At the 2017 NetDiligence® Cyber Risk & Privacy Liability Forum in Santa Monica, CA, a panel discussed trends in cyber class action claims and regulatory investigations with an emphasis on settlement strategies. The panel included:
- Douglas Meal – Partner, Ropes & Gray LLP
- Ari Schwartz – Partner, Edelson PC
- Gene Fishel – Senior Assistant Attorney General, Commonwealth of Virginia
Certain thresholds must be met before a court will approve the settlement of a class action, and before a regulator will close an investigation. In particular, courts look at the fairness of the settlement to the class and at whether protections have been put in place to prevent similar harm from recurring. Reaching that point requires the attorneys on both sides, adversaries though they are, to cooperate in working out terms.
From the plaintiff's attorney's perspective, most cyber class action settlements to date have been bad deals for members of the class: their attorneys make millions in fees while the class members receive credit monitoring services. Part of the problem, in his view, is that a cyber case has so many potential claimants that attorneys simply look to maximize their fee. They have no strategy for the litigation itself and instead focus on growing the class to increase the size of the fee, so more effort goes into the distribution of attorney fees than into the suit. A "good" cyber security class action settlement starts with a strong class certification strategy. That means pleading the right theories (breach of contract, unjust enrichment, etc.) and focusing on the potential for identity theft rather than on whether identity theft actually occurred.
From the defense attorney's standpoint, a "good" cyber security class action settlement costs less than the anticipated cost of taking the claim through the courts. Ultimately, the gauge of a good settlement for the defense is a client that is happy with the outcome. These cases tend to involve large companies in consumer-facing industries such as retail. They want the case resolved and out of the press so they can refocus on customer service and business growth. Getting to a happy client can be a challenge, because the client may feel it did nothing wrong, that the breach was not its fault, and that settling amounts to admitting fault. It is important to educate the client that settlement is not an admission of fault; it is a compromise that ends the litigation at a lower cost than the potential exposure.
An emerging trend in cyber security class action suits is filing based on identified security vulnerabilities rather than on a breach that has already occurred. Plaintiff firms hire cyber experts to search for holes in companies' systems. When they find one, the suit is filed under seal to prevent public disclosure of the vulnerability. The focus is on getting the problem fixed before it is exploited and results in a larger incident. These claims tend to resolve quickly, and the panel's view was that the settling company ultimately saves a great deal of money by avoiding a breach.
Another trend is scrutiny of whether data collected by Internet of Things (IoT) devices is being used properly. Do consumers know their data is being collected and used? Attorneys are going so far as to hire labs to test IoT devices and analyze what actually happens to the data they produce.
Another interesting development is that two cities have filed suits against Equifax over its recent breach. Historically, regulatory enforcement actions have been filed only by state attorneys general and federal regulators. In this case, however, local laws allowed the cities of Chicago and San Francisco to file separate litigation on behalf of consumers in their jurisdictions.
There are multiple potential sources of regulatory litigation, including federal, state, and non-U.S. agencies, each with differing objectives and authority. According to the panel, 40 states currently have cyber security and data breach reporting regulations. Regulators monitor whether companies comply with their obligations to notify consumers when a breach occurs. A breach does not have to be large to trigger reporting and notification requirements: a breach involving just a few individuals carries the same requirements as one involving millions of records.
Regulators also examine whether the company took appropriate steps to protect the consumer information it held. Was it following industry best practices, or was it careless? The regulator's goal is protection of the consumer, and companies that are not following best practices can be hit with significant penalties.
Most enforcement actions tend to focus on breaches of personally identifiable information rather than of credit card numbers. Consumers are at much greater risk when a Social Security number is disclosed than when a credit card number gets out, because laws are already in place to protect consumers from credit card fraud. You often do not hear about these enforcement actions because they are small, but that does not mean they are not taking place. One regulator on the panel said his office had seen over 600,000 breach reports year to date, almost double what it saw in all of 2016.