In August 2021, T-Mobile suffered a cyberattack that compromised the personal information of more than 75 million consumers. The subsequent class action lawsuit resulted in the mobile telecommunications company agreeing to a $350 million settlement, according to CNET.
T-Mobile is not the first company to experience such a large-scale, costly breach. In 2019, credit bureau company Equifax agreed to pay up to $700 million as a part of its settlement with the Federal Trade Commission following a 2017 data breach affecting 147 million people.
The final approval hearing for the T-Mobile class action lawsuit is scheduled for January 20. If the settlement gets that final approval, it will be the second highest US data breach payout following the Equifax settlement, according to CNET.
“A large settlement like this can influence decisions about the types of damages that are considered to be coverable, the amount of damages that should be awarded, and the legal standards that should be applied to determine liability,” Stephen Toland, an attorney and head of the Austin office of law firm FBFK, tells InformationWeek.
Data Breach Scrutiny
Any company that safeguards the personal data of millions of consumers is at risk of cyberattacks, data breaches, and the resultant expensive regulatory and legal ramifications. That data breach scrutiny is likely to increase.
“There’s a burgeoning number of Attorneys General investigations against corporations that maintain sensitive personal information such as health records and financial information [and] credit card and other sensitive private information of their customers,” says Michael J. Faul, a shareholder of law firm Herold Law.
In July, T-Mobile released a statement on the proposed settlement and its plans to enhance its cybersecurity strategy. The $350 million settlement is a clear signal of the importance of investing in cybersecurity to minimize the risk of expensive data breaches.
“We’ve seen time and again that companies often require painful -- and costly -- motivation to act on security needs. Some companies are so focused on their products, services, and revenue streams that it takes hefty fines and consequential settlements for them to realize the cost of poor security posture,” says Chris Patteson, field risk officer at software company LogicGate.
Breaches like the one that occurred at T-Mobile serve as warnings for other companies. “Too many companies rely on a false sense of security, a belief that, ‘It will never happen to us.’ Meanwhile, cyberattack numbers don’t lie -- nearly every business has endured some kind of breach,” according to Patteson.
Costly Reputational Damage
Beyond the financial impact of a lawsuit or regulatory fine, companies also face the prospect of costly reputational damage. “The financial impact of a fine may be less significant in motivating organizational investment in cybersecurity than the potential reputational damage or loss of consumer trust that could result from the data breach,” Toland says.
The possibility of multimillion-dollar consequences can be an effective motivation for companies to invest in cybersecurity basics -- things like security patching and awareness training -- and more robust preventative strategies. But risk mitigation is just that; it does not mean a breach will never happen. “No matter how sophisticated the IT organizations employed to firewall against cyberattacks, breaches are inevitable,” Faul says.
If and when a breach happens, organizations have to determine how to pay for fines and settlements. Cyber insurance can help cover the costs, but eye-watering settlements, like T-Mobile’s, indicate increased risk to insurance providers. “The obvious and immediate collateral impact to organizations industry-wide will be the continual rise in cyber insurance premiums and deductibles,” Toland says.
Companies may also increasingly seek damages from third parties responsible for data breaches. And third parties often are responsible. A survey of more than 600 IT professionals, conducted by cyber risk management company CyberGRX and research center Ponemon Institute, found that 53% of respondents had dealt with a third-party breach within the past two years.
In 2015, T-Mobile suffered another large data breach. The company used $10 million from its settlement with its vendor involved in the breach to satisfy its cyber insurance deductible with a Zurich American insurance unit, Bloomberg Law reports. The insurance company attempted to argue that T-Mobile could not use a third-party payment to cover the deductible but lost that argument in a Washington appeals court. The insurer is obligated to cover T-Mobile’s losses related to the 2015 breach.
Other companies could follow in T-Mobile’s footsteps when working through the aftermath of third-party breaches.
“I think the bigger changes coming as a result of this T-Mobile settlement will be that cyber insurance policy holders will be more aggressive in seeking recovery from third-party vendors as more cyberattacks target third-party weaknesses and insurance deductibles continue to rise,” Toland expects.