Why Haven’t There Been More Cybersecurity Class Action Lawsuits?

Product liability has been a significant area for class action litigation, with billions of dollars of awards made.

Recent litigation includes cases against Johnson & Johnson and Bayer, which began after the organizations’ products were found to increase the risk of cancer.

With all this class action litigation, it is somewhat surprising that cybersecurity has not seen its share. According to the Identity Theft Resource Center, 2021 saw more than 1,862 data breaches affecting 298 million people.

Meanwhile, the FBI estimates that these breaches cost nearly $7 trillion globally. You would expect that this obvious failure to protect information would bring out swarms of plaintiff lawyers, but it hasn’t.

One rather odd reason is the lack of damages. Almost half of the lawsuits related to cybersecurity breaches are based on negligence. For a negligence action to proceed, the plaintiff must have suffered damages. Real damages.

In Spokeo, Inc. v. Robins, the Supreme Court found that plaintiffs must demonstrate that they have suffered a concrete injury that can be traced to the defendant’s conduct. This bar has been difficult to overcome.

A case decided under a Civil War law may change this. The False Claims Act (31 U.S. Code § 3729) is “a federal statute originally enacted in 1863 in response to defense contractor fraud during the American Civil War.”

Under the Act, any person who knowingly submits a false claim to the government is liable for double – now treble – the government’s damages plus a $2,000 penalty for each false claim.

But what has this to do with cybersecurity? The answer lies in DoD (Department of Defense) contracts.

Contractual failures

The DoD receives an annual allocation of about $712 billion, which it uses to purchase items from about 300,000 contractors.

Under the DoD regulation DFARS 252.204-7012, contractors are required to implement NIST SP 800-171, but many have not.

Now the Department of Justice, as part of a joint program, will use the False Claims Act “to pursue cybersecurity related fraud by government contractors and grant recipients.”

The next question is obvious: What is in this for plaintiff lawyers and their clients?

Enter another obscure doctrine called qui tam. The False Claims Act allows private citizens to file suits on behalf of the government against those who have defrauded the government.

Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. In 2021, this amounted to more than $5.6 billion in settlements, of which more than $120 million was from DoD contracts.

The recovery range depends on whether the government decides to take the case. If it does, then 15–25% is the average; if the government chooses not to intervene, then it’s 25–30%.

This is what happened in the case of United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc. There, the district court denied the defendant’s motion for summary judgment of a False Claims Act count against Aerojet Rocketdyne for allegedly fraudulently inducing the government to enter into federal contracts when the company knew it was not compliant with cybersecurity requirements.

What’s interesting is that what seems to be an employment case for unfair termination is actually a case about the False Claims Act and qui tam.

It’s a milestone case because it allows any private individual to bring a case for the failure of an organization to have adequate cybersecurity, thus bypassing Spokeo. No damages are necessary because this involves a federal statute.

Limited scope

While effective, this route does not apply to every breach. Qui tam applies only in a handful of cases: those where a required cybersecurity system is missing or has failed.

These cases, like product liability cases, can be costly for any organization that is unprepared. The best preparation is to implement the most widely recognized cybersecurity framework, ISO 27001.

It’s the international standard for information security management, and can be used to help organizations comply with countless industry- and nation-specific laws and frameworks, such as HIPAA (Health Insurance Portability and Accountability Act) and CMMC (Cybersecurity Maturity Model Certification).

You can find out more about the benefits of ISO 27001 by downloading our free green paper: Cybersecurity and ISO 27001 – Reducing your cyber risk.

This guide explains the information security threats that your organization faces and demonstrates how the Standard can be used to bolster your defenses.