Class Action lawsuits are the standard in data breach litigation. In fact, almost every data breach case I have researched over the past few years was filed in that format. Class Actions are brought when a single defendant harmed a number of the same people. One of the alleged harmed is listed as a representative in the class and an attorney or a large group of attorneys represent all of the class in a single lawsuit. Most of these lawsuits are pursued in Federal Court, because of the different locations of the plaintiffs and straightforward rules regarding the certification of plaintiffs as a common class. They must have questions of law or fact common to the class.

I used to get notices all of the time to join lawsuits as a member of a class (credit card interest rate violations, extra cell phone charges by the provider, recall notices that weren’t properly given) and ignored most of them. The few I did respond to, I remember getting a settlement check just big enough to buy a happy meal. The other thing I remember was the sheer number of plaintiffs involved drove the entire settlement amount well up into eight figures. While I received $2.37 for my share of the award, attorneys were filing requests for the court to approve 25% of the total settlement of their attorney fees, which was somewhere near $5 million. Another way of computing attorney fees is looking at the fees separate from the award using professional guidelines, namely the “lodestar method”.  In some cases in which their clients receive no monetary amount, but instead goods or services, the court can still award the class action attorneys legal fees paid by the defendant.

If you remember the Office of Personnel Management Data Breach several years ago in which some of you were affected by, you know that subsequent litigation against OPM and its security contractor was settled only a matter of a few weeks ago. The amount agreed upon was $63 million, and members of the class are able to submit claims for anywhere from $700.00 upwards. No surprise, shortly following the settlement, plaintiff’s lawyers filed a motion for the Federal District Court, D.C., to approved attorney fees for $8.5 million dollars. These fees will be spread out amongst multiple law firms.

According to court documents, the plaintiff attorneys refer to the “lodestar method” of computing attorney fees in which several factors, such as time spent on the case, the normal hourly rate of the firm, and the complexity of the case are put into a formula that in turn, generates a number that represents the amount the class attorneys are justifying to the court.

Some of the interesting points of the motion include:

  • The numbers are separate and not part of a contingency fee, but if they were, would only be 12% of the entire award.
  • The award request is consistent with similar awards.
  • The customary hourly for the plaintiff firms is around $1,000.00 per hour.
  • The case took a lengthy amount of time to settle so current hourly rates should apply
  • The case was unique due to highly technical data security issues and a nation-state attacker.
  • The plaintiff attorneys achieved a very good result for their clients, in light of the risk of further litigation.

Whether or not this fee request is rational, it is clear that data breach class actions are here to stay. If you happen to be a victim of something like the OPM case, consider all of your options and understand the length of time involved to get a result.

Related News

Joe Jabara, JD, is the Director, of the Hub, For Cyber Education and Awareness, Wichita State University. He also serves as an adjunct faculty at two other universities teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.