What Boards Need to Know About Data Breach Class Actions

What are the most important questions to ask about cybersecurity lawsuit protection?

Data breach class actions are rapidly increasing, with over 2,000 cases filed in 2023, tripling the number from 2022. The year 2024 is on pace to eclipse that record. High-profile cases like the $52 million penalty that Marriott agreed to pay in October 2024 highlight the regulatory scrutiny and legal challenges companies face. A Capitology study of 28 cases showed an average stock price drop of 7.27% following the announcement of a data breach. Financial companies saw a 17% decrease within the first 16 trading days following the announcement of a breach. As part of framing their oversight duties and the key questions to ask management teams and advisors, boards should understand aspects of the class action litigation by purported victims of a data breach.

Understanding Data Breach Class Actions

Class actions typically allege that a company failed to implement adequate cybersecurity measures, deceived consumers about their cybersecurity defenses, or failed to provide timely notifications to those whose data was compromised during a breach. Common legal claims include negligence, breach of contract, invasion of privacy, and unjust enrichment. Industries handling highly confidential data, such as financial institutions and healthcare providers, are primary targets.

Legal defenses once the class action is filed include:

  • Standing. Plaintiffs must prove actual injury or substantial risk of harm. This is often a critical issue in data breach cases.
  • Arbitration provisions. Many companies use arbitration clauses to prevent class actions brought by employees or customers.
  • Substantive defenses. Compliance with industry standards and expert testimony can be used to defend against claims.

The following are strategies for defending data breach class actions:

  • Early case assessment. Evaluate potential defenses, likelihood of plaintiff success and expected damages. This assessment is essential to evaluate settlement opportunities. The board should ask management to provide a copy of the assessment for their review, generally as an attorney-client privileged communication.
  • Motions to dismiss. Argue lack of standing and arbitration clauses to dismiss cases early.
  • Summary judgment. Use discovery to highlight the lack of actual damages and breach of standard of care.
  • Class certification. Challenge the commonality and adequacy of named plaintiffs.

Best Practices for Preventing and Managing Data Breaches

  • Implement robust cybersecurity measures. Invest in technology and training.
  • Incident response planning. Develop and test an incident response plan.
  • Vendor management. Ensure third-party vendors comply with cybersecurity standards.
  • Regular audits and assessments. Conduct regular security audits and assessments.
  • Cyber insurance. A robust policy can limit the company's exposure.

Settlement Strategy

Less than 5% of class actions go to trial. The rest are resolved by dispositive motions or are settled. Plaintiffs' counsel pursues these cases to recover legal fees, so a settlement that gets them paid without the risk of a total loss is appealing.

Sometimes it is possible to settle early with the named plaintiffs without pursuing class certification. While this does not resolve all claims related to the data breach, it may provide a quick and affordable resolution. Because such settlements are typically private, with only the dismissal being filed with the court, it is difficult to gauge the range of such individual settlements.

Class-wide settlements offer the defendant company closure since the settlement is binding on all class members who have not opted out of the settlement. Settlements that involve the entire class require class certification and court approval, so we have data about the range of settlements approved by the courts in data breach class actions. An August 21, 2024, article published by the Harvard Law School Forum on Corporate Governance reported that 2024 is proving to be a banner year, with over $560 million in settlements as of publication.

Class size is an important factor in total damages, since per-person damages are typically small. Here are seven representative settlements, in descending order based on the settlement amount:

In re Equifax Inc.

  • Total settlement: $380,000,000
  • Attorney fees: $77,500,000
  • Class size: 147,000,000 ($2.58 per member)

In re T-Mobile

  • Total settlement: $350,000,000
  • Attorney fees: 22% rejected on appeal
  • Class size: 76,600,000 ($4.56 per member)

In re Yahoo! Inc.

  • Total settlement: $117,500,000
  • Attorney fees: $22,763,000
  • Class size: 194,000,000 ($0.61 per member)

In re Anthem Inc.

  • Total settlement: $115,000,000
  • Attorney fees: $37,950,000
  • Class size: 79,150,000 ($3 per member)

In re Home Depot, Inc.

  • Total settlement: $27,200,000
  • Attorney fees: $11,700,000
  • Class size: 52,000,000 ($0.52 per member)

In re Target Corp.

  • Total settlement: $10,000,000
  • Attorney fees: $3,000,000
  • Class size: 100,000,000 ($10 per member)

Lamie v. LendingTree LLC

  • Total settlement: $875,000
  • Attorney fees: $291,667.67
  • Class size: 69,142 ($12.65 per member)

These settlements reflect a range of per-member payouts from 50 cents to $12.65. Smaller class sizes will typically have larger per-member settlements. Attorneys' fees of roughly 30% appear to be the norm.

The board will likely need to approve the settlement. The directors should review the early case assessment, which evaluates liability and provides information on class size. This information, coupled with research on similar settlements and advice from experienced class action counsel, can guide the board in providing settlement instructions to management. The exercise can also help establish appropriate reserves in the event settlement is not successful.

Key Questions

Data breach class actions pose significant litigation risks. As board members, it is essential to retain experienced counsel to assess cases, prepare defenses and evaluate settlement options. Here are some key questions to ask once a lawsuit has been filed:

  • How many individuals had data compromised in the breach (an estimate of class size)?
  • Did the company comply with the various regulatory notification requirements?
  • Have the class members alleged any actual damages? What are they?
  • What cyber insurance coverage do we have?
  • What outside legal counsel has been retained? What are their qualifications?
  • What lessons did we learn? How can we reduce the risk of future incidents?

By understanding the legal landscape and implementing best practices, companies can better protect themselves against the growing threat of data breach class actions.

About the Author(s)

Mark Henriques

Mark Henriques is a partner with Womble Bond Dickinson.

