4.8 million. 10 million. 15 million. 25 million. Before 2014, these large numbers were likely to represent the number of individuals affected by a data breach. Today, they are the dollar figures that companies must spend to put a breach in the past—and that’s just the cost of settlement. Lately, companies have far exceeded these amounts—by the hundreds of millions of dollars—before a settlement is even proposed.
Proof of Damages
Data breach settlements come in a wide variety of dollar amounts. Recently, class action lawsuits and regulatory actions by the Federal Communications Commission (FCC) have produced increasingly large settlements and fines. A major hurdle facing class action plaintiffs seeking settlements in data breach litigation has been the inability to prove damages. But the recent settlement structure being used in courts today is demolishing this hurdle, and while it’s capped, courts are now considering damages such as “lost time” to protect against possible future financial harm as a basis on which a plaintiff may recover. Although proving damages to a class as a whole is still burdensome for plaintiffs, the willingness of courts to accept plaintiffs’ individualized damages alongside consumers’ documentation of any damages elevates settlement amounts. Moreover, with the increasing reliance on technology, these damages are more likely to be automatically recorded—meaning that plaintiffs do not need to be as shrewd with documentation.
The Structure of Data Breach Settlements
The new wave of data breach settlements is often structured so that a company must put a set amount in an escrow account. The amount is first offered to plaintiffs that have documented damages. These often include damages such as charges to stolen credit or debit accounts resulting from the breach, higher interest rates on plaintiffs’ accounts due to unauthorized charges, costs related to checking and correcting plaintiffs’ credit reports, time off work to remedy the results from the breach, and fees associated with replacement of accounts or identification cards. Plaintiffs are still required to show “reasonable documentation” relating to one of the aforementioned expenses in order to be eligible to recover their damages. Some courts have capped these damages per plaintiff.
In some cases, once all plaintiffs with documented damages have been paid, consumers without damages or reasonable documentation will sign a form and split the remaining funds. While the remaining funds may be a small amount on an individual scale (depending on the class size of individuals exposed to the breach), it may be a large amount for companies. As courts continue to take into consideration the number of class members before approving a proposed settlement amount, the amounts companies must pay out have been on the upswing.
Regulatory Action: The Federal Communications Commission
As for regulatory actions, the FCC is now fining companies massive amounts for data breaches. The FCC has clearly stated that it has only begun to exercise its power in this area and it will not take any data breach lightly or at a low cost to the company. As FCC Chairman Tom Wheeler stated last week, the Commission is now openly exercising its “full authority against companies that fail to safeguard the personal information of their customers.” As data breaches continue to be on the rise, companies should expect to face regulatory action resulting in fines.
The new wave of data breach settlements isn’t always focused on monetary damages. Data breach settlements often impose nonmonetary measures on companies, including
- requirements to strengthen electronic security to better protect customers’ data or to take preventive actions to secure data,
- mandatory security training for employees,
- appointment of C-suite level security officer positions,
- documentation of written security policies and programs, and
- payment for continuous credit monitoring for customers.
After complying with these mandatory settlement measures, companies are faced with permanent costs to maintain the new status quo, even after the litigation is settled.
Related Litigation From Financial Institutions
Companies faced with data breach litigation also face separate lawsuits from each financial institution affected by the breach, thus leaving companies open to a multitude of lawsuits stemming from each data breach. These lawsuits focus on the expenses banks and other financial institutions are facing related to data breaches, as banks and credit card companies often absorb identity theft and data breach related costs. Recently, companies have settled these suits for upwards of $20 million. However, these settlements come only after months of lengthy negotiations, producing even more legal fees.
How to Control Costs Related to Data Breaches
There are steps companies can take to decrease or even eliminate some of these costs before a breach occurs. Proactive and preventive measures on the front end act as an insurance policy in the unfortunate event of a data breach. And while the future of data breach litigation remains uncertain, two things remain inevitable: the increasingly astronomical costs associated with defending the breach and the increasingly low patience of courts and the FCC towards companies that choose not to strategically and aggressively take preventive measures towards securing data prior to a breach. Implementation of data policies, security precautions, and training prior to a breach are vital for a company’s success in today’s litigation-friendly climate. When it comes to handling data breach litigation and settlements, you must catch the wave before the wave catches you.
Ashley Prickett Cuttino is a shareholder in the Greenville office of Ogletree Deakins.
Madi A. Bakker is an associate in the Greenville office of Ogletree Deakins.