Judge Approves $350,000 Data Breach Settlement


On March 14, a federal judge in California approved a class action settlement between a large real estate trust and its employees. The trust suffered a “large-scale cybersecurity data breach,” in which attackers gained access to personal information about the company’s 2,500 employees.

Under the terms of the settlement, the trust will establish a $350,000 fund, which will basically pay each current and former employee affected by the breach a King’s ransom of $70. The trust must also pay for three years of credit monitoring for all of the affected employees.

And since somebody will ask, the lawyers get paid $140,000 out of the settlement fund. The employee who filed the initial lawsuit also gets a $5,000 “incentive fee.”


Typical. The settlement should have been much more substantial; after all, REITs are not without saleable assets.


Well, the problem with a lot of these data breach class actions is that it’s difficult to establish legal “standing” when there’s no proof that any data was actually misused. In other words, many courts do not consider it an “injury” if data is stolen but the victims do not sustain a direct financial loss. The judge in this case even pointed this out. So had the parties not settled, it’s likely the company would have filed a motion to dismiss and probably succeeded.

In fact, the U.S. Supreme Court this week punted a class action settlement against Google back to the lower courts to determine if any of the plaintiffs had standing.


Point well taken. This is where the law needs to be refined establishing liability is specific. Why? Companies holding PII will not take seriously the protection of that information if there is no incentive to do so. As long as the profit from collecting outweighs the potential risk to those profits, nothing will change.


I think the most practical solution would be to expand the Federal Trade Commission’s role in policing data breaches. A regulatory agency is in a better position to monitor (and fine) companies who act irresponsibly. Class actions are simply a poor mechanism to address this type of problem.


Fines by the FTC would not compensate people for the time and trouble they would expend on changing accounts, new payment cards, etc. However, they could impose audited practices upon the violators; the question then becomes, will such be of any real value (politics)? As far as class actions, the amounts the lawyers could cull from settlements should be limited. Perhaps setting up a fund as was done with the asbestos case would be a better way to handle settlements. Any thoughts?


Actually, the FTC can–and does–use fines to compensate individual victims. I covered the agency for years and recall dozens of cases where this happened. The Commission typically hires a third-party agency to administer a fund, much as you suggested.

As for limiting attorney compensation in class actions, as the law stands now judges are required to review and approve any payments, as was done in the case I cited. Sure, you could impose stricter limits on compensation, but it’s not like the lawyers take whatever they want.

A more controversial practice–actually, the subject of that Google case before the Supreme Court–is distributing class action settlement funds to third-party charitable and educational organizations. This is known as a “cy pres” distribution, and it is supposedly done when it is deemed impractical to compensate individual class members.


A quick reply to what I think is a topic that should be of concern to all in the biz. Giving charitable and educational organizations settlement should be specifically forbidden. Many of these organizations, IMHO, are running scams staying just short of the RICO law. If I sound like a cynic, it's because I am. Need to do a little research on other points, but keep an eye out. Thanks for your comments, food for thought.