It is not a coincidence that data breach class actions do not go to trial. Both sides face an uncertain legal landscape. Despite the hundreds of class actions filed, important areas of data breach law remain unsettled, including a deep circuit split on whether the risk of future harm satisfies the Article III standing requirements. To certify a class, plaintiffs bear the burden of showing how they can prove class-wide harm caused by the breach, a very high burden that has defeated class certification in the cases that have made it that far. Even if they can overcome this hurdle, plaintiffs then have to prove that the defendant failed to establish reasonable security measures, despite the lack of uniform standards and cyber criminals’ ever-evolving methods for obtaining unauthorized access.
For defendants, it can be very expensive to win. And, as in all class actions, even a very small possibility of an adverse judgment can create enormous risk depending on the size of the class. Defendants also face continuing reputational risk due to press attention on the litigation.
Given these risks and the uncertain legal landscape, defendants should keep settlement on the radar even as they litigate data breach class actions aggressively. We set out below six core questions defendants should answer to assess the parameters of settlement in a particular data breach class action.
The number of impacted individuals and the potential harm caused by the types of unlawfully accessed information are important inputs to determining the scope and costs of a possible settlement. The impact of class size on settlement scope is straightforward. The type of impacted data affects the analysis of the harm consumers could suffer from potential misuse. On one end of the scale is credit card data, for which potential harm is relatively low. Consumers can protect themselves from misuse by requesting a new card, credit card issuers can place a fraud alert on the account to detect unauthorized use, and, importantly, federal law sets a $50 cap on liability for unauthorized charges as long as consumers report the fraud to their credit card company.
On the other end of the scale is sensitive personal data, such as Social Security numbers, which cyber criminals may be able to exploit through identity theft schemes. Sensitive health data also may create a significant risk of harm.
These factors are what separate resolutions in the range of $2.1 million from those in the range of $115 million. The smaller settlement involved unauthorized access to an estimated 2.5 million credit and debit cardholders; the larger settlement involved unauthorized access to the Social Security numbers, health data, and other sensitive personal information of an estimated 79 million consumers.
Data breach class action settlements typically include two types of benefits to putative class members: 1) reimbursement of out-of-pocket costs incurred due to the data breach; and 2) credit monitoring services for some number of years. Some settlements also provide for cash payments to putative class members who request it and do not seek reimbursement for actual losses.
Out-of-Pocket Cost Reimbursement. Putative class members who seek reimbursement typically have to submit claims supported by documentation. Consistent with defendants’ arguments that few, if any, impacted consumers suffer harm caused by the breach, claims rates in data breach settlements are exceedingly low. Plaintiffs’ counsel in the Anthem data breach action reported that of the 79 million consumers potentially impacted by the data breach, only 6,809 people (or less than .01%) submitted reimbursement claims. So, the costs of out-of-pocket reimbursement typically are minimal compared to the costs of other settlement components.
Credit Monitoring. Putative class members typically can request credit monitoring and fraud resolution services or an extension of those services. Credit monitoring companies offer these services in bulk at much lower costs than those offered for an individual plan.
Alternative Cash Payments. Some settlements allow putative class members to request a flat fee payment as a form of alternate compensation.
Settlements with alternative cash payments tend to be structured as a common fund. Under this approach, the defendant pays a certain, set amount to cover all of the costs of the settlement, including benefits to the putative class members, notice and administration costs, and attorney’s fees and costs. Settlements without this option typically will require defendants to pay the cost of the various components of the settlement up to a specified cap, but do not establish or require payment of a fund.
Data breach settlements typically include a commitment from the defendant to implement and maintain changes to its data security practices to strengthen protection of putative class members’ information for a specified time period. These costs may be significant, but they also may be costs incorporated into overall security initiatives that would occur regardless of the class action litigation.
The law in the jurisdiction where the case will be litigated and prior rulings of the assigned judge may put one of the sides in a stronger negotiating position.
The amount of attorney’s fees in a data breach class action will be based, in large part, on the answers to the questions discussed above. Experienced defense counsel who have litigated and negotiated settlements in similar data breach class actions can provide a ballpark range of expected attorney’s fees.
The nature and scope of defendant’s cyber insurance coverage will determine how much of the litigation and settlement costs the defendant will pay. Insurers generally will expect to be kept in the loop on settlement discussions and may ask to participate in any mediation. Insurers also will have to approve any settlement if the policy provides coverage.
Given the evolving legal landscape and the likely desire for certainty in assessing the cost of a class action claim, these questions may assist in-house counsel in determining when and how to focus attention on possible resolution of these claims.
This article in our “Beyond the Breach” series was authored by Tiffany Cheung, co-chair of Morrison & Foerster’s global Litigation Department, former co-chair of the firm’s Class Actions + Mass Torts practice group, and a member of its Privacy + Data Security practice group.