The rise in the number of class action lawsuits that follow a data breach has become a new and troubling concern for businesses, as ransomware attacks and other cybersecurity threats become increasingly sophisticated. Corporate executives now need to be mindful of the risk of legal action against their businesses: a survey of in-house litigation leaders found that cybersecurity and data protection issues will be top drivers of new disputes in the coming years.
In 2020, a class action lawsuit arising from a cyberattack at credit-rating company Equifax resulted in a $700 million settlement, with $425 million designated to compensate consumers. Other data breach class action lawsuits have resulted in substantial settlements, with Capital One reaching a $190 million settlement, Uber agreeing to pay $148 million, and most recently, T-Mobile agreeing to pay $350 million to resolve claims that it failed to prevent a data breach affecting 76 million Americans.
The recent high settlements highlight the critical importance of prioritizing cybersecurity, says Mike Morgan, Partner and U.S. Head of Global Privacy and Cybersecurity at law firm McDermott Will & Emery. “Cybersecurity breaches are a risk to all organizations, and that’s been true for many years,” he says. “But over time, the extent of the risk has grown significantly.”
With the growing number of class action lawsuits, boards must take action to strengthen their commitment to cybersecurity, protecting themselves against legal action and preparing for a shifting legal landscape.
In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require public companies to make standardized disclosures on cybersecurity strategy, risk management, incident reporting, and governance, and to disclose board members with expertise in security.
The importance of the board in cybersecurity cannot be overemphasized. The board controls the resources required to ensure that its organization has adequate IT and information security functions, and it also encourages a culture of openness and frank discussions about cybersecurity maturity, says Morgan. Culture often starts with the board and a C-suite determination that cybersecurity matters, he adds.
As uses of AI and data become more powerful, boards should expect to lead more discussions about the controls they have in place for protection, says Morgan. The new SEC rules require companies to develop and maintain “reasonable” cybersecurity practices, and this gray area will likely be a topic of future lawsuits.
“In the course of those discussions, there will be debates about what standards should be applied to determine what’s reasonable or not, and to what extent the question of reasonableness is determined by the path of attack versus an organization’s overall cybersecurity,” he says.
As data breach cases and the number of large data breach class action settlements continue to grow, decision-makers will need to recognize the risks from inadequate security, Morgan concludes. “That means there will need to be more discussions about these issues,” he adds, and businesses will need to act with urgency.