In our forthcoming report on protecting applications, we commissioned Ponemon to conduct a large global survey of security professionals about application security. One question we asked was about the estimated financial impact of a cyber-attack that resulted in the leakage of personally identifiable information (PII) about customers, consumers, or employees. Of the 3,135 responses we received, the most popular range, chosen by 24% of respondents, was $500,001 to $1,000,000. Ponemon extrapolated the future value of breaches at $6.56 million. This doesn’t take into account company size or the count of breached records, the two biggest factors in breach costs. Based on the settlement costs we profile in this article, which do not cover the organizations’ breach remediation costs, compliance fines, or legal fees, we believe organizations are drastically underestimating their true breach costs.
Figure 1: Cost of confidential data breach - F5 Ponemon security survey
What do breach costs consist of? They can include incident response and investigation costs, remediation costs, reputation damage, lost sales, operational downtime, and compliance penalties. Another significant cost that hasn’t historically been a major contributor to breach costs, but is now becoming more and more frequent, is lawsuits. We decided to get some hard numbers to compare to our survey responses. Lawsuit settlements for large data breaches are public knowledge, so we compiled this review of data breach lawsuits resulting from cyber-attacks.
Class Action Lawsuits
The most common source of monetary damages in lawsuits is the class action lawsuit, where a single plaintiff sues on behalf of a class of injured parties. Usually the suit represents all of the breached users in a single lawsuit; other times, separate lawsuits are combined into a single class action. Here is a summary of some of the more notable class action lawsuits from the past few years:
| Defendant | Settlement | Year | Breach case | Basis of claim |
|---|---|---|---|---|
| Stanford Hospital | $4.1 million | 2010 | Medical information of nearly 20,000 Stanford Hospital emergency room patients was published online [1] | Violation of the Confidentiality of Medical Information Act |
| St. Joseph Health System | $3 million | 2012 | Breach of 31,800 patient health records [2] | Violation of the Confidentiality of Medical Information Act (CMIA); negligence; violation of the California Unfair Competition Law and the California Business and Professions Code |
| LinkedIn | $1.25 million | 2012 | Cyber-criminals published 6.5 million user passwords online | Premium subscribers purchased the service with the understanding that LinkedIn offered industry-standard security |
| Target | $39 million | 2013 | Malware compromised 42 million payment cards and the names and addresses of 61 million customers [4] | Banks’ lawsuit to compensate for their losses |
| Vendini | $3 million | 2013 | Event ticket seller’s website hacked; customer names, contact information, and payment card information were stolen [5] | Allowed customer information to be put at risk |
| MAPCO Express | $1.9 million | 2013 | Breach of the retailer’s computer systems [6] | Inadequate security systems |
| Neiman Marcus | $1.6 million | 2013 | Breach compromised the credit card data of approximately 350,000 customers [7] | Violation of state unfair business practice statutes, invasion of privacy, state data breach acts, unjust enrichment, breach of implied contract, and negligence |
| Home Depot | $13 million | 2014 | Breach of point-of-sale systems by payment-card-stealing malware [8] | Failure to implement adequate protection |
| Sony | $8 million | 2014 | Employees’ personal information exposed in a massive data breach [9] | Negligence and privacy violations |
| Yapstone | $4.9 million | 2014 | Use of unsecured web addresses caused data exposure [10] | Failure to take reasonable steps to keep its users’ data secure |
| Tampa General Hospital | $10,000 | 2014 | Former employees inappropriately accessed patient information [11] | Negligence, breach of fiduciary duty, breach of implied contract, violation of the Florida Deceptive and Unfair Trade Practices Act |
| PNI Digital Media | $250 per person | 2014 | Hackers used malware to capture user information on PNI servers [12] | Reimbursement for losses |
| Anthem, Inc. | $115 million | 2015 | Breach of 80 million current and former U.S. customers and employees [13] | Negligence, failure to provide adequate and timely notice |
| Ashley Madison | $11.2 million | 2016 | Data breach exposed 36 million accounts [14] | Poor security and deceptive business practices |
| Seagate Technology | $5.75 million | 2016 | Scammed out of current and past employees’ W-2 forms [15] | Negligence |
State Attorneys General Lawsuits
Class action suits by data breach victims aren’t the only lawsuits that impact breached organizations. State attorneys general have also filed suits and won legal settlements on behalf of their citizens whose information was breached. Some “repeat customers,” like Target and Ashley Madison, received additional financial judgments as a result of the same large breach.
| Defendant | Settlement | Year | Breach case | Attorney(s) General |
|---|---|---|---|---|
| Nationwide Mutual Insurance | $5.5 million | 2012 | Breach affecting more than 1.2 million individuals because of failure to apply a critical security patch [16] | 32 states and the District of Columbia |
| Target | $18.5 million | 2013 | Malware compromised 42 million payment cards and the names and addresses of 61 million customers [17] | 47 states and the District of Columbia |
| Adobe | $1 million | 2013 | Breach of Adobe public-facing servers to steal customer data [18] | 15 state attorneys general |
| Cottage Health System | $2 million | 2013, 2015 | Two breaches exposed 55,000 patients’ data because of lack of encryption, password protection, or a firewall [19] | California |
| Hilton | $700,000 | 2015 | Data breach of 350,000 payment cards; defendant lacked reasonable data security and waited too long to report [20] | New York and Vermont |
| Ashley Madison | $11.2 million | 2016 | Data breach exposed 36 million accounts | 13 states plus the District of Columbia |
Federal Trade Commission Lawsuits
At the national level, the Federal Trade Commission (FTC) has never been shy about stepping up with its own lawsuits against organizations that fail to protect customer data. Again, we see repeat defendants, like Ashley Madison.
| Defendant | Settlement | Year | Breach case | Basis of claim |
|---|---|---|---|---|
| Ashley Madison | $1.6 million | 2016 | Data breach exposed 36 million accounts [21] | Deceived consumers and failed to protect them; defendants assured users their personal information was private and securely protected |
| VTech | $650,000 | 2015 | Unauthorized party accessed the personal data of VTech customers: 6.4 million children and 4.9 million adults [22][23] | Failed to provide direct notice to parents or obtain verifiable consent from parents as required under the Children’s Online Privacy Protection Act (COPPA) |
Publicly held companies can also be subject to shareholder lawsuits. Yahoo got hit with an $80 million data breach-related securities class action lawsuit [24] for negligence and for failing to protect and inform consumers. Shareholders were especially angry because the breach cut $350 million from the sale price to Verizon. [25]
Future Pending Lawsuits
These are just a few examples; many more lawsuits are being adjudicated now. In the coming months and years, we can look forward to resolution of the following lawsuits:
- Arby’s — class action lawsuit regarding POS malware and failure to properly secure its customers’ payment card data
- CareFirst — lawsuit for 2014 compromise of approximately 1.1 million customers’ data
- Chipotle — lawsuit regarding a 2017 data breach in which the company failed to adequately protect personally identifiable information
- Equifax — an unprecedented 50-state class action lawsuit tied to the 2017 breach of 145.5 million individuals’ data
- Forever 21 — lawsuit for 2017 breach of payment card data due to encryption being turned off on some POS devices
- GameStop — class action lawsuit for deceptive trade practices over consumer shopping data exposed on the company’s online store between August 10, 2016 and February 9, 2017
- GameStop — class action lawsuit for the 2016 theft of payment card data under inadequate cybersecurity
- Intercontinental Hotels — class action lawsuit related to 2017 POS malware infection
- P.F. Chang’s — class action lawsuit for exposure of 7 million payment cards in 2014
- Sonic restaurants — class action lawsuit alleging negligence regarding a point-of-sale (POS) hack that exposed customer payment card data
- Sprouts natural foods store chain — class action lawsuit relating to a phishing scam and the loss of employee W-2 information
- Sunrun — class action lawsuit for a 2017 hack into the company’s payroll system, leaking thousands of employees’ financial data
- Tempur Sealy — class action lawsuit regarding malware infection in 2016 that stole payment card data at hosting provider Aptos’ platform
- Uber — lawsuit alleging substantial negligence in the loss of data on 50 million customers and 7 million drivers
Assume Breach—and Have Good Lawyers on Retainer
As you can see, there are many justifications for a data breach lawsuit, including breach of contract, negligence, breach of the covenant of good faith, unfair competition (the breached organization spent less on cyber-defense than its peers’ standard), misrepresentation or deceptive acts (related to cyber-defense practices), breach of fiduciary duty, and violation of state breach notification laws.
It’s been said that bulls do not win bullfights, people do; and people do not win people fights, lawyers do. [26] Even if an organization does well in a lawsuit settlement, there are still attorney fees to consider. Adobe racked up $1.18 million in legal fees [27], while Ashley Madison spent $3.7 million on its defense. [28] Target takes the prize with a whopping $202 million in legal fees and related costs associated with its breach. [29] Indeed, lawyers are even more expensive than security personnel! With breaches breaking out everywhere, it pays to support your legal team with a solid plan for dealing with liability and a good foundational security posture. Even if you aren’t at fault, if you get hit with a breach, you can expect a lawsuit, or lawsuits, to come your way.
More to come in our Application Protection Report July 25th
The idea for this article came from a Ponemon survey we conducted for an upcoming flagship security report. We asked security pros to estimate the potential damage of a breach, and decided to chase down some hard numbers to compare against their estimates. Be on the lookout for more in-depth analysis and findings to come in our Application Protection Report, which will be published here on F5 Labs on July 25, 2018!