Data Breach Class Action Settlement

Avoiding Massive Data Breach Class Action Settlements and Soaring Cyber Insurance Premiums

The volume of data breach class actions exploded in 2023, and 2024 is on track to surpass 2023’s unprecedented numbers. The unique legal challenges of these novel cases, including issues of standing and uninjured class members, continue to vex the courts, leading to inconsistent outcomes. Business abhors the unknown, and that uncertainty makes the legal ramifications of suffering a data breach even more of a black box. What is well known, however, is that settlements in these class actions are exceedingly expensive, as is the cost of the cyber insurance most organizations carry to protect their solvency should they become the next victim of a data breach.

The costs of a class action settlement can easily rise into the tens or even hundreds of millions of dollars. At the same time, the frequency of claims against cyber insurance policies in the face of today’s tsunami of data breach events is ballooning the average premium charged by insurers to all cyber policy holders, even those who have (so far) avoided being a victim of a data breach.

This paper delivers data quantifying the numbers of class actions brought against organizations victimized by data breaches and illustrates the phenomenal rate of growth of this threat.  It then highlights the correlation between the growth of data breach class action settlements and the rising rates for cyber insurance which many organizations engage as a hedge against such settlements.  Lastly, it provides a methodology for avoiding falling victim to a data breach, suffering a massive class action judgment and paying for insurance coverage which is cold comfort in the wake of a cyber-attack.

Data Breach Class Actions by the Numbers

International law firm, Duane Morris LLP notes, “Data breach has emerged as one of the fastest growing areas of class action litigation. After every major (and not-so-major report) of a data breach, companies now can expect the resulting negative publicity to prompt one or more class action lawsuits, saddling companies with the significant costs of responding to the data breach as well as the significant costs of dealing with high-stakes class action lawsuits on multiple fronts.”

In 2023, organizations victimized by data breaches were faced with class actions, including copycat and follow-on class actions across multiple jurisdictions. The 2023 data breach class actions were significantly more costly to the organizations sued, even as compared to the judgments of just one year earlier in 2022. It took only the first six months of 2023 to reach the total number of class actions that had been filed in all of 2022: approximately 246 data breach class actions were brought within the first half of 2023. According to the Duane Morris Data Breach Class Action 2024 report, “On average, plaintiffs filed 44.5 data breach class actions per month during 2023 through the end of August, marking a significant increase from the average of 20.6 per month that we saw in 2022.”

From September 2023 to the end of the year, Plaintiffs filed over 450 additional data breach class actions (including those in privacy areas), for an average of over 125 a month.

The Duane Morris numbers are corroborated by research produced by the Harvard Law School Forum on Corporate Governance which revealed the number of data breaches leading to class action claims has risen steadily since 2020. 

According to the Wall Street Journal, in 2023, global spending on cybersecurity measures reached $188 billion, with expectations to increase to $215 billion in 2024. However, Statista data shows the number of data breaches in the United States has nearly tripled since 2020, hitting a record high of 3,205 breaches in 2023. A survey conducted in 2023 of more than 1,000 businesses worldwide revealed that 72.7% had experienced ransomware attacks, which correlates with the surge in data breaches in the U.S., resulting in over $1 billion paid in ransoms to cyber criminals last year.

So far, 2024 has seen record sized class action judgments handed down in the wake of some of history’s most devastating data breaches.

$60,000,000 settlement against Okta (read the Privacy Bee postmortem on the Okta breach)

$150,000,000 settlement against Zoom Video Communications

$350,000,000 settlement against Alphabet Inc.

The top 10 largest class action settlements of 2023 involved the following organizations, as illustrated in the graphic below from the Duane Morris document.

In order from largest to smallest, the largest settlements of 2023 were awarded against:

  1. T-Mobile – $350 million
  2. Blackbaud, Inc. – $49.5 million
  3. Wawa, Inc. – $28.5 million
  4. Robinhood Financial LLC – $20 million
  5. Pepsico, Inc. – $12.75 million
  6. Ambry Genetics – $12.25 million
  7. Advocate Aurora – $12.25 million
  8. Insurance Technologies Corp – $11 million
  9. California Health and Wellness – $10 million
  10. KSE Sportsman Media, Inc. – $9.5 million

As the chart below illustrates, the upward trajectory of more and larger data compromises heading into 2024 was pronounced. And the resulting settlements so far in 2024 (not including those still being litigated) already dwarf most of the largest of those from 2023.

These mammoth settlements are not likely to be the high-water mark for class actions following data breaches. Numerous recent data breaches – unprecedented in size and scope – are only at the beginning of the process of being investigated. Class action suits are still being prepared for filing over other massive data breaches, such as the notorious MOVEit data breach (read the Privacy Bee postmortem here), the Snowflake data breach (read the postmortem here) and, more than likely, the Change Healthcare/UnitedHealth Group breach (read about the targeting of the healthcare industry here).

Correlation Between the Growth of Data Breach Class Action Settlements and the Rising Rates for Cyber Insurance

The trajectory of cyber insurance premium increases correlates neatly with the growing numbers of data breaches, cyber attacks and class action settlements. In 2023, premiums were as much as 20% higher than in the fourth quarter of 2022. Before that, rates virtually doubled in the first quarter of 2022 and then rose by a further 79% in Q2 of 2022. This explosion in rates makes the 25% year-over-year increase of 2021 seem trifling at best.

According to Cybersecurity Dive, Standard & Poor’s analysts report that cyber risk coverage is one of the fastest growing segments of the insurance sector, and global premiums are expected to pass the $20 billion mark by 2025 – up from around $15 billion in 2023.

Password security company 1Password published commentary offering insights into what is driving the spike in cyber insurance premiums. As noted, the correlated spike in claims following data breaches and ransomware attacks is the obvious culprit. However, secondary and tertiary factors are also at work in driving this rapid growth. For example, insurance carriers are reducing their appetite for this particular risk. Just as property and casualty carriers are reducing their appetite for homeowners’ policies in high-risk locations (like coastal areas and areas prone to repeated wildfire activity), cyber insurers are protecting their solvency by underwriting fewer cyber policies. This tightening supply in the face of increased demand pushes premiums higher.

More interesting, especially from the standpoint of how organizations can mitigate their risk so as to avoid becoming the next victim of a cyber-attack, data breach and class action lawsuit, is the fact that insurers have begun demanding that insureds follow more stringent best practices for data privacy. The strategies used to achieve these tighter standards are a point of controversy. Different carriers may develop their own requirements for insureds before extending cyber insurance coverage. They may, for example, mandate individual practices such as multi-factor authentication, endpoint security, password encryption, employee training/awareness programs or any of the array of traditional cyber security functions already embraced by CIOs and CISOs.

Yet, as Privacy Bee for Business has long noted, these cybersecurity activities are currently failing to protect against data breaches, particularly those carried out via social engineering and other tactics that rely on obtaining and manipulating unsecured external data. Attackers use that unsecured external data to develop highly contextualized phishing, spear phishing and other social engineering attacks.

A Methodology for Avoiding Breaches, Class Actions and High Cyber Insurance Premiums

Exposure to high cyber insurance premiums is not something that can easily be reduced. This is because the pricing of insurance products is derived from pooled risk and the extent to which any particular asset class is subject to claims. In today’s environment, wherein data breaches are a daily occurrence, the number of claims against existing policies is high. Ergo, the premium insurers must charge to all customers rises in tandem. That said, there are steps an organization can take to demonstrate self-directed risk mitigation activities to the insurance carriers.

Think about it in terms of the homeowner who sends the insurance carrier pictures of their property evidencing brush removal, defensible fire space, or a newly installed roof to receive a reduction in premium.  As noted in the previous section, insurers are already tightening their requirements for underwriting and mandating certain cyber security best practices.  Organizations that can demonstrate a concrete process for protecting data privacy, addressing unsecured external data and lowering their overall privacy risk are likely to access lower cyber insurance premiums. 

Doing so requires buy-in from all the key stakeholders within an organization. And there is evidence that the last 12 months of gargantuan data breaches, and the mammoth class action settlements that follow them, have spurred IT leaders to act. Until recently, there was a disconnect between the potential fines and penalties of data breaches and the will to prioritize solutions.

In 2022, data access management company OKERA polled Chief Data Officers, CIOs, Chief Privacy Officers and CISOs from 125 North American companies, most of them large: 93% had at least 1,000 employees and 61% more than 10,000. Among the many revealing findings in their Intersection of Data Privacy and Cybersecurity report is the following contradiction.

45% of the leaders polled said they were not concerned about the fines associated with non-compliance with privacy laws. They factor privacy breaches into their cost modeling. Yet 94% see compliance as a top priority.

It would stand to reason that today, 18 months later, the percentage of those concerned about fines has risen dramatically. And since compliance with privacy laws was already a top priority, the eye-popping settlement numbers must certainly be driving strong action on compliance.

What can an organization do then to stand up effective defenses against hackers and threat actors currently winning the “Battle of the Breach”?  Most organizations already employ industry standard best practices for cybersecurity.  However, far fewer are knowledgeable about the role unsecured external data privacy plays in ensuring these hardened defenses are not circumvented by social engineering attacks.  That’s where Privacy Bee for Business delivers the missing piece to avoid class action lawsuits and rising cyber insurance premiums.

External Data Privacy Management Strategies

Managing and protecting access to the PII of every single employee and those of all third-party affiliates (like vendors and other partners) may seem like an overwhelming challenge.  Knowing there are thousands of People Search Sites and data brokers, dozens of social media platforms, powerful search engines and tons of publicly searchable data makes it an even more sobering prospect.  Here are some of the broad solution elements from Privacy Bee to help immediately begin shrinking the attack surface back to acceptable tolerances.

Engage the Privacy Bee solution, a cost-effective method for taking control over the social engineering attack surface. 

Privacy Bee’s Employee Risk Management (ERM) solution is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.

ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.

Privacy Bee’s External Data Privacy Audit (EDPA) is a free-to-use, web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk and External Data Privacy management.

The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (data brokers, People Search Sites, paste sites and more). It delivers a centralized view into public employee exposures, and insight into the tangible financial impact they have within your organization.

Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside your organization who may nonetheless have a degree of access to your sensitive information systems. This solution evaluates all your vendor/partner organizations for Electronic Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your third-party vendors one-on-one to decrease their vulnerabilities, effectively de-risking your company at no cost to you.

While all these (and other) audits and monitoring services are available at no cost, removing employee PII from all unsafe locations on the net is what actually reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource to Privacy Bee the removal service for employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.

Engaging the Privacy Bee for Business solution offers many other ancillary benefits as well, such as eliminating physical threats to executives and other high-profile members of your team. It helps reduce unwanted spam and telemarketing that sap productivity. It helps curb HR poaching, saving significantly on HR and lost-opportunity costs. It helps foster a culture of data privacy that makes your organization more secure and a much more attractive partner to prospective customers.

Don’t wait to focus on shrinking your attack surface. Contact Privacy Bee today for a demo and more information on how to be proactive with data privacy and attack surface reduction in your organization.
