Looking at Data Breach and Class Action Exposure Through a Single Lens
- Class Action & Mass Tort
- 3 Mins
There has been a spike in data breach class actions this year. According to a study by Law.com Radar, the monthly average of data breach class actions was 44.5 from January through August. This figure is more than double of last year’s 20.6 monthly average. Data breaches have also been on an uptick. According to the Identity Theft Resource Center, there was an increase of 114 percent in reported data compromises from 2023 Q1 to Q2 reflecting the highest number of breaches ever during a quarter. These incidents are getting more costly each year. IBM reported in the 2023 Cost of a Data Breach report that the global average breach cost was $4.45 million, representing a 15 percent increase over three years.
But what do all these statistics mean and how should business leaders react? First, it is time to come to terms with the reality that any organization is fair game for an attack. They must pay attention to the data breach class action landscape. Next, instead of viewing these trends in isolation, it is time to unite them and look at the whole picture. Where significant data breaches occur, class action exposure increases exponentially. Lastly, organizations need to formulate a breach response plan that is proactive, accounts for risk mitigation, and factors in potential class action liability.
There are several factors contributing to the rise in data breaches. The obvious reason is that as the world continues to digitize more, there is more information out there to access. Bad actors are developing more sophisticated and strategic ways to target sensitive information, while organizations are simultaneously producing and storing a record amount of data. They are also figuring out how to use advanced technologies as a tool to intercept information.
For example, ransomware attacks have been trending in recent years with demands previously in the thousands now in the millions. Even if an organization saves money by paying the ransom, this is contributing to the bigger problem. Bad actors will keep perpetuating these attacks because they have gotten away with it in the past, while continuing to sophisticate their efforts. Other trending attack methods include phishing, multifactor authentication breaches, and malware.
Large-scale hacks have also contributed to the drastic uptick in breaches. The MOVEit hack resulting from a software vulnerability that began in May 2023 (and is still ongoing) is one of several recent events illustrating how widespread attacks can quickly place a large number of organizations at risk. Many MOVEit incidents involve over one million impacted contacts and the types of data impacted tend to be rich files with complete contact data, such as complete client or employee lists containing full PII sets. Events like this have the potential to create large class action lawsuits against the software creator and its customers. Affected individuals have already started filing lawsuits against organizations using MOVEit, thus highlighting the importance of not only having sound internal practices but also keeping apprised of third-party systems storing any business data.
The above coupled with more court education, regulatory rules, cyber insurance mandates, and media reporting on data breaches highlights how front and center this topic is currently. This has directly caused more class action activity that is costlier. Settlements are higher due to the number of affected consumers and public attention on breaches of all sizes. More class actions are being filed and courts are allowing certification. The Law.com Radar study found that from this January through June there were 246 data breach class actions, which is close to 2022’s grand total. Courts are even requiring defendants to turn over privileged investigative breach reports.
These circumstances place urgency on breached organizations to mitigate quickly and explain security gaps to save their reputation. To lessen risk, it is crucial to not only anticipate data breaches – but also the class actions that can follow.
Adapting and Acting
It is time to act. Having controls in place to mitigate breach risk is no longer an option. Organizations must review their security gaps regularly and make this an ongoing top initiative. Not putting enough prevention in place to avoid a breach or failing to quickly determine a breach cause and remediate it effectively are both contributing factors to the uptick in class actions. However, more are looking to invest in cyber preparedness as demonstrated in the IBM report where 51 percent of organizations said they plan to increase cybersecurity spending because of an internal breach.
But where to start? Keeping on top of the changing landscape will help improve policies and procedures related to managing threats and risks, but this is only the beginning of what needs to be done to have a robust and effective cyber readiness plan that also anticipates class action activity. What needs to be done will be unique to every organization. The goal should be to determine the best combination of security controls that fall within an organization’s risk tolerance. From training to threat detection software, mock breach exercises, and beyond – the possibilities are plentiful and flexible.
This is not a feat to tackle alone, so fear not. An outside consultant with not only cybersecurity capabilities, but also class action, is ideal. Look for an expert partner that can pinpoint cyber gaps and fix them by integrating new tools or information governance approaches; advise on what to include in an organization’s incident prevention and response programs; keep apprised on breach and class action trends; provide breach response services; and have staff available to handle class action administration in the event that one materializes after a breach.
By tapping into outside resources in addition to internal efforts, an organization will be in the best position to tackle data breaches that come their way – and any class actions that may follow. This will also reduce breach and class action risk in the first place, providing peace of mind and allowing organizations to maintain good cyber hygiene.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.