Facing the challenge of rising cyber breach litigation

Cyber breaches have become the latest honeypot for the US plaintiff bar. Jim Blinn, vice president, client solutions at Zywave, looks at the impact on the insurance industry.

Over the past few years, there has been a significant rise in the number of lawsuits filed in the US for cyber breaches and other types of cyber events.

As more and more personal information is stored on the internet, the potential for increasingly sophisticated cybercrime or plain human error has also increased. And when a breach occurs, more often than not it affects large numbers of consumers simultaneously.

With data compromises on the rise, research from leading insurtech Zywave has found that the number of companies impacted by lawsuits has gone from 79 in 2019 to 357 in 2023 – more than a 350 percent increase.

Regulatory and legal changes

Aligning with this trend, it has become easier for attorneys to argue the case for plaintiffs, who historically only had mixed success in class action data breach lawsuits because they were unable to demonstrate an injury.

In 2016, the US Court of Appeals for the Sixth Circuit concluded that the plaintiffs suffered an injury even though they could not demonstrate that their stolen data had been used. In this case, the plaintiffs alleged that hackers breached the computer network of one of the largest US insurance and financial services companies and stole their personal information, along with that of 1.1 million other individuals.

The district court in Southern Ohio heard that the breach created an “imminent, immediate and continuing increased risk” of identity fraud. The district court granted the insurance company’s motion to dismiss, but this was later overturned by the Court of Appeals, which determined that the plaintiffs’ case could be based solely on imminent future harms.

Big wins for plaintiffs

Social inflation is also playing a role in the rise in cyber litigation as a plethora of high-profile cyber breaches have heightened the public’s awareness of data privacy.

A cyberattack on Progress Software Corp’s MOVEit file-sharing tool discovered in May 2023 exposed the records of numerous government agencies and around 8,000 organizations around the world, affecting millions of people. This resulted in about 320 individual lawsuits being filed involving dozens of organizations.

One of the largest settlements following a 2017 cyber breach was made by Equifax, an American multinational consumer credit reporting agency, which lost the personal and financial information of nearly 150 million people. The data analytics giant agreed to pay up to $700mn, including a $425mn consumer restitution fund, as part of a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all US states and territories.

In 2022, mobile communications giant T-Mobile lost a class action lawsuit following a data breach that affected around 77 million people, and it had to pay out $350mn to fund class members’ claims and their legal fees.

Most lawsuits against firms for cyber breaches do not result in such huge settlements, but the smaller ones do add up. Zywave research found that around 100 cyber lawsuits settled in state and federal courts last year resulted in payouts totalling around $650mn.

Legal firms are becoming increasingly aware of the money to be made from these lawsuits, with most firms taking a 25 percent cut of the payout. Some plaintiff firms have dedicated teams in this area, identifying a breach and, if there are enough people involved, filing suit on their behalf.

According to Zywave research, Morgan & Morgan, the largest plaintiff firm in the US, has been involved in more than $840mn in settlements for its clients in 158 cyber breach cases. Another firm, Milberg Coleman Bryson, launched more than 200 lawsuits, resulting in more than $88mn in settlements.

Zywave’s research looked at nearly 200,000 cyber events and around 67,000 additional cases describing the resulting financial consequences, including lawsuits and fines. It also concluded that the greater the number of records exposed, the higher the probability of lawsuits or fines, with personal health and financial identity leading to most litigation or fines.

How the insurance industry can fight back

This increase in litigation for cyber breaches and the financial outlay for firms is forcing underwriters to focus more on identifying companies that are most vulnerable to the risk of legal action in the digital age, such as those in healthcare and retail.

Claims professionals will also need to refine their strategies to identify breaches with the greatest exposure to litigation and large settlements. Claims managers would be advised to try to move cyber breach cases to a federal court as our research found that federal judges are more conservative and less plaintiff-friendly, with win rates much higher in state courts.

To face the challenge of the rise in legal defence and indemnity costs in these cases, cyber insurers will need to bake them into increased premium costs. They will also have to carefully assess their forms to see if any exclusions or sub-limits need to be introduced.

Risk managers should have a comprehensive cyber risk management plan to encourage companies to strengthen their defences against breaches and mitigate risk.

No matter how strong a company’s cyber security is, there is no cast-iron guarantee against breaches. Cyber insurance is a vital part of any cyber risk management plan. As cyber threats continue to evolve and lawsuits multiply, risk managers should keep an eye on the cyber products and services that are also evolving.

Buyers of cyber insurance are advised to have detailed discussions with their brokers to ensure their policies offer adequate coverage and to establish what level of protection they require.