In 2016 and 2017, Home Depot settled lawsuits for $19.5 million after its data breach. In June 2017, Anthem agreed to pay $115 million to settle lawsuits stemming from a 2015 breach. The numbers indicate that data breach settlements are rising.
The Factors Driving a Rise in Settlements
There are a few factors driving the rising cost of data breach settlements, including:
- The class sizes of persons affected by data breaches are increasing. The more customer information involved in a breach, the higher the cost (including any settlement) typically is. One reason for the growth in class size is the growth in the amount of data held online: organizations are storing a tremendous amount of data about their customers.
- As data breaches have become larger, so has the number of parties seeking some type of redress for those breaches. A company that has suffered a data breach of its customer information must now face not only class action lawsuits from those customers but also claims from financial institutions looking to recoup their costs. In addition, investigations and enforcement actions can be initiated by federal and local government offices.
Mitigating Settlement Cost After a Breach
Avoiding the high cost of a settlement means avoiding the breach in the first place. That is not very likely today, however, as the prevailing wisdom holds that a data breach is a matter of not if, but when. So, what steps can organizations take to reduce the chance of a breach – and potentially reduce the cost of a settlement after a breach?
Remember the basics of data security. Regular security assessments, the use of encryption, penetration testing, vulnerability patching, threat detection monitoring, and employee training regarding phishing scams are activities that should be part of an organization’s security efforts.
Review the data you hold. As we mentioned earlier, the amount of customer data impacted in a breach contributes to the size of the settlement. Organizations should re-examine the information they request (and store) from customers and assess whether all of it is necessary. Periodic data inventories should also be conducted to determine whether data can be purged or moved to offline storage.
Document your security policies and procedures. If you are breached, it will help if you can document the steps you took to ensure data security. In some cases, enforcement actions can result from a lack of proper protections – even when there is no evidence of identity theft. For example, Wellpoint paid $1.7 million to settle an action over a lack of policies and procedures to authorize database access and a lack of safeguards to verify authorized users.
Minimize data breach lag time. We discussed in an earlier blog post why data breach lag time – the time between when a breach occurs and when it is detected – is such a crucial factor in terms of breach impact. Lag time affects settlement cost too: the longer a breach goes undetected, the more customer records are likely to be impacted, and the more records impacted, the higher the cost to settle. Minimize lag time with user monitoring software to protect against insider threats, and use threat hunting to search your network for advanced threats that evade existing security solutions so they can be detected and isolated.
Do the right thing by customers. Prompt and detailed communication after a breach, quick efforts to mitigate damage (by proactively resetting passwords, for example), and offering free credit monitoring services are all steps that may help to reduce customer disgruntlement and the possibility of a lawsuit.