In the past couple of years, business email compromise (BEC) attacks have dramatically increased. As a result, corporate victims of BEC attacks have been increasingly subject to class action litigation on behalf of their employees or customers whose information may have been accessed or disclosed in the BEC attack. This article examines the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.
Likelihood and Success of Litigation
BEC attacks can take many forms, but one of the most prevalent forms involves an email scam designed to obtain employee tax return information. These attacks, known as W-2 phishing attacks, have triggered the majority of the class action litigation relating to BEC attacks and therefore provide a useful basis for analyzing potential litigation from all forms of BEC attacks.
In a W-2 attack, a third party typically sends company employees an email that appears to be from a company executive. The email will likely ask the employee to reply with the Form W-2 of every company employee, and the employee often complies with the request. Attackers seek employee W-2 forms because information such as the employee’s Social Security number and tax withholding can be used to perpetrate fraud against company employees, including identity theft, the filing of fraudulent tax returns, and the opening of fake bank accounts or credit cards. Since 2016, over 375 companies have disclosed that they were the victims of successful W-2 attacks.
Despite the large number of apparently successful W-2 attacks, the total number of class action lawsuits stemming from W-2 attacks is relatively low—only 18 such lawsuits have been identified. While several factors might contribute to a decision to file (or not file) a lawsuit, all 18 of these cases have been filed since the beginning of 2016, suggesting that class action litigation resulting from BEC attacks might continue to become more frequent. Following public disclosure of a W-2 attack, companies can expect potential class action litigation to be filed relatively quickly (if filed at all), with over 40 percent of such cases being filed within six weeks of public disclosure.
Companies can also expect that class action litigation related to a W-2 attack will be filed in federal court, which has occurred in over 75 percent of such cases. Of these cases, courts have ruled on a motion to dismiss in only five cases, with other cases being in the early stages of litigation or having been voluntarily stayed, settled, or dismissed. Consistent with recent decisions in other types of class action data breach litigation, such as Attias v. CareFirst, Inc., the majority of courts that have ruled on a motion to dismiss in the W-2 class action context have found that the plaintiffs had Article III standing.
Notably, an increased risk of fraud or harm was found to be sufficient for standing, and plaintiffs were not always required to have pleaded any out-of-pocket losses. In the one instance where the court granted a motion to dismiss for lack of standing, the plaintiff’s complaint had failed to adequately distinguish her injuries from those of the class. The plaintiff, however, promptly filed an amended complaint to address this error and the defendant elected to file an answer rather than another motion to dismiss. Thus, W-2 class action litigation is not likely to be easily dismissed on standing grounds.
After finding that plaintiffs had Article III standing, courts have examined whether plaintiffs have adequately pleaded their common law claims, such as negligence, breach of implied contract, and invasion of privacy, and their state statutory claims, such as claims under unfair and deceptive trade practices acts or unfair competition laws. In every W-2 class action involving a motion to dismiss, courts have found that plaintiffs have adequately pleaded at least one claim. The most common surviving causes of action are negligence and breach of implied contract, while courts have typically dismissed claims based on negligence per se, breach of contract, and invasion of privacy. Companies have thus had little success in dismissing such class actions in the early stages of litigation.
Five of the federal court class actions relating to W-2 attacks have either settled or are pending court approval of a proposed settlement. In addition to attorneys’ fees, the settlements typically consist of two components: two years of identity theft protection services, and out-of-pocket costs incurred by class members, such as the cost of self-purchased identity theft protection, costs paid to accountants or attorneys to assist in resolving tax fraud, or overdraft fees paid to financial institutions as a result of the BEC attack. Settlement documents typically estimate that the value of the identity theft protection offer is $350 to $500 per person, based on what it would cost a consumer to purchase the same services directly from the identity theft protection vendor, although a company might be able to negotiate a lower cost per person for the hundreds or thousands of individuals whose information was the subject of the BEC attack.
Reimbursements for out-of-pocket costs are usually handled in one of two ways. In some cases, class members are allowed to seek reimbursement up to a fixed amount, which usually ranges from $3,500 to $5,000 per person. In other instances, the reimbursement of out-of-pocket costs is subject to a cap that varies based on the type of cost at issue. For example, the settlement of Whitehead v. Advance Stores Company Inc. provided up to $750 for those individuals who were a victim of tax fraud and paid a tax preparer or attorney to notify the IRS or assist in resolving the tax fraud. That same settlement provided up to $1,250 for victims of identity theft who experienced unreimbursed payment card charges or who otherwise paid fees to a financial institution due to the BEC attack.
These settlement costs suggest that companies could pay tens of millions to settle a W-2 class action. For example, in Castillo v. Seagate Technology LLC, Seagate’s exposure from the identity theft protection offer alone was reported to be $5.75 million, based on the retail cost of providing two years of identity theft protection to all potential class members (~$480 per person multiplied by 12,000 potential class members). If potential out-of-pocket costs are also included, Seagate’s total potential exposure from the settlement would increase by an additional $42 million ($3,500 per person multiplied by 12,000 potential class members).
Despite gaudy maximum settlement values, companies that are victims of W-2 attacks are unlikely to pay the maximum allowed under a settlement agreement. This is because settlements typically require class members to sign up for the identity theft protection services and to submit documentation of their out-of-pocket expenses, and in each case the rate of class member participation is typically quite low. As an example, the Advance Stores settlement yielded claims from only 39 class members (and 9 class members opted out), out of a possible 101,400 affected individuals. Likewise, one of the largest credit card data breaches ever involved a class of over 100 million cardholders, but resulted in the submission of only 290 claims, 11 of which the company estimated were valid (In re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation). In addition to low participation rates, another reason companies usually do not pay the maximum allowed by a settlement is that the dollar amount of the out-of-pocket claims in W-2 and data breach cases is usually far below the maximum allowed by settlement agreements.
Successful BEC attacks, such as W-2 attacks, are more likely than ever to trigger class action litigation. Such litigation is likely to be filed in federal court and companies have not experienced much success in dismissing such suits in their early stages. Settlements typically include high costs per class member, but such costs might be mitigated by a low rate of participation in the settlement by class members.
Even though several other W-2 class actions are currently pending, these trends appear unlikely to reverse themselves in the near term. Consequently, companies should consider enhancing employee training and technological tools to detect and prevent successful BEC attacks. In addition, companies should consider obtaining cybersecurity insurance to cover the investigation, remediation, litigation, and/or settlement costs from a successful BEC attack.
Sunil Shenoi, Seth Traxler and Gianni Cutri are partners at Kirkland & Ellis LLP and advise clients on a variety of data security issues, including responding to data security incidents, representing clients in data security litigation, and counseling clients on data security diligence.
REPRINTED WITH PERMISSION FROM THE FEBRUARY 22, 2018 EDITION OF CORPORATE COUNSEL © 2018 ALM MEDIA INC. ALL RIGHTS RESERVED. FURTHER DUPLICATION WITHOUT PERMISSION IS PROHIBITED