July 30, 2018

The Cost of Non-Compliance: Legal Fees

Welcome to Part 2 of our Breach 101 Blog Series:
The Cost of Non-Compliance: Legal Fees

One of the first calls companies make when they learn about a security issue is to their outside counsel – sometimes referred to as a “breach coach.” Phone calls and subsequent legal counsel these coaches provide are invaluable when it comes to navigating the breach response process, mitigating risk, and (hopefully) avoiding regulatory scrutiny and fines.

But sometimes this critical counsel during the response process is just the start of the legal fees that companies may incur.

No matter the circumstances of a data breach or the steps taken to manage it, the company may be pursued by a variety of parties, including the US government, consumers, shareholders, vendors, business partners and customers.

Court cases typically take an average of three to five years, and the costs associated with a lawsuit come from several different areas and can add up quickly. Types of incurred costs include attorney, court, copy and deposition fees, as well as expenses related to pertinent records and court reporters.

So, what does that mean in real, financial terms? Take Target’s litigation costs following its breach as an example:

  • Between 2015 and 2017, Target was named in more than 140 different lawsuits brought by customers, US state attorneys general, and US banks and credit card companies in connection with the breach.
  • Target paid a total of $24.75 million in legal fees for lawsuits with 47 US state attorneys general and customer class-action lawsuits, and agreed to pay up to $20 million toward the legal fees of US banks affected by the breach.
  • The settlements cost approximately $68.5 million in total. As part of the settlement with the US financial institutions, Target also paid $172 million to reissue cards compromised in the breach.
  • All in, Target stated the total cost of the 2013 data breach was roughly $414 million, including litigation costs and settlements with various entities.

This blog is part two of our Breach 101: Cost of Non-Compliance blog series.

In our next post, we will explore the cost of reputational damage. Read the introduction or part one: The Cost of Non-Compliance: Fines Add Up.

Legal Fees from Non-Compliance

Takeaways for individuals:

If a company does not protect consumers’ information from a data breach, legal action can be taken to correct the damages. However, lawsuits may take years to complete and there is no guarantee of how much compensation customers will receive.

In the case of the 2013 Target data breach, the company settled class-action lawsuits with customers for $10 million, a sum that is small in comparison to the more than 100 million customers whose financial or personal information was exposed. To help avoid reaching the point of litigation in the first place, it is important to monitor your financial records and alert companies that hold your financial or personal information if something seems suspicious.

Takeaways for companies:

Companies that invest in fortifying their cybersecurity not only limit the scope of a hack, but also have a more defensible position should a lawsuit arise. Choosing the right security partners can help you not only prevent a breach, but also understand the full impact of the data lost or compromised, ensure a timely and effective response, and demonstrate a commitment to doing the right thing and taking security seriously. Then, even if you are fighting a legal battle in the courtroom, you may be able to maintain or even build confidence in the court of public opinion.