The Nebraska Legislature recently introduced a bill (LB 241) to provide protection from liability for cyber breaches in which PII or PHI were breached. The bill provides protection for a private entity from liability “unless the cybersecurity event was caused by willful, wanton or gross negligence on the part of the private entity.” The bill is one of several such bills which have either been passed or are under consideration by several states.

Impetus for the Bill

The increases in data breach class actions, ease of filing and rising settlements are just some of the motivations for this legislation. In 2017, the number of data breach class actions was under 200, while in 2024 the number of class actions filed was just short of 1500.¹ Each data breach notification brings a number of class actions, especially for large data breaches. A company facing notification requirements can expect a suit shortly after the letters are mailed.

Data breaches are unique in that companies must disclose an event which may lead to a lawsuit. Adding to the issue, many state Attorneys General publish data breach notifications on their websites. It is an easy task for a plaintiff’s attorney to find a notice, find a victim and then file a complaint using a template from a prior class action. The ease of the process is inviting even more attorneys to this practice.

This rise in the number of class action cases has also led to a rise in the amount the plaintiffs’ attorneys are demanding to settle the suits. Some of the bigger settlements are well known and published, such as:

1. Meta — $1.3 billion.
2. Didi Global — $1.19 billion.
3. Amazon — $877 million.

It is troubling that foreign threat actors/hackers are able to wreak havoc on private entities and there is little the company can do about it after the fact.
Then, to add insult to injury, plaintiffs’ attorneys attempt to collect fees on behalf of affected individuals in class actions, but the vast majority of the money is collected by the attorneys and very little, if any, actually inures to the benefit of the victims. A couple of examples are as follows:

1. In re Wright & Filippis LLC Data Security Breach Litigation class action settlement:
   ◦ The attorneys received a percentage of a $2.9 million settlement.
   ◦ The victims received credit monitoring worth an estimated $30 each.
2. Crumpton v. Octapharma Plasma Inc. class action settlement:
   ◦ The attorneys received a percentage of a $9.9 million settlement.
   ◦ The victims received approximately $400 to $800 based on submitted claims.

16 NEBRASKA BANKER