Best Practices for Efficiently and Effectively Settling Data Breach Claims

Source: InsideCounsel.com
Date: October 27, 2014

Cathy Yanni

Claims can effectively be resolved by creating the proper settlement process and securing court involvement early on.

Reprinted with permission from InsideCounsel, October 27, 2014.

Target, Home Depot, JPMorgan Chase and a number of other retailers, financial institutions and health care providers have all been victims of data breach. Defined as an invasion of privacy of an internal database that is breached, data breaches result in consumers’ sensitive and confidential information being lost or stolen. There seems to be no end in sight, and even smaller companies are increasingly suffering intrusions of their databases. According to the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a data breach to a company was $3.5 million, 15 percent more than what it cost the previous year.

Inevitably, once there has been a data breach, some sort of litigation is filed. Cases can be filed in state and federal courts, and many state court systems, such as California, have a coordinated proceeding provision so that multiple cases can be assigned to one judge. In federal court, data breach cases are often filed as class actions and multi-district litigation (MDL). Federal courts have been hostile to utilizing class action statutes, since the U.S. Constitution requires “injury in fact” that is “concrete and particularized.” Plaintiffs seeking class action statutes often find it difficult to obtain certification. Federal Rules of Civil Procedure 23(b) mandates that questions of law or fact common to class members predominate over questions affecting only individual members. So MDL has become the most effective tool to resolve these claims. As an example, the Target case has been transferred to Federal Judge Paul Magnuson as an MDL.

After the litigation filing, consideration should be given to the timing of settlement discussions. As a starting point, a detailed chronology should be developed and can be used as an exhibit to the mediation brief. When was there notice to affected customers? Efficient response to the data breach and damage containment has been shown to reduce the cost of breach significantly. Under the right circumstances, an effective mediation can be held before class certification. In the case of an MDL or consolidated state litigation, the plaintiff’s steering committee and the lead defendants can meet to decide if the timing is right to begin settlement discussions.

One of the first avenues of exploration is whether or not there is applicable insurance to help fund a settlement. Insurers have developed policies of insurance that cover data breaches. If there is no specific policy, a business’s comprehensive and general liability (CGL), directors’ and officers’ liability (D&O) and crime coverage, often included in fidelity policies, might apply. Obviously the litigation needs to be tendered to the insurer and, once a mediation is set, coverage counsel and representatives from the insurers should attend the session.

A settlement process needs to be designed to accommodate a variety of unique circumstances in play with data breach disputes. Ascertainability is an issue for obtaining certification and makes it difficult to determine who is a member of the class. Identifying class members must be taken into account with any mediation process. In data breaches where financial information and/or social security numbers have been stolen, it is common for the settlement to provide for 1-2 years of identity theft monitoring. Monitoring can be expensive and can cost as much as $20 per year, per class member. In large data breaches, such as the JPMorgan Chase breach, where it is estimated that 76 million households and seven million businesses were affected, this can result in astronomical sums. Therefore credit monitoring for all plaintiffs is cost prohibitive. As a solution, class members may have to verify that they were harmed, or class members can obtain identity fraud monitoring if it is affirmatively requested.

Many of the settlements involve an aggregate cap for the total settlement and an individual cap on a per person basis. For example, a person could have a cap of $25,000 and the entire settlement have a cap of $25 million. Generally, the defendant pays all reasonable and actual incurred costs for notice, claims administration, settlement website and claims process assistance. There can also be a tier for larger payments for victims who can show extraordinary injury. Defendants also generally agree to implement corrective measures to enhance their security measures to reduce the risk of data loss or theft.

Parties can utilize cy pres, but as a result of recent federal cases, thought needs to be given to the selection of the recipient of the funds, usually non-profit or educational organizations. The selected recipient’s activities must be sufficiently related to the subject matter of the lawsuit.

Another challenge to settlement is the claim for attorneys’ fees. Attorneys’ fees must be reasonable and the parties must show the fees incurred were allowable, and reasonably necessary to the conduct of the litigation, and that they were reasonable in amount. Parties can arrive at an agreed-upon amount as a result of the mediation. They can also reserve the right to file a motion before the court for fees. Another method may be to have the mediator make a recommendation to the court regarding the amount of fees.

All these cases, whether they are state court coordinated proceedings, federal class actions or MDLs, must be approved by the court. Judges are taking an active role in reviewing the settlement, including cy pres designations and attorneys’ fees. Counsel must demonstrate that the negotiations were at an arm’s length and resulted in a settlement that was fair and reasonable. Any claimed attorneys’ fees must be supported by detailed declarations that support the claim for fees. By creating the proper settlement process and securing court involvement early on, these claims can be resolved efficiently and effectively.

Cathy Yanni is a JAMS neutral with a practice that includes mediation, Special Master/Discovery Referee, arbitration, and class action settlement administration. She has successfully mediated, arbitrated, or acted as Special Master/Discovery Referee in more than 1,000 matters. She can be reached at cyanni@jamsadr.com.