[BreachExchange] Data Breaches Prove Costly for Major Businesses

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 29 15:01:09 EDT 2018


https://www.jdsupra.com/legalnews/data-breaches-prove-costly-for-major-42445/

In an age where data is widely available and almost everything is stored
online, data breaches are becoming more common, and the outcomes of cases
involving data breaches are unpredictable. Data involved in a breach can
range from financial data, such as credit card numbers, to health data,
such as treatments and medical history. Based on previous settlements
reached, stolen health data typically has the most extensive damages due to
the incredibly personal nature of the data, while stolen credit card data
has the least damages. It is a lot easier to cancel and replace a credit
card than it is to replace identifying information such as a Social
Security number. When there is a breach of identifying information,
continued alertness is necessary to prevent identity theft, adding to the
costs.

The Type of Data in a Data Breach Matters

There are two cases that illustrate the disparity between settlements
involving different types of data. An infamous hacker who goes by the name
“Cumbajohnny” was responsible for hacking both T.J Maxx and Heartland
Payment Systems. Data for approximately 130 million credit and debit cards
was stolen from Heartland, and more than 45 million credit cards were
affected from the T.J Maxx breach. However, the Heartland settlement was
$500,000, despite involving the breach of three times the amount of data.
The T.J Maxx settlement was valued at $6.1 million. The court’s value was
based on the type of data breached; Cumbajohnny and his cohort stole
identification information from at least 450,000 customers of T.J Maxx,
including Social Security and driver’s license numbers. Although the
nominal value of credit card information was larger for Heartland,
considering the threat of identity theft, the real value of the 455,000
people affected from T.J Maxx was much greater. In fact, eighty-six percent
of the T.J Maxx settlement was from the much smaller number of identifying
information stolen, and the other fourteen percent is attributed to the 45
million stolen card records.

Although identifying information is valuable in settlements, medical
records often add the most value to a data breach settlement because they
contain deeply personal information. For example, the breach of Advocate
Health Care included unencrypted medical records, affecting 4.03 million
patients. The case settled for $5.55 million, remaining the largest HIPAA
settlement to date. This case exemplifies the need to keep up with the
swiftly-evolving digital landscape to protect clients’ information. It may
also demonstrate legislative attention to particularly personal and
sensitive data. Due to the variation and uniqueness of each data breach
case, it is important to evaluate the types of compromised data.

Identity Theft Also Important Factor

Generally, cases with elements of identity theft will be stronger because it
is difficult to prove standing without it. Some jurisdictions require the
plaintiff to have suffered from identity theft to have standing. It can be
difficult to prove that the hacker had malicious intention and/or sold the
data they stole, and until they do sell it, some jurisdictions will not
give the class standing. For large data breach cases, such as the T.J Maxx
settlement, the plaintiff’s attorneys must be prepared to litigate the case
under the standing rules of the federal court in any district because many
cases filed all over the country can be consolidated into one federal
district court for multidistrict litigation.

The value of data breach cases does not only include the monetary value of
the breach. Protection against future losses, such as improved digital
security and credit monitoring, are important to preventing identity theft
and ensuring the affected company isn’t breached again. It can be
beneficial to the plaintiff if the company at fault had a previous breach
and did not take proper measures to increase their security.

What Happened After the Breach?

Before initiating a case, it is valuable to research what a company has
already done after experiencing a breach. Oftentimes, the company will
offer one-year free credit-monitoring for customers who experience ongoing
credit risk. While credit-monitoring is helpful for preventing a breach,
some companies may only monitor one of the three credit bureaus (Equifax,
Experian, and TransUnion) to keep costs low, leaving customers vulnerable
to fraudulent activity that shows up on other bureau’s credit reports.

Researching if the company bulked up its security after a breach is also
useful. It can be difficult to find exactly what the company did in the
aftermath because the discovery may not be accessible. Cybersecurity blogs
can come in handy to get technical details of how the hacker was able to
get into the company’s system in the first place and learn what, if
anything, the company did to improve security. If there is a lot of room
for security or credit-monitoring improvement, the value of the settlement
may be greater; the court can enforce this either by raising the dollar
value of the settlement or by mandating that the company increase security.
For example, after the Target data breach, which affected 41 million
customers, the settlement required Target to employ a chief officer who
manages security, to actively monitor its systems for security events,
provide security training to its employees for five years, and perform
routine security assessments. The case settled for $18.5 million, but the
injunctive relief was much greater.

Third Party Vendors Can Play Role

Determining if the company or a third-party vendor is at fault for the
breach can be challenging. The company experiencing the data breach often
claims it has the most up-to-date security systems; however, discovery
usually reveals gaps that the hackers used to get in and out with the data.
If a third party could be responsible, it would be best to establish the
relationship between the company and the vendor as soon as possible and
determine if the vendor is primarily responsible for the breach.

An example where the vendor was unmistakably at fault is the case of the
Stanford Hospital data breach. The hospital’s business associate (BA),
Multi-Specialty Collection Services, LLC, posted 20,000 patients’ emergency
room records, including hospital account numbers, billing charges, and
emergency room admission and discharge dates, to a student homework website
asking how to graph the patients’ data. Stanford Hospital properly
encrypted the records before sending them to the vendor, but they were
still responsible for paying the administration costs of the $4 million
settlement. The hospital also agreed to train its vendors on how to most
effectively protect patient data. Since vendors are typically smaller
entities, they likely have fewer resources, and this could affect the
settlement amount.