All the Ways to Get Sued After a Data Breach

We’ve previously discussed the financial tsunami that a data breach triggers, citing a recent Deloitte study about how its effects can linger for several years. Within that fallout, there’s a tendency to associate any litigation with disgruntled consumers. But a recent class-action lawsuit filed by employees at Seagate, a data-storage company, reminds us that subsequent litigation can come from within the organization. Historically, winning this type of suit has been a formidable endeavor, but as the nature and scope of breaches evolve, legal tides may be shifting.

In March, Seagate’s human-resources department fell victim to an email scam, in which phishers posed as the company’s CEO and requested sensitive documents. The HR team handed over those employee documents, and the thieves were soon exploiting social-security numbers, addresses, and wage records by filing fake tax returns (in some cases joint returns, affecting employees’ spouses, too). All told, the thieves made off with the data of 10,000 current and past employees.

No adequate security platform was in place, and the criminals haven’t been caught. The resulting lawsuit alleges that Seagate was negligent in safeguarding this information and failed to provide proper compensation to its employees—the victims of the leak.

This isn’t the first time employees have gone after their employers after breaches. In late 2014, current and former Sony employees sued the company for negligence stemming from the infamous hack early that year. Citing Sony’s history of data breaches (including a 2011 incident that compromised its PlayStation network), the class-action suit claims the company took no measures to protect their personal information, including medical records, from hackers. The settlement cost Sony as much as $8 million.


That same year, Coca-Cola was also sued by a former employee over the theft of 55 encrypted laptops containing the personal information of (allegedly) 74,000 employees. Coke attempted to have that suit thrown out, arguing that it merely speculated about the identity theft’s potential for future harm. In late 2015, the judge dismissed seven of the 10 claims, but held that the employee still had recourse to demand restitution.

According to Law360, which covers sizable litigation cases, there’s a cascading effect of post-breach litigation that people fail to recognize. To that end, the publication outlined, a year ago, five different types of suits a company should anticipate encountering after a data breach. That list is even more relevant today:

  1. Employees
    (See above) “While Coca-Cola’s breach stemmed from a traditional theft,” writes Law360, “Katten senior counsel Christina Grigorian says those claims are quite cutting-edge.”

  2. Consumers
    After its high-profile breach, Target doled out $10 million in a settlement to customers. Likewise, a class-action suit related to a 2013 breach was forged against Neiman Marcus; this January, the department-store giant lost a bid to toss out the suit. This ruling, wrote Fortune, “is a big deal because it lowers the bar for consumers who want to sue over such breaches. Until now, companies have been able to deflect many such lawsuits.” And Home Depot reached a $19.5 million deal to settle a class-action suit after 56 million pieces of personal information were compromised in its 2014 breach.

  3. Financial Institutions
    Following its hack, Target settled record-setting claims filed by banks and credit unions: as much as $20.25 million to banks and credit unions, $19.11 million to MasterCard issuers, and $67 million to Visa issuers. Meanwhile, Home Depot’s 2014 breach prompted a group of banks and credit unions to file a class-action suit one year later. They claim to have spent $150 million in card-reissuance costs alone.

  4. Insurers
    Currently, the extent to which insurance must cover a breach remains hazy at best. One of Sony’s insurers, Zurich America, balked at covering the entertainment-electronics giant’s financial hit after its PlayStation hack in 2011. A judge determined that the policy covered the publication of private information, but that this did not extend to hacking. They settled in April for an undisclosed amount. (It’s worth noting that even when a policy kicks in, it’s not always enough to cover losses: Target, the new bellwether in breach liability, says it has spent at least $200 million out of pocket after a $90 million insurance reimbursement.)

  5. Shareholders
    Even the boardroom isn’t exempt from payback. A shareholder sued Wyndham Hotels for, reports SC Magazine, failing “to take reasonable steps to maintain their customers’ personal and financial information in a secure manner” throughout three breaches occurring between 2008 and 2010. That suit was thrown out, as was a derivative suit filed against 13 of Target’s officers and directors. However, Home Depot shareholders’ derivative suit against the company and a dozen of its officers and directors appears to be pending. The 2015 complaint also suggests that its security measures are “desperately out of date.” Lexology, a legal thought-leadership site, writes, “It is likely to lead to new law in the area of data privacy and security law, particularly concerning the roles of Officers and Directors.”

The above five lawsuit types, of course, still don’t account for fines. Depending on the industry an enterprise falls into, it faces action from the U.S. Department of Health and Human Services (HIPAA violations), the FTC (inadequate or misleading security practices), the Consumer Financial Protection Bureau (deceptive conduct), the U.S. Department of Defense (data-breach reporting), the FCC (privacy and data security), and the SEC (security safeguards), not to mention state Attorneys General (breach notification).

To state the obvious: Breaches are expensive. In a jaw-dropping story, Forbes estimates that Home Depot’s hack will cost the company a staggering $10 billion by decade’s end. Much of the litigation and many of the fines surrounding breaches hinge simply on negligence. Building or optimizing an advanced security platform can end up being the most impactful investment your company makes.