In an age where data is widely available and almost everything is stored online, data breaches are becoming more common, and the outcomes of cases involving data breaches are unpredictable. Data involved in a breach can range from financial data, such as credit card numbers, to health data, such as treatments and medical history. Based on previous settlements reached, stolen health data typically has the most extensive damages due to the incredibly personal nature of the data, while stolen credit card data has the least damages. It is a lot easier to cancel and replace a credit card than it is to replace identifying information such as a Social Security number. When there is a breach of identifying information, continued alertness is necessary to prevent identity theft, adding to the costs.
The Type of Data in a Data Breach Matters
There are two cases that illustrate the disparity between settlements involving different types of data. An infamous hacker who goes by the name “Cumbajohnny” was responsible for hacking both T.J Maxx and Heartland Payment Systems. Data for approximately 130 million credit and debit cards was stolen from Heartland, and more than 45 million credit cards were affected by the T.J Maxx breach. However, the Heartland settlement was $500,000, despite involving the breach of three times the amount of data. The T.J Maxx settlement was valued at $6.1 million. The court’s valuation was based on the type of data breached: Cumbajohnny and his cohort stole identification information from at least 450,000 customers of T.J Maxx, including Social Security and driver’s license numbers. Although the nominal value of the credit card information was larger for Heartland, once the threat of identity theft is considered, the real value of the 455,000 people affected by the T.J Maxx breach was much greater. In fact, eighty-six percent of the T.J Maxx settlement was attributable to the much smaller number of identifying records stolen, and the other fourteen percent is attributed to the 45 million stolen card records.
Although identifying information is valuable in settlements, medical records often add the most value to a data breach settlement because they contain deeply personal information. For example, the breach of Advocate Health Care included unencrypted medical records, affecting 4.03 million patients. The case settled for $5.55 million, remaining the largest HIPAA settlement to date. This case exemplifies the need to keep up with the swiftly-evolving digital landscape to protect clients’ information. It may also demonstrate legislative attention to particularly personal and sensitive data. Due to the variation and uniqueness of each data breach case, it is important to evaluate the types of compromised data.
Identity Theft Is Also an Important Factor
Generally, cases with elements of identity theft will be stronger because it is difficult to prove standing without it. Some jurisdictions require the plaintiff to have suffered identity theft in order to have standing. It can be difficult to prove that the hacker had malicious intent and/or sold the data they stole, and until the data is actually sold, some jurisdictions will not grant the class standing. For large data breach cases, such as the T.J Maxx settlement, the plaintiff’s attorneys must be prepared to litigate the case under the standing rules of the federal court in any district, because cases filed all over the country can be consolidated into one federal district court for multidistrict litigation.
The value of a data breach case does not only include the monetary value of the breach. Protection against future losses, such as improved digital security and credit monitoring, is important to preventing identity theft and ensuring the affected company isn’t breached again. It can be beneficial to the plaintiff if the company at fault had a previous breach and did not take proper measures to increase its security.
What Happened After the Breach?
Before initiating a case, it is valuable to research what a company has already done after experiencing a breach. Oftentimes, the company will offer one year of free credit monitoring for customers who face ongoing credit risk. While credit monitoring is helpful for preventing identity theft after a breach, some companies may only monitor one of the three credit bureaus (Equifax, Experian, and TransUnion) to keep costs low, leaving customers vulnerable to fraudulent activity that shows up on the other bureaus’ credit reports.
Researching whether the company bulked up its security after a breach is also useful. It can be difficult to find out exactly what the company did in the aftermath because the discovery may not be accessible. Cybersecurity blogs can come in handy for getting technical details of how the hacker was able to get into the company’s system in the first place and for learning what, if anything, the company did to improve security. If there is a lot of room for security or credit-monitoring improvement, the value of the settlement may be greater; the court can enforce this either by raising the dollar value of the settlement or by mandating that the company increase its security. For example, after the Target data breach, which affected 41 million customers, the settlement required Target to employ a chief officer responsible for security, to actively monitor its systems for security events, to provide security training to its employees for five years, and to perform routine security assessments. The case settled for $18.5 million, but the injunctive relief was much greater.
Third-Party Vendors Can Play a Role
Determining whether the company or a third-party vendor is at fault for the breach can be challenging. The company experiencing the data breach often claims to have the most up-to-date security systems; however, discovery usually reveals the gaps the hackers used to get in and out with the data. If a third party could be responsible, it is best to establish the relationship between the company and the vendor as soon as possible and determine whether the vendor is primarily responsible for the breach.
An example where the vendor was unmistakably at fault is the Stanford Hospital data breach. The hospital’s business associate (BA), Multi-Specialty Collection Services, LLC, posted 20,000 patients’ emergency room records, including hospital account numbers, billing charges, and emergency room admission and discharge dates, to a student homework website, asking how to graph the patients’ data. Stanford Hospital had properly encrypted the records before sending them to the vendor, but the hospital was still responsible for paying the administration costs of the $4 million settlement. The hospital also agreed to train its vendors on how to most effectively protect patient data. Since vendors are typically smaller entities with fewer resources, this can affect the settlement amount.