Portfolio monitoring and asset recovery of growing global securities class actions can be daunting. Broadridge can help simplify the complex.

Data Breach Securities Class Actions: Record Settlements and Investor Claims on the Rise

Data breach related securities class action filings are on the rise.¹ These lawsuits are based on allegations that companies misrepresented or misled investors about cybersecurity events, such as data breaches or security vulnerabilities, causing stock prices to fall when the truth is revealed. Data breaches have increased steadily since 2020² and this surge in breaches and cybersecurity incidents has led to more shareholders filing securities class action claims. This year we have witnessed significant settlements, including three of the top ten largest data breach related securities class action settlements, totaling $560 million.

Increased Frequency of Data Breaches

In response to the rising number of data breaches, corporations are investing heavily in cybersecurity measures to protect their data. In 2023, organizations spent $188 billion globally on implementing cybersecurity measures, a figure projected to rise to $215 billion in 2024.³ Despite these investments, the number of data breaches in the United States have nearly tripled since 2020, with a record 3,205 data breaches in 2023.⁴ A 2023 survey of over 1,000 businesses worldwide found that 72.7% had fallen victim to ransomware attacks, coinciding with the record number of data breaches in the United States⁵ leading to over $1 billion in ransoms being paid to cybercriminals last year.⁶

⁷

Effects of Data Breaches on Shareholders

Data breaches have significant financial repercussions for shareholders, as their investments often decline in value. An analysis of 28 public companies that experienced data breaches revealed an average 7.27% share price drop following the breach, with financial and technology companies impacted the greatest.⁸ Financial companies saw a 17% decrease in value against the NASDAQ within the first 16 trading days post-breach and continued underperforming the NASDAQ by 2% even six months later.⁹

On average, it takes 46 days for a company’s stock price to rebound to pre-breach levels, and not all companies are able to fully recover.¹⁰ However, even when stock prices do rebound on paper, one study found that when stocks showed a near 18% increase in the two years after a data breach, these stocks still underperformed the NASDAQ by 11.35% on average, resulting in a “loss” for investors. ¹¹

2024 Brings Large Securities Data Breach Settlements

The rise in data breaches and cybersecurity incidents has led to increased data breach related securities class action filings. These cases reflect a broader trend known as “event driven litigation,” where a significant event or development, such as the disclosure of a data breach or security vulnerability, triggers a drop in a company’s share price and forms the basis of the class action, rather than traditional accounting fraud or financial misrepresentations.

Thus far, 2024 has been a banner year, featuring the first, second, and sixth largest data breach related securities class action settlements of all time, totaling $560 million. These cases involved alleged failures to disclose data breaches or material aspects relating to how customer data is secured.

Regulations Worldwide – More Class Actions to Come?

In July 2023, the SEC adopted new cybersecurity risk management rules which require public companies to disclose any cybersecurity incident which would be deemed material to investors on an 8-K form. These disclosures must be made within four days of when the company deems the breach (or series of related smaller breaches) to be material, and the disclosures must include both the quantitative and qualitative impacts of the incident.

At least two major disclosures under the new SEC 8-K requirements have already fallen short of compliance.¹² UnitedHealth Group's February 22, 2024, disclosure of a suspected unauthorized nation-state intrusion and Microsoft's January 19, 2024, disclosure of an email hack both failed to list quantitative impacts, mentioning only qualitative ones.¹³ In fact, within the first 100 days of the new SEC regulations enactment, 73% of 8-K reports did not state whether the breach had a material impact, and only one that did included quantitative effects.¹⁴ As companies adjust to these new disclosure requirements, we expect filings if it is later revealed that certain quantitative impacts existed and were not reported.

Other countries have adopted similar disclosure requirements. Article 33 of the European Union’s General Data Protection Regulation requires disclosure of the breach within 72 hours of learning of the breach and without undue delay. The disclosure must include the likely consequences of the breach, and the measures to be taken by the company to address the breach and mitigate any possible adverse effects. Australia’s Privacy Act also has disclosure requirements, where an eligible data breach¹⁵ must be reported to affected individuals. The breach must also be reported to the Australian Information Commissioner, and this notification must contain the contact information of the notifying entity, a description of the data breach, the kind of information concerned, and recommendations to individuals regarding the steps they should take to minimize the impact of the breach.

Due to the global scale of these regulations, we expect to see an increase in securities class action filings related to cybersecurity disclosures across multiple jurisdictions.

Final Thoughts

The rapid growth of event-driven data breach related securities class actions calls for increased vigilance regarding data breaches, claim filings, and compliance with new regulations. With the rising frequency of these class actions globally, investors must stay informed to maximize their recovery opportunities.

Each year billions of dollars are being left on the table. 

Find the right advocate who can help you maximize recoveries.

_{¹ In this article, we use the term "Data Breach" to refer broadly to all related incidents, including breaches, data privacy concerns, cybersecurity threats, security vulnerabilities, and other similar occurrences.}

_{² Ani Petrosyan, Annual Number of Data Compromises and Individuals Impacted in the United States from 2005 to 2023, Statista (Feb. 12, 2024), https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed.}

_{³ Stuart Madnick, What’s Behind the Increase in Data Breaches?, Wall St. J. (March 15, 2024), https://www.wsj.com/tech/cybersecurity/why-are-cybersecurity-data-breaches-still-rising-2f08866c.}

_{⁴ Petrosyan, supra note 2.}

_{⁵ Ani Petrosyan, Annual Share of Organizations Affected by Ransomware Attacks Worldwide from 2018 to 2023, Statista (Mar. 28, 2024), https://www.statista.com/statistics/204457/businesses-ransomware-attack-rate/.}

_{⁶ Ransomware Costs Businesses Record-High $1 Billion in 2023: Your 5-Step Plan to Prevent Attacks in 2024, Fisher Phillips (Feb. 21, 2024), https://www.fisherphillips.com/en/news-insights/ransomware-costs-businesses-record-high-1-billion-in-2023.}

_{⁷ Petrosyan, supra note 2.}

_{⁸ Cybersecurity Breaches and Their Impact on Corporate Stock Prices, Cap. Tech. Univ.: Capitology Blog (May 18, 2020), https://www.captechu.edu/blog/cybersecurity-breaches-and-their-impact-on-stock-prices.}

_{⁹ Id.}

_{¹⁰ Keman Huang et al., The Devastating Impacts of a Cyber Breach, Harv. Bus. Rev. (May 4, 2023), https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.}

_{¹¹ Chris Brook, Data Breaches Have Lasting Effect on Stock Price, Digit. Guardian (Aug. 22, 2022), https://www.digitalguardian.com/blog/data-breaches-have-lasting-effect-stock-price.}

_{¹² Bob Zukis, Companies are Already Not Complying with the New SEC Cybersecurity Incident Disclosure Rules, Forbes (Mar. 4, 2024), https://www.forbes.com/sites/bobzukis/2024/03/04/companies-are-already-not-complying-with-the-new-sec-cybersecurity-incident-disclosure-rules/}

_{¹³ Id.}

_{¹⁴ Charu A. Chandrasekhar et al., 100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned, Debevoise & Plimpton (Mar. 28, 2024), https://www.debevoise.com/insights/publications/2024/03/100-days-of-cybersecurity-incident-reporting.}

_{¹⁵ An eligible data breach is one that is likely to result in serious harm to any of the individuals to whom the information relates.}