CISO
May 02, 2018

Breach Costs Are Rising with the Prevalence of Lawsuits

blog
8 min. read
By Ray Pompon

In our forthcoming report on protecting applications, we commissioned Ponemon to conduct a large global survey of security professionals about application security. One question asked for the estimated financial impact of a cyber-attack that resulted in the leakage of personally identifiable information (PII) about customers, consumers, or employees. Of the 3,135 responses we received, the most commonly chosen range, picked by 24% of respondents, was $500,001 to $1,000,000. From these responses, Ponemon extrapolated a future breach cost of $6.56 million. That figure does not take into account company size or the number of breached records, the two biggest factors in breach costs. Based on the settlement costs we profile in this article, which do not even cover the organizations’ breach remediation costs, compliance fines, or legal fees, we believe organizations are drastically underestimating their true breach costs.

Figure 1: Cost of confidential data breach - F5 Ponemon security survey

What do breach costs consist of? They can include incident response and investigation costs, remediation costs, reputation damage, lost sales, operational downtime, and compliance penalties. Another significant cost, one that historically hasn’t been a major contributor but is now becoming more and more frequent, is lawsuits. We decided to gather some hard numbers to compare against our survey responses. Settlements of lawsuits over large data breaches are public knowledge, so we compiled this review of data breach lawsuits resulting from cyber-attacks.

Class Action Lawsuits

The most common source of monetary damages is the class action lawsuit, in which a single plaintiff sues on behalf of a class of injured parties. Usually the suit represents all of the breached users in a single action; other times, separate lawsuits are consolidated into one class action. Here is a summary of some of the more notable class action settlements from the past few years:

Defendant | Settlement | Year | Breach case | Justification
--- | --- | --- | --- | ---
Stanford Hospital | $4.1 million | 2010 | Medical information of nearly 20,000 Stanford Hospital emergency room patients was published online [1] | Violation of the Confidentiality of Medical Information Act
St. Joseph Health System | $3 million | 2012 | Breach of 31,800 patient health records [2] | Violation of the Confidentiality of Medical Information Act (CMIA); negligence; violation of the California Unfair Competition Law and the California Business and Professions Code
LinkedIn | $1.25 million | 2012 | Cyber-criminals published 6.5 million user passwords online | Premium subscribers purchased the service with the understanding that LinkedIn offered industry-standard security
Target | $39 million | 2013 | Malware compromised 42 million payment cards and the names and addresses of 61 million customers [4] | Banks’ lawsuit to compensate for their losses
Vendini | $3 million | 2013 | Event ticket seller’s website hacked; customer names, contact information, and payment card information were stolen [5] | Allowed customer information to be put at risk
MAPCO Express | $1.9 million | 2013 | Breach of the retailer’s computer systems [6] | Inadequate security systems
Neiman Marcus | $1.6 million | 2013 | Breach compromised the credit card data of approximately 350,000 customers [7] | Violation of state unfair business practice statutes, invasion of privacy, state data breach acts, unjust enrichment, breach of implied contract, and negligence
Home Depot | $13 million | 2014 | Breach of point-of-sale systems by payment card stealing malware [8] | Failure to implement adequate protection
Sony | $8 million | 2014 | Employees’ personal information exposed in a massive data breach [9] | Negligence and privacy violations
Yapstone | $4.9 million | 2014 | Use of unsecured web addresses caused data exposure [10] | Failure to take reasonable steps to keep its users’ data secure
Tampa General Hospital | $10,000 | 2014 | Former employees inappropriately accessed patient information [11] | Negligence, breach of fiduciary duty, breach of implied contract, violation of the Florida Deceptive and Unfair Trade Practices Act
PNI Digital Media | $250 per person | 2014 | Hackers used malware to capture user information on PNI servers [12] | Reimbursement for losses
Anthem, Inc. | $115 million | 2015 | Breach affecting 80 million current and former U.S. customers and employees [13] | Negligence; failure to provide adequate and timely notice
Ashley Madison | $11.2 million | 2016 | Data breach exposed 36 million accounts [14] | Poor security and deceptive business practices
Seagate Technology | $5.75 million | 2016 | Scammed out of current and past employees’ W-2 forms [15] | Negligence

State Attorneys General Lawsuits

Class action suits by data breach victims aren’t the only lawsuits that impact breached organizations. State Attorneys General have also filed and won legal settlements on behalf of their citizens whose information was breached. Some “repeat customers,” like Target and Ashley Madison, received additional financial judgments arising from the same large breach.

Defendant | Settlement | Year | Breach case | Attorney(s) General
--- | --- | --- | --- | ---
Nationwide Mutual Insurance | $5.5 million | 2012 | Breach affecting more than 1.2 million individuals because of failure to apply a critical security patch [16] | 32 states and the District of Columbia
Target | $18.5 million | 2013 | Malware compromised 42 million payment cards and the names and addresses of 61 million customers [17] | 47 states and the District of Columbia
Adobe | $1 million | 2013 | Breach of Adobe public-facing servers to steal customer data [18] | 15 state attorneys general
Cottage Health System | $2 million | 2013, 2015 | Two breaches exposed 55,000 patients’ data because of lack of encryption, password protection, or firewall [19] | California
Hilton | $700,000 | 2015 | Data breach of 350,000 payment cards; defendant lacked reasonable data security and waited too long to report [20] | New York and Vermont
Ashley Madison | $11.2 million | 2016 | Data breach exposed 36 million accounts | 13 states plus the District of Columbia

Federal Trade Commission Lawsuits

At the national level, the Federal Trade Commission (FTC) has never been shy about stepping up with its own lawsuits against organizations that fail to protect customer data. Again, we see repeat defendants, like Ashley Madison.

Defendant | Settlement | Year | Breach case | Reason
--- | --- | --- | --- | ---
Ashley Madison | $1.6 million | 2016 | Data breach exposed 36 million accounts [21] | Deceived consumers and failed to protect their data; defendants assured users their personal information was private and securely protected
VTech | $650,000 | 2015 | Unauthorized party accessed the data of VTech customers: 6.4 million children and 4.9 million adults [22, 23] | Failed to provide direct notice to parents or obtain verifiable parental consent as required under the Children’s Online Privacy Protection Act (COPPA)

Shareholder Lawsuits

Publicly held companies can also be subject to shareholder lawsuits. Yahoo got hit with an $80 million data breach-related securities class action lawsuit [24] for negligence and for failing to protect and inform consumers. Shareholders were especially angry because this breach cut $350M from the sale price to Verizon [25].

Future Pending Lawsuits

These are just a few examples; many more lawsuits are being adjudicated now. In the coming months and years, we can expect resolution of the following:

  • Arby’s — class action lawsuit regarding POS malware and failure to properly secure its customers’ payment card data
  • CareFirst — lawsuit for 2014 compromise of approximately 1.1 million customers’ data
  • Chipotle — lawsuit regarding a 2017 data breach in which the company failed to adequately protect personally identifiable information
  • Equifax — An unprecedented 50-state class-action lawsuit tied to the 2017 breach of 145.5 million individuals’ data
  • Forever 21 — lawsuit for 2017 breach of payment card data due to encryption being turned off on some POS devices
  • GameStop — class action lawsuit for deceptive trade of consumer shopping data exposed on the company’s online store between August 10, 2016 and February 9, 2017
  • GameStop — class action lawsuit for the 2016 theft of payment card data under inadequate cybersecurity
  • Intercontinental Hotels — class action lawsuit related to 2017 POS malware infection
  • P.F. Chang’s — class action lawsuit for exposure of 7 million payment cards in 2014
  • Sonic restaurants — class action lawsuit alleging negligence regarding a point-of-sale (POS) hack that exposed customer payment card data
  • Sprouts natural foods store chain — class action lawsuit relating to a phishing scam and the loss of employee W-2 information
  • Sunrun — class action lawsuit for 2017 hack into the company’s payroll system, leaking thousands of employees’ financial data
  • Tempur Sealy — class action lawsuit regarding malware infection in 2016 that stole payment card data at hosting provider Aptos’ platform
  • Uber — lawsuit alleging substantial negligence in the loss of data of 50 million customers and 7 million drivers

Assume Breach—and Have Good Lawyers on Retainer

As you can see, there are many justifications for a data breach lawsuit, including breach of contract, negligence, breach of the covenant of good faith, unfair competition (the breached organization spent less on cyber-defense than the standard set by its peers), misrepresentation or deceptive acts (related to cyber-defense practices), breach of fiduciary duty, and violation of state breach notification laws.

It’s been said that bulls do not win bullfights, people do; and people do not win people fights, lawyers do [26]. Even if an organization fares well in a lawsuit settlement, there are still attorney fees to consider. Adobe racked up $1.18 million in legal fees [27], while Ashley Madison spent $3.7 million on its defense [28]. Target takes the prize with a whopping $202 million in legal fees and related costs associated with its breach [29]. Indeed, lawyers are even more expensive than security personnel! With breaches breaking out everywhere, it pays to support your legal team with a solid plan for dealing with liability and a good foundational security posture. Even if you aren’t at fault, if you get hit with a breach, you can expect a lawsuit, or several, to come your way.

More to come in our Application Protection Report July 25th

The perspective for this article was actually derived from a Ponemon survey we conducted for an upcoming flagship security report. We asked security pros to estimate the potential damage of a breach, and then decided to chase down some hard numbers to compare against their estimates. Be on the lookout for more in-depth analysis and findings in our Application Protection Report, which will be published here on F5 Labs on July 25, 2018!