Skip to Main Content

Critical Cyber Ruling – Defense Costs

Thursday, April 28, 2016

Recently, Chicago Crain’s published an article, “P.F. Chang data breach lawsuit can go ahead“,  discussing a critical ruling many of our clients and prospects don’t know about, yet it affects them all.  A 7th Circuit Court (that’s our Circuit), ruled that an individual can bring suit simply because they have an “increased risk of fraudulent debit/credit card charges and identity theft.” 

What does this mean?  If a breach happens, customers can now bring suit against that business even if they haven’t suffered damages.  Actual monetary damages aren’t necessary.  Simply having the increased risk is enough.

Why is this important?  Defense Costs. 
For example, say a business suffers a data breach.  Prior to this ruling, their exposure would be limited to notification expenses, PR costs, settlements/judgments if customers suffered damages, and defense costs (which many view as an afterthought).    

How does this ruling change things?  It opens the door for lawsuits to be filed immediately upon giving notice to customers, even if they have yet to, or actually do suffer, any damages.  Defense costs will begin accumulating several months ahead of when they currently would.  This will cause tens, if not hundreds, of thousands in increased defense costs.  This just took defense costs from an afterthought to one of the largest exposures……and no one was harmed. 

Below I’ve outlined the important things to consider based on this ruling.  P.F. Chang’s may be able to self-insure $1,000,000 in defense costs.  But, for middle-market companies, $1,000,000 in defense costs could put them out of business.  If you do not have cyber liability coverage now, you need to obtain it. 

Practical Aspects:

1. Why is this important for businesses? 
  • If a data breach takes place, the business will now be subject to defense costs, even if customers have yet to suffer any immediate or identifiable loss that can be traced back to the data breach in question.
  • One of the plaintiffs in this case hasn’t suffered fraudulent card use or ID theft, yet he is allowed to bring suit.
  • The other suffered four fraudulent uses, yet there is no proof it resulted from the P.F. Chang’s breach or from any other cyber activity.  He is allowed to bring suit as well. 
2. How much are defense costs? 
  • Case-by-case basis.  The average range had been anywhere from $250,000 to $500,000.  It will increase based on this ruling.
3. What if my business can self-insure the additional defense costs?
  • That’s fine.  But, defense costs are just a part of the overall cost.  We haven’t discussed expenses for notification, public relations, credit monitoring, regulatory fees/fines or settlements/judgments.
4. I’m not a restaurant.
  • It doesn’t matter.  This case is not limited to restaurants.  This applies to all businesses.
5. What should a business do to limit their defense cost exposure?
  • Put together a breach incident response plan.
  • Retain counsel and strategize prior to breaches occurring.
  • Be detailed in the breach notification description.
    This is crucial.  P.F. Chang’s did not distinguish the locations or dates in their notifications, which opened the door to additional customer lawsuits.
  • Insurance
  • Defense costs are covered under cyber liability policies.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.