Looking at Data Breach and Class Action Exposure Through a Single Lens


There has been a spike in data breach class action lawsuits this year, impacting data privacy on a global scale. According to a study by Law.com Radar, the monthly average of data breach class actions was 44.5 from January through August. This figure is more than double last year’s 20.6 monthly average. Data breaches have also been on an uptick, leading to increased claims and concerns over identity theft fraud. According to the Identity Theft Resource Center, there was an increase of 114 percent in reported data compromises from 2023 Q1 to Q2, reflecting the highest number of breaches ever during a quarter. These incidents are getting more costly each year, both in terms of financial impact and the time spent by organizations and individuals in dealing with the aftermath. IBM reported in the 2023 Cost of a Data Breach report that the global average breach cost was $4.45 million, representing a 15 percent increase over three years. The out-of-pocket losses and the time lost are significant, prompting more settlements, including class action settlements.

But what do all these statistics mean, and how should business leaders react to potential class action settlements? First, it is time to come to terms with the reality that any organization is fair game for an attack that could lead to identity theft fraud among customers. Business leaders must pay attention to the data breach class action landscape, including deadlines to file claims in any class action lawsuits. Next, instead of viewing these trends in isolation, it is time to unite them and look at the whole picture. Where significant data breaches occur, class action exposure increases exponentially, and the settlement class can become large and complex. Lastly, organizations need to formulate a breach response plan that is proactive, accounts for risk mitigation, includes restoration services and credit monitoring, and factors in potential class action liability, including the time spent managing claims.

Current Conditions

There are several factors contributing to the rise in data breaches and subsequent class action lawsuits. The obvious reason is that as the world continues to digitize, there is more information out there to access, raising significant data privacy concerns. Bad actors are developing more sophisticated and strategic ways to target sensitive information, which can result in identity theft fraud, pushing organizations into class action settlements and necessitating credit monitoring services for victims. Meanwhile, organizations are simultaneously producing and storing a record amount of data, increasing the risk and potential out-of-pocket losses from data breaches. Bad actors are also figuring out how to use advanced technologies as a tool to intercept information, making data privacy a critical concern for businesses and individuals alike.

For example, ransomware attacks have been trending in recent years, with demands previously in the thousands now escalating into millions, affecting both privacy and financial security. Even if an organization saves money by paying the ransom, this contributes to the bigger problem and does not prevent subsequent class action lawsuits from the settlement class. Bad actors will keep perpetuating these attacks because they have gotten away with it in the past, exploiting vulnerabilities in systems and email communications, while continuing to make their efforts more sophisticated. Other trending attack methods include phishing, multifactor authentication breaches, malware, and exploiting email security gaps.

Large-scale hacks have also contributed to the drastic uptick in breaches, leading to an increase in class action settlements. The MOVEit hack, resulting from a software vulnerability that began in May 2023 (and is still ongoing), is one of several recent events illustrating how widespread attacks can quickly place a large number of organizations at risk of class action lawsuits. Many MOVEit incidents involve over one million impacted contacts, and the types of data impacted tend to be rich files with complete contact data, such as complete client or employee lists containing full PII sets, raising significant data privacy concerns. Events like this have the potential to create large class action lawsuits against the software creator and its customers, with affected individuals needing to submit claims before any deadline to file a claim passes. Affected individuals have already started filing lawsuits against organizations using MOVEit, thus highlighting the importance of not only having sound internal practices but also keeping apprised of third-party systems storing any business data.

The above, coupled with more court education, regulatory rules, cyber insurance mandates, and media reporting on data breaches, highlights how front and center this topic is currently. This has directly caused more class action activity that is costlier, both in terms of settlements and the time lost in litigation and claims processing. Settlements are higher due to the number of affected consumers and public attention on breaches of all sizes, leading to an increase in class action settlements where the settlement class can be vast. More class actions are being filed, and courts are allowing certification. The Law.com Radar study found that from this January through June, there were 246 data breach class actions, which is close to 2022’s grand total. Courts are even requiring defendants to turn over privileged investigative breach reports, and affected individuals are being offered credit monitoring services and restoration services to mitigate the impact on their credit reports.

These circumstances place urgency on breached organizations to mitigate quickly and explain security gaps to save their reputation. To lessen risk, it is crucial to not only anticipate data breaches—but also the class actions that can follow. Organizations must be proactive in addressing data privacy concerns and providing restoration services to affected individuals.

Adapting and Acting

It is time to act. Having controls in place to mitigate breach risk is no longer an option, especially with the potential for identity theft fraud and the subsequent need to provide credit monitoring services to affected individuals. Organizations must review their security gaps regularly and make this an ongoing top initiative to protect data privacy. Not putting enough prevention in place to avoid a breach, or failing to quickly determine a breach cause and remediate it effectively, are both contributing factors to the uptick in class actions and class action settlements. However, more are looking to invest in cyber preparedness, as demonstrated in the IBM report where 51 percent of organizations said they plan to increase cybersecurity spending because of an internal breach. Such investments may include credit monitoring services, restoration services, and other measures to protect the privacy and credit of customers and employees.

But where to start? Keeping on top of the changing landscape will help improve policies and procedures related to managing threats and risks, but this is only the beginning of what needs to be done to have a robust and effective cyber readiness plan that also anticipates class action activity and protects data privacy. What needs to be done will be unique to every organization, whether a large corporation or a federal credit union. The goal should be to determine the best combination of security controls that fall within an organization’s risk tolerance. From training to threat detection software, mock breach exercises, and beyond—the possibilities are plentiful and flexible. Additionally, organizations should consider the impact on customers' credit reports and be prepared to offer restoration services and credit monitoring services in the event of a breach.

This is not a feat to tackle alone, so fear not. An outside consultant with not only cybersecurity capabilities but also class action expertise is ideal. Look for an expert partner that can pinpoint cyber gaps and fix them by integrating new tools or information governance approaches; advise on what to include in an organization’s incident prevention and response programs; keep apprised of breach and class action trends; provide breach response services; and have staff available to handle class action administration, including managing claims processing, ensuring affected individuals can submit claims before the deadline to file a claim, and handling communication regarding the class action lawsuit in the event that one materializes after a breach.

By tapping into outside resources in addition to internal efforts, an organization will be in the best position to tackle data breaches that come its way, and any class actions that may follow, minimizing out-of-pocket losses and the time lost to litigation. This will also reduce breach and class action risk in the first place, providing peace of mind and allowing organizations to maintain good cyber hygiene, preserve customer privacy, and protect against email phishing attacks.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.
