With ransomware attacks and other cybersecurity threats becoming more sophisticated, companies face a new, troubling concern: the rise in class action lawsuits that follow a data breach.
As if the production delays and reputational damage from such attacks aren’t bad enough, now executives must also consider the risk of winding up in court. A recent survey of in-house litigation leaders from global corporations found that cybersecurity and data protection issues will be top drivers of new disputes over the next few years.
Along with the climbing number of class action lawsuits is the soaring price tag of settlements. In 2020, one of the most high-profile and expensive cases—a cyberattack at credit-ratings company Equifax—resulted in a class action lawsuit that awarded a $700 million settlement, $425 million of which was earmarked to compensate consumers.
Other data breach class action lawsuits have also drawn substantial settlements: Capital One reached a $190 million settlement stemming from a massive 2019 data breach; Uber agreed to pay $148 million to settle civil litigation tied to a 2016 data breach; and most recently, T-Mobile agreed to pay $350 million to resolve claims that it failed to prevent a data breach that affected 76 million Americans. (The deadline for those individuals to file a claim was in January.)
Such sums make it clear, if it wasn’t already, that prioritizing cybersecurity is more critical than ever, notes Mike Morgan, partner and U.S. head of global privacy and cybersecurity at global law firm McDermott Will & Emery. “Cybersecurity breaches are a risk to all organizations, and that’s been true for many years,” he says. “But over time, the extent of the risk has grown significantly.”
And savvy boards are taking notice.
A confluence of events has dropped cybersecurity on the doorsteps of boards, says corporate governance expert Cynthia Clark, author of Giving Voice to Values in the Boardroom and professor of management at Bentley University. “There’s been this convergence of really disjointed fields that are amplifying one another—AI, machine learning, robotics, nanotechnology, biotechnology—which have really created an awareness of cybersecurity at the board level,” she says. “But I think there’s a bit of a gap between awareness of and responsibility for it on a board.”
The following actions can help boards fortify their commitment to cybersecurity, protect against class action lawsuits, and prepare for a changing legal landscape.
Establish strong cybersecurity expertise on the board
In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require public companies to make standardized disclosures on cybersecurity strategy, risk management, incident reporting, and governance. These rules would also require public companies to disclose board members who have expertise in security as well as the nature of that expertise.
A recent Wall Street Journal survey of 1,000 of the Russell 3000 companies found that just under 15% have disclosed having a director with cybersecurity expertise. Clark says this is an example of the disconnect between the awareness that cybersecurity is an important issue and responsibility for it within boards.
“Boards can bridge that gap by recognizing the pervasiveness of cybersecurity,” she says. “They need to actively seek out people with this experience, and there are plenty of those people around.” These individuals must understand regulatory requirements, the difference between privacy and security, and have expert communication skills, she adds. Being able to discuss how these matters affect the organization’s business model is crucial today, as is the need to distill cybersecurity information in moments of crisis.
SEC Chair Gary Gensler says that investors want to know more about how issuers are managing the growing cybersecurity risks. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” noted Gensler in an SEC press release. “If [the proposal was] adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Disclosing cybersecurity expertise could influence whether a class action lawsuit is brought against an organization—a well-rounded board, for example, could negate claims of negligence should a breach occur, while a lack of cybersecurity expertise on a board could factor into the decision to file a class action lawsuit.
Drive a culture of cybersecurity
The importance of the board in matters of cybersecurity can’t be underscored enough, Morgan says. The board controls the resources that are required to ensure that its organization has adequate IT and information security functions, and it’s also the entity that encourages a culture of openness and frank discussions about its cybersecurity maturity, he says.
“Culture often starts with the board and a C-suite determination that cybersecurity really matters. If that determination is pushed down through the organization—to legal, risk, contracts, and sales operations, for example—it empowers those functions to be more assertive,” he says. “Over time, you’ll see organizations mature. Voices become more assertive and you have breakthroughs, like sales involving these groups earlier in the process. You develop a sensitivity to these issues that wasn’t there before because it’s clear that this matters to senior management and the board.”
Lead discussions around reasonable cybersecurity measures
As uses of AI and data advance and become more powerful, boards should expect to lead more discussions about the controls they have in place for protection, Morgan says. Under the new SEC rules, for example, companies will be required to develop and maintain “reasonable” cybersecurity practices—though the SEC doesn’t define what’s reasonable or not. Morgan says this gray area will likely be front-and-center in future lawsuits.
“I do expect there to be lots of litigation and regulatory enforcement actions that center around the question of whether a particular entity has reasonable cybersecurity,” he says. “In the course of those discussions, there will be debates about what standards should be applied to determine what’s reasonable or not, and to what extent the question of reasonableness is determined by the path of attack versus an organization’s overall cybersecurity.”
As data breach cases continue—and as the number of large data breach class action settlements continues to grow—the risk from inadequate security will become more apparent to decision makers, he says. “That means there will need to be more discussions about these issues.”
Perform a self-critical analysis
A self-critical analysis is an investigation into an organization’s cybersecurity program to identify areas of weakness and ways to improve its cybersecurity maturity. A large piece of a self-critical analysis is focused on what can be done to stop an attack, Morgan says, which is especially critical during cybersecurity litigation.
“One of the issues that comes up in lawsuits is to what extent your organization’s legal adversary—whether that’s a plaintiff, plaintiff’s lawyer, or regulator—can have access to your organization’s self-critical analysis of its own cybersecurity program,” he says. “The focus on stopping attacks is very important from a legal perspective because it helps to moot potential claims for injunctive relief that are seeking orders to address the problem or improve from a cybersecurity perspective.”
Morgan says performing a self-critical analysis is a best practice that organizations should consider.
And it’s not just larger companies that need to step up their game to prevent, or be prepared for, litigation. While the Equifaxes, T-Mobiles, and other big boys on the block garner headlines, small and midsize organizations are also at risk.
Case in point: Hope College, a small, Christian, four-year liberal arts school in Holland, Michigan, now faces two separate class action lawsuits, filed in the last week of 2022. The lawsuits, which charge the school with negligence and a failure to notify victims quickly enough—thus allowing “their injuries to fester and the damage to spread”—relate to a data breach in September that may have compromised confidential information of more than 155,000 people. It is another cautionary tale illustrating the importance of shoring up defenses.
By establishing cybersecurity expertise on boards, driving a culture of cybersecurity at the top, discussing reasonable security measures, and looking critically and introspectively at the organization’s cybersecurity processes, companies can drive more awareness, instill best practices, and build a stronger security foundation to withstand future litigation.