According to FBI Director James Corney “there are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”1 It is no wonder that management is increasingly concerned about the risks that flow from a data breach, especially the risk that their company will face a class action lawsuit.

The following provides an overview of the risks associated with lawsuits following data security breaches.2

Click here for image.

What factors should you look at after a data breach when considering the likelihood of receiving a class action complaint: 

  • Is a plaintiff’s firm looking at government records for information relating to your organization’s data security practices? For example, have they submitted requests to the Federal Trade Commission for records about your company?
  • Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
  • Did consumers suffer any direct monetary harm?
  • Could the data fields involved lead to identity theft?
  • Has there been any evidence of actual identity theft?
  • Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
  • If so, what percentage of impacted consumers availed themselves of your offer?
  • Has the jurisdiction in which you are most likely to receive a lawsuit (e.g., where you are incorporated or primarily operate your business) permitted other data security class action complaints to proceed past the pleadings stage?
  • Has the media widely reported on your data breach?
  • If so, did the media report your data breach before, or after, the company notified impacted consumers?