The financial cost of a data breach is becoming clearer, and the picture isn't pretty for enterprises.
A number of recent enterprise data breaches have resulted in class-action lawsuits, and those data breach lawsuits have revealed a troubling trend about the rising costs of security failures in today's world. To this point, none of the major data breach lawsuits have gone to trial. While some are still pending, many others have resulted in expensive settlements that saw the enterprise in question paying out millions of dollars to the plaintiffs -- whether they are customers, employees, banks or credit card companies.
The data breach settlements, like all legal settlements, don't render any judgments about who was to blame or any substantial details about the incidents themselves. But the settlements offer hints at how much these class-action lawsuits may contribute to data breach costs in the near future, with liability depending on what was breached, who was affected and what type of information was exposed.
Whether hackers are mining for credit card numbers in poorly guarded point-of-sale systems or searching for personally identifiable information (PII) in the next vulnerable technology, such as the Internet of Things (IoT), the influx of data breaches continues and the lawsuits show no signs of slowing down. As enterprise security improves at a snail's pace, the financial costs of preventing and dealing with security incidents appear to be growing, and data breach settlements have reached staggering levels.
SearchSecurity took a closer look at the rash of data breach lawsuits and settlements to see why enterprises have largely found themselves on the losing end of these legal battles, and what it means for the future of enterprise security.
The root of data breach lawsuits
A company is never 100% protected from cybercriminals, hackers and nation-state actors, even with proper security measures, but there is a fine line for enterprises to walk. Experts said enterprises must make significant efforts to secure their infrastructure, and protect customer and employee data, or face the consequences in court.
Dave Chatfield, president of security risk assessment firm NetDiligence, based in Philadelphia, said when it comes to information security, there are simply no guarantees.
"Security consultants are there to move clients up the practice curve and get them to the point where the likelihood of a breach will become much less over time," Chatfield said. "But I don't think you'll get any security vendor who will say, 'We will guarantee you'll never be breached.'"
However, it's important to note that companies such as Target were at fault because their information security programs were inadequate. Security reporter Brian Krebs acquired an internal report that revealed the weaknesses found within Target's IT systems. The Verizon security consultants who performed the investigation were able to crack 86% of Target's passwords, which gave them access to internal networks. Many systems were outdated or missing security patches, and by exploiting apparent vulnerabilities "from an unauthenticated standpoint," the consultants gained full access to the network that contained all sensitive data.
Many of the major data breaches that have occurred within the past few years have faced class-action lawsuits and then settled, never facing time in court. Chatfield said that's likely because the company that was breached has no defense, like in the case of Target, and settling allows the company to move forward quickly and maybe escape the media spotlight.
"We've been waiting for a number of years for one of these class actions to work its way through the court and trial process, but there are lots of incentives on all sides to avoid that outcome, simply because it is the most unpredictable outcome," Chatfield said. "It's more efficient to deal with those issues privately than bringing them to court."
Data breach lawsuits: A new precedent?
In addition, class-action data breaches have a high rate of settlement, because the plaintiffs are required to show a "substantial risk that [the customers] will suffer harm as a result of a breach," according to Matthew Nelson, an information governance attorney at Symantec, based in Mountain View, Calif. But having a payment card stolen isn't enough to support a lawsuit, because the damage that the customers are alleging can't be too speculative.
However, a precedent was potentially set in the Neiman Marcus data breach case this year. Plaintiffs in the case argued that having their financial data stolen was evidence enough that they were in imminent risk of concrete injuries as a result of the 2013 breach. Originally, a U.S. District Court judge threw out the lawsuit, arguing that because the unauthorized credit card charges would be reimbursed for affected customers, the plaintiffs did not show sufficient injury or risk to injury.
But, this summer, a panel of judges in the 7th U.S. Circuit Court of Appeals overturned that decision and allowed the Neiman Marcus data breach lawsuit to move forward. The panel's decision stated that it was an "objectively reasonable likelihood" that injuries would occur from having personal and financial data stolen, and that reimbursements for fraudulent credit card charges did not protect the plaintiffs from other potential injuries, such as identity theft. Nelson said the decision in the 7th Circuit Court could have a major impact on data breach lawsuits.
"The court let the class action move forward, because the customers shouldn't be required to wait until the hacker commits identity theft or credit card fraud in order for the plaintiff to have standing," Nelson said. "It's objectively reasonable that damages will occur."
The precedent set in the Circuit Court could mean more data breach lawsuits will be filed in the future -- regardless of whether or not the customer or employee data has been exploited -- leading to even higher data breach costs for enterprises.
Comparing the cost of data breaches
As if the prospect of more data breach lawsuits wasn't enough, enterprise data breaches themselves are becoming a common and even expected occurrence. When companies are negligent in protecting the customer's personal data, it gives cybercriminals an easy leg up. But experts said targeted attacks on major enterprises are harder to detect and prevent.
"The techniques used by the bad guys are becoming more sophisticated. The threat is constantly evolving," Nelson said. "For example, in our Internet Security Threat Report, zero-day vulnerabilities were at an all-time high. Once the bad guys are in the network, they stay there undetected for a longer period of time, which means they can do more damage."
Furthermore, data breach lawsuits can be extremely costly, because the more sensitive the data, the larger the settlement. In some cases, the settlement figures aren't disclosed. For example, the class-action lawsuit regarding the Adobe data breach in 2013, which saw 38 million customer usernames, email addresses, encrypted passwords and encrypted credit card numbers stolen, was settled this summer for an undisclosed amount. Adobe paid $1.2 million in legal fees as part of the settlement, but the actual amount paid to customers is unknown.
Other settlements are public, and by looking at recently settled data breach lawsuits -- ranging in company size and industry -- there appears to be a correlation between the type of information that was stolen and the amount of the settlement. For example, the LinkedIn data breach in 2012, which saw encrypted passwords for 6.5 million users stolen -- and later compromised by hackers -- resulted in the social networking company paying a settlement of $1.25 million, which was devoted strictly to 800,000 LinkedIn premium subscribers.
Meanwhile, a health insurance provider, AvMed Inc., last year settled a class-action data breach lawsuit for $3 million after the personal information of 460,000 individuals was stolen. AvMed settled for more than twice as much as LinkedIn, even though the number of affected customers was almost half. Why? The data stolen from AvMed included sensitive PII, such as customers' names, addresses, Social Security numbers and medical information.
"There's definitely a correlation between the value of the data stolen and the settlement amount," Nelson said.
Some class-action data breach lawsuits are filed on behalf of customers. Others, as you'll see below, are filed by banks, credit card companies and the federal government. Here's a list of recent data breach settlements:
- The LinkedIn data breach affected 6 million users, whose usernames and passwords were compromised. The $1.25 million settlement fund only applied to the 800,000 individuals with premium subscriptions.
- In the AvMed data breach, more than 1 million Social Security numbers and health records were compromised. The company settled for $3.1 million.
- The Target data breach in 2013 affected over 100 million customers, whose credit card numbers, names, address, email address and phone numbers were stolen. The retail giant settled a customer class-action lawsuit for $10 million.
- Target also settled two related lawsuits with credit card companies MasterCard and Visa for $39 million and $67 million, respectively. The settlement covers the costs of fraudulent charges that were reimbursed by banks and other financial services companies that issued the affected credit and debit cards.
- Wyndham Hotels and Resorts this month agreed to settle a U.S. Federal Trade Commission lawsuit related to three separate data breaches that repeatedly exposed customers' credit card information. Instead of paying a settlement fee, the hotel company agreed to conduct annual IT security audits -- including audits for PCI DSS compliance -- for the next 20 years.
- Stanford University Hospital and Clinics settled a class-action lawsuit for $4.1 million after 20,000 patients' health records were compromised in a 2011 data breach.
- The Sony PlayStation Network data breach in 2011 affected 77 million users, and exposed customer names and addresses, login credentials and encrypted credit card numbers. Sony settled for $15 million, but the company denied any wrongdoing.
- Sony Pictures Entertainment suffered a major breach in late 2014, which exposed sensitive employee information, such as PII, salaries, criminal background checks, performance reviews and internal communications. The studio recently settled a lawsuit filed by former employees for $8 million.
- Online ticketing vendor Vendini Inc. settled a class-action lawsuit for $3 million last year after credit card information, email addresses, phone numbers and PII of an undisclosed number of customers were compromised in a 2013 data breach.
- Supermarket chain Schnuck Markets Inc. suffered a data breach in late 2012, which exposed credit card information of 2.4 million customers. The company agreed to settle the lawsuit for $2.1 million.
A few pending lawsuits include Home Depot, Neiman Marcus, Excellus BlueCross BlueShield, Community Health Systems Inc., and the U.S. Office of Personnel Management. Currently, Avid Life Media Inc., which owns the extramarital affairs website Ashley Madison, faces a $578 million class-action lawsuit from two Canadian law firms due to the now infamous breach of Ashley Madison this year. The fallout has been extreme, with unconfirmed reports of suicides, along with public embarrassment, blackmail attempts and divorces related to the exposed information. Given the size of the lawsuit, it could run Ashley Madison into bankruptcy.
The price of data
Since data breaches are commonplace now, credit card customers are getting used to replacing cards once a year or every two years. Credit card and debit card numbers have a finite lifetime, because when they are compromised, credit card companies and customers waste no time in replacing them.
"The lifetime value of those cards is steadily decreasing over time, while the value of Social Security numbers, driver's license numbers or healthcare records last much longer," Chatfield said. "That kind of data is the kind of data that a criminal can just sit on and utilize at a later point in time. The accuracy of that data is not going to diminish over time."
Even the price of personally identifiable information on the black market is plateauing these days. According to TrendMicro's 2015 report, Follow the Data: Dissecting Data Breaches and Debunking Myths, the average price of PII has fallen this year from around $4 in 2014 to $1 per line, where each line contains a name, a full address, a date of birth, a Social Security number and other information.
This is most likely due to an oversupply of PII from the growing influx of data breaches in recent years. More data breaches mean more stolen data is available, which inevitably depresses prices.
Christopher Budd, a threat communications manager at Trend Micro Inc., based in Irving, Texas, noted that with a lower demand for PII, hackers will want data that is more accessible, intrusive and valuable. The "Target" type data breach that we've seen for the past few years will subside and the cybercriminals will move on to new forms of data, such as information related to IoT devices, he said, because this data is less secure.
It's not just companies that are at risk, because now, there is a growing market for the IoT with consumer devices. "IoT is certainly the next frontier for privacy data breaches," Chatfield said. "The potential is there. If we were having the same conversation in 2018, I won't be surprised if that will be the hot topic of the conversation."
IoT introduces a stream of data, new devices and traffic that is all interconnected with personal devices at home, such as lights, security cameras, thermostats, baby monitors, door locks, air-quality monitors, activity levels and more. Unfortunately, since people are so focused on the nifty new gadgets, they don't think about safety. IoT is growing at an exponential pace and security standards cannot keep up.
"There's a rush to develop new technology," Nelson said, "but sometimes, the security checks and balances aren't keeping up with the technology development."
Still, everything that contains any kind of personal information has a price on it. TrendMicro's report listed types of data and their prices on the black market. For example, mobile phone accounts in the U.S. are available for up to $14. Compromised accounts on PayPal, eBay, Facebook, FedEx, Netflix and Amazon are available for purchase on the black market. Most recently, Uber accounts have grown in popularity because they can be charged with "phantom rides." Mature accounts on PayPal and eBay -- meaning accounts with years of transaction history -- sell for up to $300, because they are "less likely to be flagged for suspicious transactions." Login credentials for bank accounts are more expensive, at between $200 and $500. Credit reports are also available to purchase for $25. Scanned documents, such as passports and drivers' licenses, run between $10 and $35.
Chatfield acknowledged a decreased need for PII on the black market and said there is a growing demand for intellectual property. "Particularly in China and Russia, the nature of intellectual property from various sectors of the world is becoming a more important target than just credit card numbers."
The cost of a data breach, aside from lawsuit settlements, is considerable. It includes lawyer fees, employees working overtime, installing new security software, media control, loss of brand value, higher cybersecurity insurance rates and loss of revenue. With the number of data breach lawsuits increasing each year, it's likely that there will be a point when a lawsuit goes to trial and potentially jeopardizes the future of the company. Even for those companies that invest heavily in cybersecurity, it's hard work to keep up with requirements, compliance measures and emerging threats in an industry that's constantly changing. And with those moving targets, it will be difficult -- if not impossible -- for enterprises to ensure they won't face any legal action in the event of a breach.
"If you can say we did A, B, C and D, then everyone could agree you met the minimum requirements for security. But there is no single list out there that says you need to do these things," Budd said. "Lacking that, in any sort of analysis, there is a degree to which you are getting into a realm of opinion, rather than consensus."