February 28, 2017 Practice Points

Three Questions to Consider in Evaluating a Potential Settlement of a Data-Privacy Class Action

Recent trends reveal important considerations in negotiating a settlement in a data-breach class action.

By Paul Karlsgodt – February 28, 2017

During a recent Sound Advice podcast, Angela Sabbe and I discussed some recent trends in settlements of data-privacy class actions. This practice point summarizes and supplements some of the points made during the podcast by discussing three questions that counsel should consider in negotiating a settlement in a data-breach class action.

Question 1: Is There an Existing Settlement Model?
In certain types of data-breach class actions, there is a proven track record of approved class-action settlements that practitioners can draw on to formulate a settlement structure and other terms. In payment-card data-breach class actions brought on behalf of consumers, for example, there have been numerous class-action settlements, most of which have involved a claims program in which individuals who have out-of-pocket expenses can claim reimbursement for those expenses as well as seek compensation for lost time spent dealing with the breach. There is a similar body of exemplar settlements for cases involving claims for statutory damages arising out of a data breach. In cases brought under California’s Confidentiality of Medical Information Act, for example, several settlements have been reached in which those affected are simply paid some percentage of the statutory damages award. Being able to draw from a previous model settlement can make a subsequent settlement easier to negotiate, and being able to point to settlements with similar terms can often make a subsequent settlement easier to get approved by the court.

Question 2: Does Credit Monitoring Make Sense?
One type of class relief that has been used in data-breach settlements is to provide credit monitoring or identity-theft insurance to the individuals who were impacted. These tools can provide meaningful benefits to victims when used in the right circumstances. However, this type of relief can sometimes be a square peg for a round hole. For example, credit monitoring and identity-theft protection do not really address the true risks posed by a payment-card breach where only payment cards have been impacted. Many credit-monitoring products also do not provide meaningful protection against the risk of tax fraud. Trying to use these types of benefits in the wrong case can lead to meritorious objections and possible disapproval of a proposed settlement.

Question 3: Are the Likely Damages Sufficiently Uniform or at Least Predictable so That a Fair Distribution of Settlement Benefits Can Be Made?
One of the biggest challenges in attempting to fashion a settlement in a data-breach class action is the potential disparity in the damages suffered by some class members as compared to others. This can create the same sorts of challenges that are seen in the mass-tort context, where a class settlement may not comport with due process because some class members have not suffered any injury at all, while others may have suffered significant financial losses resulting from identity fraud, and still others may have significant injuries, but ones that were not actually caused by the defendant’s conduct. These types of problems led the U.S. Supreme Court to reject a class-action settlement model for asbestos-related claims in Amchem Products, Inc. v. Windsor, 521 U.S. 591 (1997). Any benefits program has to be organized in a way that prevents benefiting one subclass at the expense of another, such as by allowing minimum awards and imposing caps on reimbursement claims that would leave those most injured by the incident without meaningful compensation. Claims programs in payment-card data-breach cases tend to avoid these pitfalls because the types of out-of-pocket losses and other claimed injuries arising from payment-card breaches tend to be small in amount and predictable in type. By contrast, in class actions arising out of data breaches from which other types of identity theft are possible, variations in the types and amounts of damages and difficulties in evaluating the causal connection between claimed injuries and the data breach create the same kinds of problems addressed in Amchem.

Paul Karlsgodt is a partner at BakerHostetler in Denver, Colorado.

