(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter.)
Equifax, one of the nation’s three major credit reporting agencies, recently announced a settlement worth several hundred million dollars for a 2017 breach that affected 143 million Americans. At first glance, this might seem like justice for the little guy. But a closer look shows that the ones who stand to get the biggest payoff are the well-heeled lawyers who crafted the deal. Moreover, the sharks have smelled blood in the water, so high-cost payouts of this kind could soon become the norm.
Costly private data breach settlements impose significant costs on businesses, but most of these funds do not go into the pockets of consumers. The details of the settlement show that, at a minimum, Equifax will pay $275 million in penalties and fees to government regulators. As a general matter, financial penalties are useful insofar as they force companies to feel the pain of data breaches and other privacy failures: a company that knows it will pay later is better off spending money now on stronger privacy and security controls. Indeed, as part of the settlement, Equifax has agreed that it “shall spend a minimum of $1 billion on data security and related technology” over the next five years.
Equifax also must pay $300 million to establish a consumer restitution fund. But the payout to individual consumers is minimal. Most consumers will simply opt to receive free credit monitoring for 10 years or a one-time $125 payment. But only $31 million of the settlement is available for these cash payments, which covers just 248,000 claims at $125 each. If more than 248,000 of the 143 million affected consumers claim the cash option, each payment will be reduced and the $31 million distributed among claimants on a proportional basis.
The lawyers in the class action lawsuit against Equifax, by contrast, have a guaranteed payday. They will receive $77.5 million in fees, plus reimbursement of up to $3 million in litigation expenses. Moreover, individual claimants can seek reimbursement of up to $20,000 per person for losses associated with the data breach, such as the cost of hiring a lawyer.
The Equifax settlement is not an anomaly among class action lawsuits; it is part of a new wave of privacy-focused class actions enabled by recent privacy laws. For example, the Illinois Biometric Information Privacy Act (BIPA), passed in 2008, requires companies to obtain written consent before collecting biometric information, to store the information securely, and to retain and delete it according to a publicly available policy. While a few other states have similar biometrics laws, BIPA is unique in allowing individuals, rather than the state attorney general, to seek damages for violations. These damages can be up to $5,000 per violation, plus attorney fees, expert witness fees, and other expenses. Moreover, earlier this year the Illinois Supreme Court ruled that plaintiffs do not have to show actual harm to sue companies for violations of BIPA, opening the floodgates for lawsuits. Indeed, whereas there were only six BIPA cases in 2015, an average of one new case has been filed every single day since the Illinois Supreme Court decision.
California’s new privacy law, the California Consumer Privacy Act (CCPA), also includes a private right of action, although it applies only to certain data breaches rather than to every violation of the law. Advocates have already tried and failed to expand the private right of action to cover any violation of the CCPA, and they will likely try again. Moreover, law firms are salivating at the prospect of Congress establishing a private right of action at the federal level, or at least not preempting states from creating their own. At least two significant proposals in Congress, Sen. Cantwell’s (D-WA) draft privacy framework and Sen. Markey’s (D-MA) Privacy Bill of Rights Act, have supported a private right of action.
As the Equifax case shows, these class action lawsuits typically yield relatively little for consumers; the main beneficiaries are lawyers. The better option is to strengthen data protection regulations and equip federal regulators with the resources they need to pursue violations and impose reasonable fines that act as deterrents. As Congress considers different proposals for federal data privacy legislation, it should keep a private right of action off the table.