As cyber criminals continue to expand their illegal activities, the issue of real injury from a hacking event comes even more into focus in the ensuing court cases as damages are determined and millions of dollars are awarded to data breach plaintiffs.

In a recent decision, the Supreme Court could have completely altered the landscape of consumer privacy and data breach class action lawsuits in Spokeo, Inc. v. Robins, a closely watched case before the Court last term. Although the underlying dispute in Spokeo involved an alleged violation of the Fair Credit Reporting Act and not a data breach, the case presented a nagging question in privacy law: What kind of injury is sufficient for Article III standing?

While the law in data breach litigation in the electronic age continues to develop, plaintiffs can increasingly expect their claims to be dismissed for lack of standing if they are unable to credibly allege some sort of actual injury, as opposed to a mere increased risk of some hypothetical future harm, and that the injury is traceable to the theft of their data from the defendant. The Court in Spokeo was poised to draw the line between what is actual injury and what is hypothetical.

When the Court finally ruled in May 2016, it did not decisively answer the question. Instead, the Court remanded the case to the Ninth Circuit, holding that the appellate court had failed to consider whether the alleged injury was concrete, and instead considered only whether it was specified. While the Supreme Court reiterated the threshold test for analyzing standing, it failed to signal whether the alleged injury actually met the applicable standard or offer any definitive statement that could tilt the playing field toward plaintiffs or defendants.

In its opinion, the Spokeo Court defined a concrete injury as "de facto; that is, it must actually exist," but it also said that this does not mean the injury must be "tangible." These soft guideposts on standing have created a sort of Rorschach test, with both plaintiffs and defendants contending that Spokeo compels a decision in their favor. This is especially so in the context of data breach class actions.

Defendants have options

Since the Supreme Court issued what many view as an incomplete opinion in Spokeo, lower courts will continue to reach diverging conclusions as to whether data breach plaintiffs have alleged sufficient injury to proceed to the merits. This presents a difficult choice for data breach defendants who lose motions to dismiss on standing: Should they proceed to litigate the merits of such an action, which, with the exception of challenging the merits of the pleadings by way of a 12(b)(6) motion (or its state court equivalent), is uncharted territory, or should they relent and settle? The latter can be hard to stomach, especially where the plaintiffs do not seem to have suffered any real harm.

Data breach defendants don't need to give in. Instead, they should force plaintiffs to establish their damages and then use creative ways to approach settling these cases that simultaneously offer plaintiffs tangible benefits and reassure defendants that they are not surrendering to plaintiffs who were not injured.

Data breach settlements differ starkly from the classic class action settlement model in which a large fund is divided evenly among class members who opt in (or who do not opt out). Many of these settlements involve tiered settlement funds, credit and identity monitoring product offerings, data security enhancements, detailed claims processes and other settlement features that provide the parties an opportunity to avoid further litigation while also addressing many of the concerns of both plaintiffs and defendants. We examined the publicized details of 19 consumer data breach class action settlements to determine how litigants are resolving these disputes and what tools parties can use to reach a creative compromise. (See sidebar for list of actions.)

The bottom line

When details of a privacy class action settlement are publicized, the headline tends to be the dollar amount the defendant is going to pay into a settlement fund for the class. We looked at those numbers when averaged based on the number of class members. Of the settlements analyzed, the average amount paid per class member ranged from $0, in In re Adobe Systems Inc. Privacy Litigation, to $13.63 per person, in Rowe v. Unicare Life & Health Insurance Co. et al. In most cases, these averaged numbers do not match the amounts actually paid to class members because the amounts paid differ based on variables in the settlement structure. Still, analysis of the fund amount per person is useful to gauge generally how much defendants are paying in relation to the size of the class.

The data suggests that a number of variables can drive the per-person dollar amount of the settlement fund — the type of data potentially exposed, the manner in which it was exposed, the jurisdiction in which suit was brought, and the other relief provided in the settlement.

For example, the per-person amounts paid in settling claims for exposing personal health information (PHI) tend to be higher than the amounts paid to settle claims for exposing personally identifiable information (PII), financial information or payment card information. The amounts paid per class member for PHI suits ranged from $2.50 to $13.63, while the amounts for PII, financial information or payment card information were $0.73 to $5.23 and $0.00 to $6.32, respectively.

The size of the class may also drive the per-class-member settlement amount. For example, plaintiffs may be unlikely to accept less than $1 per class member for a class of a few thousand people. In In re Michaels Stores Pin Pad Litigation, the company established a $600,000 fund for a 95,000-person class — an average of $6.32 per person — and also offered one year of credit monitoring, with an additional year for anyone with unauthorized charges on their accounts.

On the other hand, defendants are unlikely to pay anywhere close to $1 per class member to settle an action brought by a class on behalf of 100 million potentially affected individuals. The parties have to find a sweet spot, balancing the size of the class with the realities of what a defendant should actually pay.

Plaintiffs may contend that another driver of settlement amounts is the manner in which the data was exposed. Plaintiffs believe they have more leverage to demand higher settlement amounts where the circumstances of the underlying breach allow plaintiffs to argue that the defendant was lax in its security measures. Perhaps based on this dynamic, settlement amounts based on breaches involving unauthorized physical access or the theft of unencrypted devices tend to be more costly than those based on unauthorized electronic access or hacking.

For example, in Johansson-Dohrmann v. CBR Systems, Inc., the defendant established a fund of $8.56 per person (a $500,000 fund for out-of-pocket losses and $2 million for identity theft, or $2.5 million, for a class of 292,000) where unencrypted backup tapes containing PII and financial data were stolen from an employee's car. The average settlement fund for the hacking incidents analyzed was about $0.50 per class member.

Evidence that class members were victims of actual identity theft can also influence the settlement range — though such evidence should not automatically prompt a panicked rush to settle by the defendant. Where some plaintiffs can show actual identity theft damages, those damages may undermine the plaintiffs' ability to satisfy the commonality and predominance requirements for class certification.

Moreover, the settlement can be structured to compensate plaintiffs with actual identity theft damages and separately address those plaintiffs who cannot show damages. There is no magic in determining a reasonable settlement range, but the manner in which the data was exposed, the volume and type of data exposed, and evidence of actual damages are all factors relied upon by plaintiffs to assert that higher settlement amounts are warranted.

Non-cash benefits

The settlements with the lowest per-class-member dollar amounts tend to also involve relief apart from the settlement fund — non-cash benefits such as vouchers for customers, credit monitoring or identity monitoring services, or clearly delineated security enhancements that the defendant must undertake.

The data shows that the most common of the non-cash settlement elements is credit or identity monitoring. Incorporating those costs into a proposed settlement presents some challenges, however. Many defendants will already have offered and paid for credit or identity monitoring to a large number of class members in initially responding to the breach, and plaintiffs, their counsel, or the court in considering the settlement may be unwilling to consider that prior expense as part of the settlement.

Some companies have tacked on additional years of credit monitoring as part of the settlement or re-opened the offer of monitoring to class members who did not opt in the first time around. While credit monitoring can be useful depending on what type of data has been exposed, plaintiffs and their counsel may not place a high value on offering it as part of a settlement package because those class members who were interested in such an offering have typically already enrolled following public notification of the breach. Still, it is one clear way to provide a non-cash benefit to compensate all those potentially affected by the breach.

Network security enhancements may present the most clear-cut way to benefit all parties to data privacy class actions. Defendants strengthen their systems in an effort to avoid future similar incidents (and the risk of liability that flows from them), and plaintiffs gain further protection for data that the company may still possess or may obtain in the future. This is particularly useful where a number of class members are likely to do business with the defendant company in the future.

The Target Corp. settlement incorporated security measures that Target agreed to adopt, including designating a high-level chief information security officer to oversee information security programs, maintaining written information security programs, maintaining a process to monitor for information security events and respond to threats, and educating and training relevant employees regarding the importance of securing consumers' PII.

The Adobe settlement also mandated specific security enhancements, the details of which were largely redacted from the settlement documents to maintain their effectiveness in fending off future hackers. The settlements in Curry v. AvMed Inc. and Burrows v. Purchasing Power LLC also featured detailed security improvements, and in the Heartland Payment Systems Inc. settlement, the defendant agreed to report to an expert selected by the plaintiffs regarding its remedial measures. The finality of the Heartland settlement was conditioned on the plaintiffs' expert's acceptance of the report.

While negotiating these details and involving security experts in the settlement process can take time and increase the cost of reaching a settlement, it can also create a path to provide real value to the plaintiffs while still accounting for the defendant's views that the breach at issue did not cause the plaintiff's actual injury. The settling parties often quantify in dollars the amount the defendant will spend on security investments, so that the court evaluating the settlement can consider it as a component of the overall settlement value.

The claims processes

A final area where privacy class action litigants have developed innovative solutions is in structuring how the settlement fund is paid out to class members. These class actions do not tend to follow a model in which the total fund is divided evenly among class members who opt in to the settlement. Instead, these settlements feature carefully constructed procedures in which class members submit claims and seek reimbursement from the fund.

In some cases, the class members must submit proof of losses with their claim for reimbursement from the fund. The Target settlement allowed two types of claims — documentary claims or self-certification claims. Class members who submitted documents showing out-of-pocket loss could be reimbursed up to $10,000, while class members submitting only self-certifications were entitled only to an equal share of the amount remaining after all documentary claims were paid out (estimated beforehand to be roughly $40 per person). This claims process prioritizes payments to class members who have suffered out-of-pocket losses over class members whose harm is merely speculative (or virtually non-existent).

The AvMed settlement followed a similar pattern — approved identity theft claims would be paid first, then the remainder would be divided among "premium overpayment claims." Prior to the AvMed settlement, however, the Eleventh Circuit had found that even class members who had not been victims of identity theft had sufficiently pled injury by claiming that they paid more in premiums in exchange for AvMed sufficiently protecting their data. While this precedent may explain why the parties in AvMed adopted this approach, distinguishing between plaintiffs with real damages and those without is sensible even where the court has made no such ruling.

Another innovative approach is setting up a settlement fund with payment tiers so the second tier only comes into play if enough class members submit valid claims to exhaust the first tier. The parties to the Heartland settlement agreed to a $1 million settlement fund, but if valid claims exhausted that fund, Heartland would contribute up to another $1.4 million. This approach strikes a balance between the plaintiffs' interest in seeing that defendants make some payment to compensate for the breach, and in particular class members who have suffered actual harm, as well as the defendants' interest in limiting the amounts they pay to compensate for hypothetical and speculative harm.

If the plaintiffs are right that the class has suffered and can prove real harm, the settlement is designed so that the defendant will compensate for that harm. However, if the defendant is right that many (or most) class members have no actual injury, then the defendant will not have to pay the higher tiers of the fund.

While post-Spokeo courts may continue to issue inconsistent opinions, the environment for data breach defendants is not as frightening as it appears. Defendants should relentlessly challenge plaintiffs to justify their alleged grievances and establish their damages. Efficient solutions such as credit and identity monitoring services for the truly affected can mitigate the risk of larger and consequential damages.

Creatively structured settlements such as the "tiered" approaches put the onus on the plaintiffs to prove their damages — which, as one court approving such a settlement has noted, they would have to do at some point anyway. Proving causation and damages will be essential in each case.

Data breach class action settlements reviewed:

  • In re Adobe Syst. Inc. Privacy Litig., No. 13-5226 (N.D. Cal.)

  • In re Heartland Payment Syst., Inc. Data Security Breach Litig., No. 09-2046 (S.D. Texas)

  • In re Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-2258 (S.D. Cal.)

  • In re Target Corp. Customer Data Sec. Breach Litig., No. 14-2522 (D. Minn.)

  • In re TJX Cos. Retail Security Breach Litig., No. 07-10162 (D. Mass.)

  • In re The Home Depot Inc. Customer Data Sec. Breach Litig., No. 14-02583 (N.D. Ga.)

  • In re Countrywide Fin. Corp. Customer Data Sec. Breach Litig., No. 08-1998 (W.D. Ky.)

  • Beringer v. Certegy Check Servs., Inc., No. 8:07-cv-01657 (M.D. Fla.)

  • In re Dep't of Veterans Affairs Data Theft Litig., No. 06-506 (D.D.C.)

  • Lim v. Vendini Inc., 1-14-CV-259897 (Cal. Super. Ct., Santa Clara Cnty.)

  • In re LinkedIn User Privacy Litig., No. 12-3088 (N.D. Cal.)

  • Rippy v. Schnuck Markets Inc., No. 2013-L-218 (Ill. Cir. Ct., St. Clair Cnty.)

  • Curry v. AvMed Inc., No. 10-24513 (S.D. Fla.)

  • Burrows v. Purchasing Power LLC, No. 12-22800 (S.D. Fla.)

  • In re Michaels Stores Pin Pad Litig.

  • Johansson-Dohrmann v. CBR Systems, Inc., No. 12-1115 (S.D. Cal.)

  • Rowe v. Unicare Life & Health Ins. Co., No. 09CH05166 (Ill. Cir. Ct., Cook Cnty.)

Michael Phillips, Kimberly Horn and Marcello Antonucci are claims managers for technology, media and business services at the Beazley Group. Bonnie Wise, an attorney with Wiley Rein LLP, represents insurers in connection with disputes arising under professional liability, general liability and cyber policies.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.