First the Attack, Then the Class Action

Cyberattacks are more frequent and more sophisticated. That is common knowledge, but the fact that class action lawsuits following a data breach are increasing is less well known, possibly because the follow-on comes when the attack is no longer making headlines. The cost of settling these suits is climbing as well. In January 2023, T-Mobile agreed to pay $350 million to resolve claims that it failed to prevent a data breach that resulted in the theft of personal data, including Social Security numbers and driver’s license information of 76 million U.S. residents. Proactive risk management starts with an analysis of risk posture and an actionable improvement plan. There are important things corporations can do to minimize the chances of a multi-million dollar settlement. 1) Boards should be informed of the risk, and have a nuts-and-bolts understanding of cybersecurity. 2) Risk managers should discuss insurance issues that arise after an attack with the board or an appropriate committee. Having a board member with cybersecurity expertise is a giant step toward countering claims of negligence. 3) C-suite personnel should discuss what the SEC considers “reasonable” defenses, and look for areas of weakness in their company.