In the unfortunate event of a data breach lawsuit, it’s often better to settle before the case reaches court.
Many of the major data breaches in recent years have resulted in class action lawsuits, and virtually every case that has been resolved has ended with the enterprise settling with the plaintiffs.
Most attorneys will tell you that settling makes much more sense than going to court. One of the primary reasons for this is that it is less expensive to settle. Going to court means there will be expenses for attorney fees, expert witnesses, extensive depositions during discovery, travel and time. Settling eliminates the majority of those expenses. Another important reason to settle a data breach lawsuit is publicity. Details of the case can be kept private if the company settles. It’s bad enough that the company has to settle with customers or partners affected by a breach, but to have the data breach lawsuit drawn out in court and to make the details public record is not good for business. Sometimes trials can take years to come to a decision and that in itself is costly and a reputation risk.
Even if the company wins the case, the affected party can still drag the process out longer with an appeal. During settlement discussions, there is more flexibility as to what can be said and how evidence is provided. In a court case, there are rules of evidence and procedure that make it cumbersome, time-consuming and, again, expensive. Lastly, a settlement carries no finding of guilt: it is a way to pay for an error on the part of the company without admitting liability.
So when does a data breach lawsuit go to court? Almost never, but if the settlement terms are not fair and would exceed the cost of going to trial, then the latter is the better option. However, the affected party is ultimately the one that decides whether or not to settle.
The CISO should never assume one way or the other whether a data breach lawsuit will be settled. He should always take due care to preserve the chain of custody, ensure computer systems are not tampered with, whether accidentally or deliberately, and preserve affected systems according to the rules of evidence. The CISO has no influence over which way the case will go, but evidence preservation is not something to leave to the attorneys. Just make sure that if the data breach lawsuit goes to trial, you have done everything to maintain the integrity of the affected systems and evidence.
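The evidence-preservation duty described above comes down to being able to show later that what is handed over is bit-for-bit what was collected. The following is an added example, not code from the original article: it builds a SHA-256 manifest of an evidence directory, appends chain-of-custody entries (who handled it, when, and the digest of the manifest they handled), and re-verifies the files so that any later modification, accidental or otherwise, is detected. The directory layout, file names, handler names and log lines are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """Map every file under evidence_dir (relative POSIX path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_digest(manifest):
    """One digest over the canonical JSON form of the manifest, so the
    custody log can reference the exact set of hashes that was handled."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def record_custody(log, action, handler, manifest, note=""):
    """Append one chain-of-custody entry (who, when, what) and return the log."""
    log.append({
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "handler": handler,
        "manifest_sha256": manifest_digest(manifest),
        "note": note,
    })
    return log


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose current hash differs from the manifest,
    including files that were added or removed since the manifest was built."""
    current = build_manifest(evidence_dir)
    return sorted(p for p in set(manifest) | set(current)
                  if manifest.get(p) != current.get(p))


def demo():
    """Constructed walk-through: acquire, log, verify, then detect a later edit."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed placeholder evidence files (not real images or logs)
        with open(os.path.join(evidence_dir, "webserver-disk.img"), "wb") as f:
            f.write(b"placeholder disk image bytes\n" * 1000)
        with open(os.path.join(evidence_dir, "access.log"), "wb") as f:
            f.write(b'10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512\n')

        manifest = build_manifest(evidence_dir)
        log = record_custody([], "acquired", "analyst-A (hypothetical)", manifest,
                             "imaged from write-blocked disk")
        clean = verify_manifest(evidence_dir, manifest)  # expected: []

        # Simulate an accidental edit to the log file after acquisition
        with open(os.path.join(evidence_dir, "access.log"), "ab") as f:
            f.write(b"# edited after acquisition\n")
        tampered = verify_manifest(evidence_dir, manifest)  # expected: ["access.log"]
        record_custody(log, "verified", "analyst-B (hypothetical)", manifest,
                       "mismatches: %s" % tampered)
        return clean, tampered, log


if __name__ == "__main__":
    clean, tampered, log = demo()
    print("mismatches at acquisition:", clean)
    print("mismatches after edit:", tampered)
    print(json.dumps(log, indent=2))
```

In practice the manifest and custody log are written to separate, access-controlled storage (and the manifest digest recorded on paper or in the case file) so that a change to the evidence cannot be covered by quietly regenerating the hashes; the example keeps everything in memory only so that it runs stand-alone.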