Data breach settlements are an unfortunate but all-too-frequent side effect of ransomware attacks. When hacks expose sensitive user data, it can lead to a lot of problems.
Data is sometimes sold to criminals who can use it for future hacks or to steal money from bank accounts. Stolen data is often used in identity theft, too. Depending on which country the breach occurs in, it can also come with expensive legal penalties.
Ransomware hackers are very aware of this, so more and more hackers are trying to use data to extort money from their victims. If your organization does suffer from a data breach, you may end up facing a data breach settlement.
What is a data breach settlement?
A data breach settlement occurs when the victims whose data is leaked seek financial compensation from the organization that was entrusted with their data. In the US, it usually takes the form of a class action lawsuit, where a large group of individuals with the same grievance file a lawsuit.
A lawyer litigates the lawsuit for the claimants, and if he wins, the money is distributed to the people affected by the data breach (after the lawyer takes a hefty fee, of course). In most cases, the company may agree to pay some amount as a settlement rather than going to trial.
How does a data breach settlement work?
Every data breach settlement starts with a data breach. How the data breach happens is very important to the case: if there is negligence on the part of a company, it will be easier for the litigant to claim damages.
Unfortunately, in most cases, data breaches occur because the victim is not following cyber security best practices on how to protect against ransomware. This is where cyber security awareness training comes in handy and can help prevent such breaches in the first place. It's also very important what kind of data are stolen, and how the company responds.
If a company notifies their customers immediately about the breach, it gives the customers time to change their passwords and otherwise protect themselves against whatever criminals might do with the stolen data.
All of these details will be part of negotiations between the victim of the data breach and the lawyers. If the breach is very severe and there was a lot of negligence by the responsible company, the settlement amount can be very high.
How long does a data breach settlement take?
The length of a data breach settlement process depends on the nature of the case. In some cases, it could take as little as a few months. In other cases, if there are a lot of disputes, it could take several years.
What are the requirements for a data breach settlement?
Usually, for a data breach settlement to occur, there has to be a data leak which exposes potentially damaging personal information. The money is supposed to compensate damages or losses that people suffer due to the breach.
There also needs to be some responsibility on the part of the company. For example, if the leak is completely outside of the control of the company, it’s hard to say that they should pay for the damages. This is very rarely the case, however; in almost all cases, data breaches can be prevented by good cyber security.
Biggest data breach settlements ever
When you look at some of the bigger data breach settlements, it’s easy to see why ransomware hackers threaten companies with them.
Equifax
The biggest ever was the Equifax data breach. Equifax is a credit rating agency based in the US. In 2017, hackers stole the records of over 160 million people from Equifax’s servers.
The data included names, birthdates, social security numbers, and sometimes driver's license numbers. Equifax was hit with multiple lawsuits in the aftermath, and ultimately ended up paying a settlement of $575 million USD.
T-Mobile
T-Mobile agreed to pay a $350 million USD data breach settlement after the data of 100 million customers was stolen from its server. As part of the settlement, the company also agreed to spend $150 million USD to upgrade their cybersecurity.
Apparently this wasn't enough, because the company got hit by another data breach in early 2023.
Uber
Ride sharing app Uber experienced a data breach in 2016. The company received criticism because it kept the breach a secret for over a year. They finally agreed to pay $148 million USD in a settlement.
Marriott
Hotel chain Marriott failed to secure the data of 133 million guests, which was stolen in 2018. They were also condemned for failing to realize for an extended period of time that the breach had occurred. They were ordered to pay a fine of $124 million USD.
Can you pay a ransom to prevent a data leak?
When it comes to regaining access to encrypted data, it is legal in most jurisdictions to pay a ransom. However, if possible, it’s always better to avoid paying, since paying encourages the hackers to keep attacking others.
When it comes to data breaches, however, there are stricter laws in many jurisdictions. It's important to be aware of the relevant laws in your jurisdiction and comply in order to avoid fines. To be on the safe side, it's always better to report any ransomware attack to the relevant agency in your country.
Hackers may tell you that if you pay a hefty ransom, they will keep the data breach secret, which could let you avoid paying a multi-million dollar settlement. Some gangs may honor this promise, and it may be tempting to accept, but this is very dangerous. Not all gangs will keep their promise, and some may demand more ransoms after the first ransom.
Also, if a company gets caught covering up a data breach, penalties are severe. This is exactly why some data breach settlements are so high.
The best and most ethical thing to do is to adopt full transparency about data breaches. If you don’t know what data have been affected, you can always contact our team of experts and inquire about our Ransomware Recovery Services.