Is settling a data breach lawsuit the best option for enterprises?

In the unfortunate event of a data breach lawsuit, it's often better to settle before the case reaches court. Expert Mike O. Villegas explains why and how CISOs can help.

Many of the major data breaches in recent years have resulted in class action lawsuits, and virtually every case that has been resolved has ended with the enterprise settling with the plaintiffs. As a CISO, do you think settling is the best idea? Is a lawsuit something enterprises should prepare for in the event of a data breach? If so, how should they prepare?

Most attorneys will tell you that settling makes much more sense than going to court. One of the primary reasons is cost: going to court means expenses for attorney fees, expert witnesses, extensive depositions during discovery, travel and time, and settling eliminates the majority of those expenses. Another important reason to settle a data breach lawsuit is publicity. Details of the case can be kept private if the company settles. It's bad enough that the company has to settle with the customers or partners affected by a breach, but to have the data breach lawsuit drawn out in court and its details made public record is not good for business. Trials can sometimes take years to reach a decision, which is costly in itself and a reputation risk.

Even if the company wins the case, the affected party can still drag the process out with an appeal. During settlement discussions there is more flexibility as to what can be said and how evidence is provided; in a court case, the rules of evidence and procedure make the process cumbersome, time-consuming and, again, expensive. Lastly, settling is effectively a "not guilty" outcome: it is a way to pay for an error on the part of the company without admitting guilt.

So when does a data breach lawsuit go to court? Almost never, but if the settlement terms are not fair and would exceed the cost of going to trial, then trial is the better option. Ultimately, however, the affected party is the one that decides whether or not to settle.

The CISO should never assume that the data breach lawsuit will or will not be settled. He should always take due care to preserve the chain of custody, ensure that computer systems are not tampered with, accidentally or deliberately, and preserve the affected systems in accordance with the rules of evidence. The CISO has no influence over which way the case will go, and he shouldn't; leave that to the attorneys. Just make sure that if the data breach lawsuit goes to trial, you have done everything to maintain the integrity of the affected systems and the evidence.
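A concrete way to meet the preservation duty described above, as an added example that is not part of the original article: a Python script that records a SHA-256 manifest of the collected evidence files together with a hash-chained custody log, then reports any file or log entry that was altered afterward. The file names, custodians and file contents are constructed for the demonstration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
def sha256_file(path, chunk=65536):  # streamed, so a disk image need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
def build_manifest(evidence_dir):  # size and SHA-256 of every collected file
    files = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            files[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return {"files": files, "custody": []}
def entry_hash(event):
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
def record_custody(manifest, custodian, action):
    # Each event commits to the previous one, so a backdated edit breaks the chain
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else "0" * 64
    event = {"custodian": custodian, "action": action,
             "at": datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
    event["entry_hash"] = entry_hash(event)
    manifest["custody"].append(event)
def verify(evidence_dir, manifest):  # empty list means files and log are intact
    problems, prev = [], "0" * 64
    for name, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif sha256_file(path) != rec["sha256"]:
            problems.append(f"hash mismatch: {name}")
    for i, ev in enumerate(manifest["custody"]):
        body = {k: v for k, v in ev.items() if k != "entry_hash"}
        if ev["prev_hash"] != prev or ev["entry_hash"] != entry_hash(body):
            problems.append(f"custody log tampered at event {i}")
        prev = ev["entry_hash"]
    return problems
def demo():  # constructed evidence: collect, log custody, verify, tamper, verify again
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("auth.log", b"sshd: Accepted password\n"), ("mem.img", b"\0" * 1024)]:
            with open(os.path.join(d, name), "wb") as f: f.write(data)
        m = build_manifest(d)
        record_custody(m, "IR lead (constructed)", "collected")
        record_custody(m, "evidence locker (constructed)", "received")
        before = verify(d, m)
        with open(os.path.join(d, "auth.log"), "ab") as f: f.write(b"tampered\n")
        m["custody"][0]["action"] = "edited"  # simulated backdated log edit
        return before, verify(d, m)
```

Hashes should be taken at the moment of acquisition and the manifest stored apart from the evidence, ideally signed, since the script only shows the integrity check, not secure storage.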
