As the number of data breaches continues to increase, so too do the costs. After a breach occurs, companies typically expend significant sums conducting investigations, notifying customers and regulators, and engaging in public relations. They incur additional expenses enhancing security and providing identity protection services to victims. And then, of course, there are legal fees, involving both litigation and compliance, which can add up to more than half the total cost of a data breach. These numbers can be substantial, particularly in the context of class actions.
One recent example is health insurance giant Anthem, Inc., which agreed to a class action settlement worth $115 million. The underlying litigation stemmed from a 2015 data breach—one of the largest in the world—in which hackers gained access to Anthem’s system and accessed nearly 80 million records that included Social Security numbers, addresses, email addresses, and other personal information. After the breach, over 100 lawsuits were filed and eventually centralized in the U.S. District Court for the Northern District of California. Plaintiffs alleged that Anthem, its affiliates, and certain Blue Cross entities violated consumer protection laws by failing to protect their data. On June 23, plaintiffs moved for preliminary approval of a class action settlement. Pursuant to the agreement, Anthem agreed to triple the amount it spends on information security and implement certain security measures. A $115 million settlement fund will also be set up, with $15 million set aside for out-of-pocket costs suffered by class members. The rest of the settlement funds will be used to provide two years of credit monitoring to victims of the breach, extending beyond the two years of protection Anthem originally offered after the breach occurred, while class members who already have credit monitoring can receive cash compensation instead. Plaintiffs can additionally seek up to one-third of the settlement fund for attorneys’ fees. The motion for preliminary approval of the settlement is currently set for August 17.
In addition to the threat of class action litigation, companies suffering data breaches also face the risk of regulatory action. Even investigations can be costly. In May, Target paid $18.5 million to 47 states and Washington, DC to resolve an investigation into the retailer after the 2013 data breach that affected more than 41 million accounts and exposed customers’ credit card information. The states’ investigation determined that hackers installed malware in Target’s system that enabled them to capture customer data in real time as payment cards were used. Target subsequently faced lawsuits by both consumers and financial institutions, and it has reportedly spent over $200 million on legal fees and other expenses since that time. Pursuant to the recent settlement agreement, the states received varying amounts based on population, with California receiving the most at $1.4 million. The agreement also requires Target to implement various new security measures and segregate cardholder data in its network. Alabama, Wisconsin, and Wyoming were not part of the settlement. A statement by the states’ attorneys general touted the settlement as the largest multistate deal reached in a data breach case—although, as the cost of data breaches continues to rise, that statistic may not last.