Settlement trends in data breach litigation
August 2014 | EXPERT BRIEFING | DATA PRIVACY
On Friday 13 June 2014, Sony Computer Entertainment America agreed to provide as much as $15m to a class of PlayStation Network users who alleged they suffered actual financial harm resulting from the theft of personal information. The settlement continues the trend of companies facing significant litigation expense to resolve data breach litigation. Companies are under unprecedented pressure to settle these cases, not just because they involve staggering defense costs, but also because of the significant adverse publicity ongoing privacy litigation inevitably involves. Following the widely reported data breach by Target Stores, profit fell by 16 percent, though not all of that is attributable to the breach. Still, a data breach can be hard enough on a company’s reputation; ongoing litigation is worse.
In the wake of a data breach, most companies take measures (such as providing prompt notices and complimentary identity theft protection services) to protect affected individuals, and such measures can go a long way to minimise reputational harm and regulatory attention. In an empirical study of data breach litigation conducted last year, the authors found that offering credit monitoring was an effective way to avoid data breach litigation, finding the odds of being sued “over 6 times lower when the firm provides free credit monitoring to those affected by the breach”. Post-breach, companies want to focus on addressing any internal security or compliance issues, and have little desire to publicly argue over the circumstances of the breach with a class of plaintiffs. Given that, and the ongoing expense and exposure to reputational damage, a company is strongly motivated to explore settlement quickly in data breach litigation. In the referenced empirical study, the authors were only able to find two cases involving data breaches that made it to trial.
Not all cases are settled, however. Many cases are dismissed, or summary judgment is awarded to the defendant. The inability of plaintiffs to quantify damages resulting from actual harm serves as a basis for dismissal in many cases (after all, as a general rule the potential for injury is not enough to establish standing for a lawsuit and ‘mere loss of data’ is not enough). But in cases that survive a motion to dismiss and that will involve a lengthy period of expensive discovery, a defendant will likely seek a settlement. The objective will be to buy as much peace as possible for the lowest amount necessary. The challenge is placing a value on the plaintiffs’ claim notwithstanding the lack of any actual quantifiable harm. This is particularly true in the present federal court environment in which judges are closely scrutinising proposed class action settlements.
In the Sony PlayStation litigation, Sony’s offer of free identity theft protection following the breach did not prevent the litigation. Nonetheless, free credit monitoring is a part of the proposed settlement. In the proposed settlement, persons who accepted Sony’s offer of free identity theft protection are allowed to select one Sony product or service subject to a total value cap of $4m. Class members who did not accept the free identity theft protection are given the option to choose two products or services offered by Sony, up to an amount totaling $6m. So-called ‘coupon’ settlements in which consumers receive ‘coupons’ for discounted or free products from a defendant while the plaintiffs’ attorneys receive large fee awards are frowned upon in federal court these days. The plaintiffs’ attorneys in the Sony case are seeking approval of $2.75m in fees. Whether the Sony settlement receives court approval remains to be seen.
The multi-pronged structure of the Sony settlement is reflective of other large data breach class action settlements. For example, in the earlier Schnucks settlement, the defendants agreed to pay up to $10 for each payment card involved that had unauthorised charges posted and later reversed, as well as any unreimbursed expenses incurred by each class member and compensation for time spent dealing with the breach up to $175, up to $10,000 for each class member who suffered from identity theft as a result of the breach (with a total cap of $300,000), and up to $635,000 in attorneys’ fees.
The dollar value of the settlements in data breach litigation so far is generally high. Sony’s agreement is reported to be worth $15m and will resolve the claims of as many as 31 million customers if approved. AvMed settled for $3m to resolve claims of approximately 1.2 million class members. Netflix agreed to pay $9m for a class estimated to include ‘tens of millions’ of members. Google and Facebook settled for $8.5m and $9.5m respectively. Companies facing data breach claims are thus looking at significant settlements if they are unable to resolve the cases as a matter of law.
One way to leverage the value of a class action settlement without increasing the cash outlay is to include agreed injunctive relief. Most data breach class settlements include some form of injunctive relief. Agreeing to change policies and procedures, or to increase data security in concrete ways, will go a long way toward convincing a judge that a settlement should be approved, especially in cases that do not involve actual monetary loss by class members.
Companies experiencing a data breach are well-advised to get out ahead of likely litigation following the discovery of a breach and offer recompense to injured consumers and free credit monitoring to those who have not suffered any actual harm. Notification and credit monitoring are not inexpensive; in the settlement of the TJ Maxx data breach litigation the parties estimated the value of free credit monitoring to a class of 45 million as $177m. Still, offering free credit monitoring prior to litigation both reduces the likelihood of a lawsuit and provides settlement leverage if a case is filed anyway.
To get even farther ahead, a company should consider negotiating a notification and credit monitoring ‘stand by’ agreement with a service provider even before any breach occurs, as part of a company’s security incident response plan. A company should consult with its cyber insurance broker (if the company has ‘event management’ cyber insurance, also a good idea) for suggestions or requirements as to the appropriate choice of such a service provider. Having this agreement in place avoids the distraction of simultaneously negotiating a major contract while also focusing on investigating and responding to the breach.
Notably, offering a benefit prior to the filing of a lawsuit can also help support an opposition to contested class certification as well as provide leverage in subsequent settlement negotiations. Anything the company can do to highlight the differences among groups of potentially affected consumers is helpful. For example, a group of persons who accept credit monitoring is situated differently from other groups of persons.
If litigation proceeds to a settlement, in most cases a defendant should seek to settle with as broadly defined a class as possible. The goal is to obtain as much finality as possible for the lowest possible cost. Good class action defence counsel will think like a plaintiff and craft a class definition in such a way as to block any further litigation.
Thomas J. Cunningham and Bart Huffman are partners, and Charles M. Salmon is an associate, at Locke Lord LLP. Mr Cunningham can be contacted on +1 (312) 443 1731 or by email: firstname.lastname@example.org. Mr Huffman can be contacted on +1 (512) 305 4746 or by email: email@example.com. Mr Salmon can be contacted on +1 (512) 305 4722 or by email: firstname.lastname@example.org.
© Financier Worldwide
Thomas J. Cunningham, Bart Huffman and Charles M. Salmon
Locke Lord LLP