“Big data breaches…potentially produce large class sizes, making such lawsuits attractive to plaintiffs’ lawyers,” write Sharon Klein and Jeff Vagle, attorneys at the Pepper Hamilton law firm, which has offices nationwide. “Companies that store or process personal information face an increasing risk of class action lawsuits based not only on the company’s use of that information, but also on the theft or misuse of that personal information due to data breach.”
They note that many states, such as California and Delaware, have liberal data breach laws that allow private rights of action for security incidents regardless of the likelihood of injury. That, in turn, has facilitated the rise of class-action lawsuits.
What’s more, the cost of the lawsuits can add significantly to the cost of a data breach for a company. A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.
In the Sony example, a class action lawsuit was recently dismissed after hackers compromised the PlayStation Network in April 2011. Plaintiffs brought negligence allegations among other charges. With millions affected, any awarded damages had the potential to fat outweigh the estimated $171 million that the breach itself cost the company – though fortunately for Sony, the case was dismissed.
Klein and Vagle also warned that lawsuits can put a company (if it’s not, say, the size of Sony) out of business. In one such case (company unnamed), plaintiffs sought damages of $5,000 per customer from the defendant, which could have resulted in possible damages totaling in the tens of billions of dollars – far more than the defendant company was worth.
There are steps businesses can take to prevent such a nightmare. First, of course, is to make suredata security measures are a priority. The second step is to monitor what actualy was done with the stolen data—who was actually hurt?
“In spite of these risks, companies may be able to avoid class certification if the plaintiffs fail to establish standing to bring suit on behalf of a class,” the attorneys noted. “A pivotal question for standing is establishing injury-in-fact, which has successfully prevented certification of many purported data breach class actions. Recent cases, however, have been breaking down the court’s resistance to class certifications, raising the stakes in data breach and privacy cases.”
Companies would do well to consider their liability, especially since the size and commonality of breaches are escalating. The Verizon DBIR identifies the loss of 174 million data records in 855 separate incidents in 2011 alone. And, the Ponemon Institute found that 90% of the companies and organizations surveyed in a recent study had had at least one data breach. Further, the advent of cloud computing and the housing of millions of records in central locations in data centers can mean enormous losses of data from a single breach, “which can equal very large classes of potential plaintiffs,” the attorneys concluded.