In our forthcoming report on protecting applications, we commissioned Ponemon to conduct a large global survey of security professionals about application security. One question we asked was about the estimated financial impact of a cyber-attack that resulted in the leakage of personally identifiable information (PII) about customers, consumers, or employees. Of the 3,135 responses we received, the most popular range, chosen by 24% of respondents, was $500,001 to $1,000,000. Ponemon extrapolated the future value of breaches at $6.56 million. This doesn’t take into account company size or the number of breached records, the two biggest factors in breach costs. Based on the settlement costs we profile in this article, which do not cover the organizations’ breach remediation costs, compliance fines, or legal fees, we believe organizations are drastically underestimating their true breach costs.
What do breach costs consist of? They can include anything from incident response investigation costs, remediation costs, reputation damage, loss of sales, and operational downtime to compliance penalties. Another significant cost that hasn’t historically been a major contributor to breach costs, but is now becoming more and more frequent, is lawsuits. We decided to get some hard numbers to compare to our survey responses. Lawsuit settlements for large data breaches are public knowledge, so we compiled this review of data breach lawsuits resulting from cyber-attacks.
The most common source of monetary damages in lawsuits comes from class action lawsuits, where a single plaintiff sues on behalf of a class of injured parties. Usually the suit represents all of the breached users in a single lawsuit. Other times, separate lawsuits are combined into a single class action lawsuit. Here is a summary of some of the more notable class action lawsuits from the past few years:
Stanford Hospital: medical information of nearly 20,000 emergency room patients was published online [1]. Basis of suit: violation of the Confidentiality of Medical Information Act.
St. Joseph Health System: breach of 31,800 patient health records [2]. Basis of suit: violation of the Confidentiality of Medical Information Act (CMIA); negligence; violation of the California Unfair Competition Law and the California Business and Professions Code.
LinkedIn: cyber-criminals published 6.5 million user passwords online. Basis of suit: premium subscribers purchased the service with the understanding that LinkedIn offered industry-standard security.
Malware compromised 42 million payment cards and the names and addresses of 61 million customers [4]. Basis of suit: banks sued to be compensated for their losses.
Event ticket seller website hacked; customer names, contact information, and payment card information were stolen [5]. Basis of suit: allowed customer information to be put at risk.
Breach of the retailer’s computer systems [6]. Basis of suit: inadequate security systems.
Breach compromised the credit card data of approximately 350,000 customers [7]. Basis of suit: violation of state unfair business practice statutes, invasion of privacy, state data breach acts, unjust enrichment, breach of implied contract, and negligence.
Breach of point-of-sale systems by payment-card-stealing malware [8]. Basis of suit: failure to implement adequate protection.
Employees’ personal information exposed in a massive data breach [9]. Basis of suit: negligence and privacy violations.
Use of unsecured web addresses caused data exposure [10]. Basis of suit: failure to take reasonable steps to keep its users’ data secure.
Tampa General Hospital: former employees inappropriately accessed patient information [11]. Basis of suit: negligence, breach of fiduciary duty, breach of implied contract, and violation of the Florida Deceptive and Unfair Trade Practices Act.
PNI Digital Media (settlement: $250 per person): hackers used malware to capture user information on PNI servers [12]. Basis of suit: reimbursement for losses.
Breach of 80 million current and former U.S. customers and employees [13]. Basis of suit: negligence and failure to provide adequate and timely notice.
Data breach exposed 36 million accounts [14]. Basis of suit: poor security and deceptive business practices.
Scammed out of current and past employees’ W-2 forms [15].
Class action suits by data breach victims aren’t the only lawsuits that impact breached organizations. State Attorneys General have also filed and won legal settlements on behalf of their citizens whose information was breached. Some “repeat customers,” like Target and Ashley Madison, received additional financial judgments as a result of the same large breach.
Nationwide Mutual Insurance: breach affecting more than 1.2 million individuals because of failure to apply a critical security patch [16]. Plaintiffs: 32 states and the District of Columbia.
Malware compromised 42 million payment cards and the names and addresses of 61 million customers [17]. Plaintiffs: 47 states and the District of Columbia.
Adobe: breach of Adobe’s public-facing servers to steal customer data [18]. Plaintiffs: 15 state attorneys general.
Cottage Health System: two breaches exposed 55,000 patients’ data because of a lack of encryption, password protection, or firewall [19].
Data breach of 350,000 payment cards; the defendant lacked reasonable data security and waited too long to report [20]. Plaintiffs: New York and Vermont.
Data breach exposed 36 million accounts. Plaintiffs: 13 states plus the District of Columbia.
At the national level, the Federal Trade Commission (FTC) has never been shy about stepping up with its own lawsuits against organizations that fail to protect customer data. Again, we see repeats, like Ashley Madison.
Data breach exposed 36 million accounts [21]. Basis of suit: deceived consumers and failed to protect them; the defendants assured users their personal information was private and securely protected.
VTech: an unauthorized party accessed the data of VTech customers, 6.4 million children and 4.9 million adults [22, 23]. Basis of suit: failed to provide direct notice to parents or obtain verifiable parental consent as required under the Children’s Online Privacy Protection Act (COPPA).
Publicly held companies can also be subject to shareholder lawsuits. Yahoo got hit with an $80 million data breach-related securities class action lawsuit [24] for negligence and failing to protect and inform consumers. Shareholders were especially angry since this breach cut $350M from the sale price to Verizon [25].
These are just a few examples; many more lawsuits are adjudicating now. In the coming months and years, we can look forward to resolution of the following lawsuits:
As you can see, there are many justifications for a data breach lawsuit, including breach of contract, negligence, breach of the covenant of good faith, unfair competition (the breached organization spent less on cyber-defense than its peers’ standard), misrepresentation or deceptive acts (related to cyber-defense practices), breach of fiduciary duty, and violation of state breach notification laws.
It’s been said that bulls do not win bullfights, people do; and people do not win people fights, lawyers do [26]. Even if an organization does well in a lawsuit settlement, there are still attorney fees to consider. Adobe racked up $1.18 million in legal fees [27], while Ashley Madison spent $3.7 million on its defense [28]. Target takes the prize with a whopping $202 million in legal fees and related costs associated with its breach [29]. Indeed, lawyers are even more expensive than security personnel! With breaches breaking out everywhere, it pays to support your legal team with a solid plan for dealing with liability and a good foundational security posture. Even if you aren’t at fault, if you get hit with a breach, you can expect a lawsuit, or lawsuits, to come your way.
More to come in our Application Protection Report July 25th
The idea for this article came from a Ponemon survey we conducted for an upcoming flagship security report. We asked security pros to estimate the potential damage of a breach, and decided to chase down some hard numbers to compare against their estimates. Be on the lookout for more in-depth analysis and findings to come in our Application Protection Report, which will be published here on F5 Labs on July 25, 2018!