Legal Settlements Over Half of Breach Costs. What to Do About This?

I recently attended the Net Diligence conference in Marina Del Rey. It was great to reconnect with many friends in the space and discuss the latest trends in the cyber liability insurance universe. The most interesting news from the conference was the information in the most recent Net Diligence report on data breach claims activity, which got my attention for several reasons.

First, this is the only report I've seen with data breach cost data derived from actual claims, compared with survey-based studies such as those by the Ponemon Institute. Second, it was a surprise to me that the costs are growing so dramatically, with the average breach cost growing 54 percent from $2.4 million to $3.7 million. And lastly, the primary cost source that contributed to the increase suggests to me that there are opportunities for the claims departments to better manage (reduce) some of the cost elements.

Of the $3.7 million average data breach cost in this year's study, fully $2.1 million or 57 percent of the total cost can be chalked up to legal settlements related to class-action lawsuits from the impacted individuals. While responding to data breaches can be expensive projects, this particular statistic leads me to wonder whether some organizations should focus more on their breach response strategies, specifically to better address the real and perceived harms that are experienced by the affected individuals.

My reasoning here is that presumably class actions are based on an underlying presumption that the affected individuals have experienced some types of harm. There may be a disconnect, however, between a "conventional" data breach response and the nature of the response that can really address the concerns of affected individuals, reducing the potential for dissatisfaction that can lead to a class action.

The conventional breach response is to provide notification by letter, make an offer for free credit monitoring services for a year, and establish a call center, typically with the primary focus on enrolling people in the credit monitoring. Based on the Net Diligence report, the most expensive part of the data breach response itself is the "crisis services", which is predominantly credit monitoring. Now interestingly, credit monitoring is offered as a demonstration of goodwill although it is not required by any state or federal laws.

The more that I've been thinking about the conventional response, the more I've been considering that it may no longer be the best way to address the concerns of the individuals that are affected. Now the notification letter, and much of its contents, is dictated by law. So there isn't a lot of leeway there. But in my opinion, the efficacy of credit monitoring in addressing potential harms in many data breach circumstances has declined.

I believe that the solution is a different type of breach response strategy that does not hinge on credit monitoring as the centerpiece. ID Experts uniquely looks at the data breach response process through the eyes of the person whose personal information has been exposed. By conceiving a data breach response strategy through this lens, a methodology we refer to as YourResponse we first and foremost look at how best to address the real, and perceived, concerns and risks to the individual. And what we've concluded is that while in some cases credit monitoring is the most effected protection to offer, that increasingly other solutions such as identity recovery services and specialized cyber monitoring products can more directly alleviate the consumer's anxiety and risks, and in fact do so in a more cost-effective manner.

Our success is rooted in our ability to constantly put ourselves in the shoes of a data breach victim. Doing so allows us to understand how these individuals feel and react to the news of a breach of their sensitive data. Our primary business is not selling credit monitoring, as is the case with many of the other companies that offer data breach response services. This enables us to take a unique perspective as to what is really best for the individuals affected by a particular data breach, independent of the built-in bias that is just inherent with a credit monitoring vendor. Such independence of perspective frees us up to do whatever will best serve our client, the organization that experienced the data breach, through best serving their affected customers. It is our belief and experience that this both limits the prospective harms to data breach victims and can substantially discourage class action litigation.

I hope that all of the conference attendees, and others that are interested in reducing data breach risks through cyber insurance, will reconsider the conventional letter/call center/credit monitoring formula that has become prevalent for data breach response. The world is changing, hackers are getting smarter, threats and risks and expanding in new directions. You and your clients should consider that if they are smarter about "how" they respond to a data breach, that they might be able to substantially reduce the increasingly onerous "legal settlement" costs that are resulting.