LegalReader.com  ·  Legal News, Analysis, & Commentary


Navigating the Legal Maze: A Veteran Litigator’s Guide to Data Breach Lawsuits


— August 19, 2024

A deep understanding of data breach litigation is a critical component in developing the most effective data protection strategies.


The specter of data breaches looms larger than ever, posing unprecedented challenges to privacy, security, and corporate responsibility. As the Chief Innovator for Monjur and a litigator with more than two decades of experience in the legal landscape shaped by these incidents, I have watched data breach litigation evolve from its earliest stages to its current complexity, working firsthand on cases that have set significant legal precedents and reshaped our understanding of digital vulnerabilities.

Moreover, as a trusted advisor and litigator, I’ve led teams through the intricate dynamics of high-profile data breach cases, offering insights drawn from the front lines of legal battles. Our work has not only sought justice for those affected but has also contributed to the broader conversation about data security, consumer rights, and corporate accountability. 

Data breaches have expanded over the past 20 years

It has been nearly two decades since hackers infiltrated the CardSystems Solutions database in June 2005, gaining access to records associated with 40 million credit cards and putting the world on notice that consumer data needed to be closely guarded. However, the likelihood of litigation aimed at holding CardSystems, or the merchants that used its services, accountable was not mentioned in many of the reports that followed that early breach.

The news reports on the breach used language that was still fresh at the time, mentioning “security vulnerabilities,” “malicious code,” and “data in unencrypted form.” One report shared that American Express, one of the companies whose data was exposed as a result of the breach, was still debating whether or not it should inform its customers of the event.

Data breaches have become much more common in today’s world. Recent statistics show that more than 1,800 data breaches occurred in the US alone during 2022, exposing over 422 million records.

Litigation related to data breaches has also become much more common.

2013 Target Corporation Data Breach Litigation

In December 2013, nearly a decade after the CardSystems Solutions event, Target announced a breach involving the exposure of 70 million customer records and another 40 million credit and debit card records, leading to a string of lawsuits, including a key case filed by 47 US states and the District of Columbia that Target ultimately settled for $18.5 million.

The litigation related to the Target breach and the decisions that flowed from it were groundbreaking in terms of consumer data protection. Most notably, it helped establish that merchants like Target are responsible for putting safeguards in place to protect consumer data, including payment information, and established that consumers affected by breaches could sue merchants who failed to safeguard their information. Court rulings in the Target case said the company’s negligence put consumers at risk of issues, including identity theft and unauthorized charges to their accounts.

The litigation also set expectations for timely breach disclosures. Media reports criticized Target for taking weeks to reveal the breach. The litigation reinforced legal requirements related to revealing the occurrence of a breach in a timely manner that most US states had in place at the time of the breach.

Finally, litigation also increased expectations regarding the systems and policies retailers should have in place to protect consumer data. In the wake of the breach, Target went to considerable lengths to improve its security efforts, including reissuing more secure cards, installing more secure POS terminals, and replacing senior leadership with security-savvy executives.

2017 Equifax Data Breach Litigation

The Equifax data breach, which occurred between May 2017 and July 2017, was monumental at the time. It affected 147 million users and involved the exposure of highly sensitive information, including social security numbers, birthdays, addresses, driver’s license numbers, and credit card numbers.

The litigation prompted by the Equifax breach included multi-district consumer class action lawsuits that were ultimately consolidated and heard in federal court in Atlanta, Georgia. The decision in the case resulted in a promise to provide $425 million in consumer restitution, which is still being disbursed.

The breach also resulted in action by the US Federal Trade Commission, Consumer Financial Protection Bureau, and all 50 US states to hold Equifax accountable for failing to secure its data network. The civil action resulted in an agreement by Equifax in 2019 to pay at least $575 million in damages.

Litigation prompted by the Equifax breach further evolved case law by upholding the argument that stolen data credentials can cause harm to consumers. Courts involved in the case agreed that breaches involving social security numbers, addresses, and other sensitive data posed a credible risk of identity theft and fraud to affected consumers.

Equifax litigation also established liability even when claimants could show no data misuse. Equifax was held accountable for damages in the case despite the lack of evidence that the stolen data had been used to commit fraud because the fact that the breach put consumers at risk of harm was considered sufficient.

2019 Capital One Breach Litigation

The Capital One data breach occurred in March and April 2019, affecting data related to over 100 million customers in the US and Canada. The data compromised included approximately 140,000 social security numbers and 80,000 bank account numbers. Capital One’s overall costs were estimated at $645 million, including a $190 million settlement with US regulators.

The Capital One litigation was notable for addressing data vulnerabilities associated with the then-emerging trend of cloud computing, showing courts would hold organizations responsible for securing data in the cloud and in private data centers. Part of the settlement in the case required Capital One to establish enhanced oversight procedures, including steps to improve encryption and access management.

The litigation was also the first data breach case to result in the conviction of an individual hacker. Paige A. Thompson was found guilty in June 2022 of hacking into cloud-based data storage accounts and stealing data involving Capital One’s customers and was sentenced to time served and five years of probation.

2023 MOVEit Litigation

The MOVEit data breach in May 2023 was unique for the extreme number of companies it affected. Because MOVEit is a file transfer program relied on by a large number of organizations, when hackers found a way through its defenses they gained access to data being transferred by virtually any company that used it. Some reports say the fallout affected nearly 2,300 organizations.

Consumer reactions to the MOVEit breach spawned hundreds of lawsuits, targeting nearly 90 different companies that used the transfer program. As the lawsuits proliferated, it was ultimately decided to consolidate them into a single multidistrict litigation. Experts believe the outcome of the case could define how litigation involving unauthorized access of data through third-party vendors will be tried in the future.

2023 23andMe Litigation

When the genetic testing company 23andMe was the victim of a data breach in April 2023, it appeared to be a common case of unauthorized access to sensitive information. However, when the information showed up for sale on the dark web, the unique nature of the case emerged.

As reported in The New York Times, the hackers segmented the data in what appeared to be an effort to single out information related to 23andMe customers who had Chinese and Ashkenazi Jewish heritage. The class-action lawsuit filed in response to the breach includes among its accusations 23andMe’s failure to notify those customers who were specifically targeted by having their information included in “specially curated lists.”

Jay Edelson, a lawyer representing plaintiffs in the case, suggested the lawsuit will dramatically shift the course of future data breach litigation. Moving forward, he stated, a primary concern to assess in the wake of a breach will be whether stolen data will be used to “physically harass or harm people on a systematic, mass scale.” Edelson believes the case could raise the standard for the way businesses will be expected to respond to a breach.

Ramifications of Data Breach Litigation


Organizations facing data breach litigation must contend with a wide range of ramifications. Direct consequences if the organization is found liable could include legal penalties and other financial losses. IBM, in its “Cost of a Data Breach Report 2023,” set the global average cost of a data breach at $4.45 million.

In addition, organizations face indirect costs resulting from reputational damage, operational disruptions, and other fallout. A data breach can cause customers, vendors, and other stakeholders to question an organization’s trustworthiness. Rebuilding that trust can involve costly and time-consuming public relations initiatives.

The case law built up around data breaches shows that organizations can best prepare for potential litigation by developing a deep understanding of relevant laws and regulations and ensuring their compliance. Regular security audits, employee training, and security upgrades can help to ensure organizations are seen as responsible in their data security duties.

Data breach litigation has also shown organizations must be prepared to respond quickly and appropriately to breach events. An immediate response plan should be in effect that details the steps to be taken to contain the breach, investigate its cause and impact, and notify all stakeholders.

As the activity of cybercriminals has surged in recent years, so has litigation related to data breaches. Consequently, organizations and those who provide them with legal counsel must continue monitoring relevant cases to ensure they are up to date on the case law. A deep understanding of data breach litigation is a critical component in developing the most effective data protection strategies.
