Sensitive data pertaining to millions of people was compromised in the data breach at the U.S. Office of Personnel Management. I suspect that millions of those people smiled when they heard about the class-action lawsuit filed against the OPM. They would like some recompense for the incredible hassle that data breach caused them. And they probably want to see the OPM pay for its mistakes. Unfortunately, those smiles are probably about all they will get out of the lawsuit.
Although class-action lawsuits can result in some seemingly very large settlements, the members of the classes in question hardly ever see much money from them. Such lawsuits are essentially a transfer of wealth from the defendant to the attorneys filing the lawsuit. That sounds like cynicism, but it's realism. Because class actions are fairly common and can cover enormous classes of people, you've probably qualified for a payout from at least one of them in the past year. When you looked into it, did it seem worth your time to qualify? If you did bother to be established as a member of the wronged class, did you get any significant amount of money as a result? I seriously doubt it.
Let's take the Target class-action lawsuit as an example. Supposedly, more than 100 million people had their credit cards and personal information compromised in that breach. The credit cards were abused and had to be canceled. People had to contest charges made to their accounts. Naturally, some outraged lawyers decided something had to be done about that and filed a class-action lawsuit. (I'm kidding, of course; if the lawyers were outraged, it was at the possibility of being shut out when Target had to pay up, since other class-action attorneys were fighting to file the cases first and claim their share of the money.)
According to the terms of the Target settlement, $10 million was to be set aside to pay damages to the affected individuals. Does that sound like a lot of money? Not when it's shared out over 100 million people. It amounts to less than 10 cents per victim. Let's say that the number of victims was badly exaggerated, though. Cut it in half, to 50 million, and you're up to 20 cents per victim. Or let's say that only 10% of the victims seek compensation through the lawsuit. Hey, now you're talking real money: $1 per victim. If your only cost in filing your claim was postage, you're ahead, right?
In any case, each member of the Target breach class can be reimbursed for up to $10,000 in damages. In other words, at best you might be made whole, but you can't get anything beyond the compensation; there are no punitive damages. And to claim that money, you have to prove damages with the appropriate paperwork. Your time and aggravation are not reimbursable.
So that's what the members of the class -- you know, the actual victims -- are set to get per the settlement the lawyers arranged. How about the lawyers themselves? Well, they have asked for $6.75 million. Like the victims, they will have to share that payout, and there are five law firms involved. Still, I think it's safe to say that there's nothing like a million lawyers involved (though it always feels that way) -- they'll do much better than 10 cents or a dollar each. But be assured, they won't charge you for helping you get your $1. That's the kind of good-hearted people they are.
Some victims will do better than others. The ones whom the lawyers tracked down to serve as the class representatives had to show up for depositions, and their names were used to facilitate the lawyers in getting their $6.75 million. The attorneys were very generous to these people, requesting that they receive a whopping $500 each for all of their time and trouble.
That could be the extent of the riches that victims will see from the class-action lawsuit regarding the most infamous credit card hack in history, a breach in which thousands of people experienced actual damages. There is no reason to think the class action regarding the OPM hack will turn out any differently.
The filing for the OPM lawsuit makes reference to the Privacy Act of 1974. That act specifies statutory damages of $1,000 per incident. This means that any person who had their data compromised, whether they suffered losses or not, can be awarded $1,000 if it is determined that there was a violation of the Privacy Act. The specter of such a requirement can serve as a powerful inducement for organizations to settle a lawsuit. Think about it. If the case goes to trial and a violation of the Privacy Act is found, the OPM could be held liable for $1,000 per individual in the class action. With potentially 30 million victims in this case, that would come to $30 billion. I suspect most parties to the class action would be happy with that $1,000, but the lawyers are much more inclined to settle. That's how you end up with the law firms raking in millions while the victims gather a few cents.
I have reason to hold such a jaded outlook on this topic. I have talked to attorneys who engage in class actions. One thing they say to justify their deeds is that such lawsuits are not really about reimbursing the victims, but rather about setting up incentives that can change the processes that resulted in the damages at the root of the lawsuit. They also say that victims who would prefer to hold out for a judgment that actually might compensate them are being greedy.
But does the threat of making huge payments in class-action lawsuits actually change any processes? All of the security improvements implemented by Target after the breach were put in place long before the legal settlement. Target reportedly had already incurred $191 million in costs, mostly spent on lawyers. The $10 million supposedly going to the affected consumers was inconsequential, as was the additional $6.75 million earmarked for the lawyers. It's hard to see how the class-action lawsuit had anything to do with any changes in the processes used by Target.
The potential for damage that resulted from the OPM breach is so large that many of us would probably be happy to see that organization called to account and told to pay up a lot of money. But we have to leaven that satisfaction with the realization that most of the money will be going to attorney Gary Mason and his firm, Whitfield, Bryson & Mason. There is also the possibility that a good portion of the money will go to the American Federation of Government Employees (AFGE), a union naming itself as a plaintiff in the class-action case filed by Mason. Watch carefully how much money this group gets for the compromise of your information. As for you, the consumer, if you were a victim of the OPM breach, you will get nothing unless you can show damages. And if China was indeed the source of this compromise, as has been reported, you probably won't suffer tangible damages. At best, you can file to receive a piece of the negotiated settlement not allocated to damages. This will likely amount to less than $1.
Finally, keep in mind that any settlement paid by OPM, an agency of the federal government, will ultimately be paid by us, the taxpayers. So if there is a settlement, the net result is that we the people will have basically paid Gary Mason millions of dollars.
Keep smiling. Gary Mason sure is.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.