, Sony ultimately agreed to settle the remaining claims for $15 million.
LinkedIn’s 2012 data breach resulted in user names and passwords being compromised for more than 6 million users. But the $1.25 million settlement fund only applies to the 800,000 individuals who had a paid for a premium subscription to LinkedIn, and they can claim up to $50 each.
A California court initially dismissed the litigation in 2013, on the basis that the plaintiffs had not shown the victims suffered any economic harm. Plaintiffs then re-filed the case, alleging that LinkedIn made misrepresentations about the level of security in their product. LinkedIn decided to settle after failing to get the amended complaint dismissed.
The following figure shows data breach class actions and settlements involving payment to breach victims:
The Real Winners? Plaintiffs’ Attorneys
With many of the settlements outlined here, my guess is that we will see very few people claim the money. The amounts are too small to bother with in some cases, or it will be difficult for people to document expenses related to the breach. But the money will still be paid into the settlement fund, regardless.
What happens to that money if it goes unclaimed? In most settlement funds, unclaimed dollars are donated to charity. In the case of Vendini, the funds will be distributed “to charities whose primary mission is aimed at protecting consumers’ privacy on the Internet.”
For LinkedIn, it will be divided among the Center for Democracy & Technology; World Privacy Forum and Carnegie Mellon CyLab Usable Privacy and Security Laboratory.
Of course, the lawyers will get their slice, too. The Schnucks attorneys will get up to $635,000 plus expenses. The Sony attorneys will do even better – up to $2.75 million. Those numbers will help fund future cases against the next companies unlucky enough to experience a highly public data breach.
Implications for Insurance Coverage
These new cases are establishing a baseline for what data breach class action litigation might cost to resolve, and is starting to lend some statistical weight to the estimates for settlement costs in data breach models.
In evaluating your total exposure to a data breach, it’s no longer safe to discount the possibility that you might have to spend millions to settle class action litigation, on top of the millions you spend responding to the breach and dealing with regulators.
As we’ve discussed in previous Cyber 101 posts, cyber insurance will cover both categories of costs. So if you are already buying cyber insurance, the question now becomes, “Do we have enough?”
And if you are not buying cyber insurance, be aware that the risk you are self-insuring may now be significantly larger.