The class action settlement figure relating to the 2017 data breach at Equifax is winding its way slowly through the courts, but a judgment of $1.4B was upheld last week by the Eleventh Circuit. Included in that figure is more than $75M in attorneys' fees, plus a cash fund for the plaintiffs of $380.5M and data security efforts of $1B. The award has been remanded to vacate certain incentive awards to class representatives, however, and therefore is not final.
The Equifax breach involved the financial records of almost half the country -- 147M Americans felt the fallout of the incident. The Equifax matter predates modern comprehensive privacy laws, which, at least for California residents, could permit assessment of statutory damages without a class action. The incident at Equifax stemmed from a failure to apply a widely available security patch to the affected software.
The Equifax settlement shows the true cost of data incidents to the companies that suffer them. Generally speaking, the bulk of the costs of an incident do not come from consumer exposure. Rather, the exposure comes from the business cost of upgrading systems and workflows, planning, securing the environment, and covering litigation. The balance of the cost may shift now that California has allowed for statutory damages following a breach, but the lesson remains the same: dollars spent on prevention and planning are a cheaper way to manage data security and privacy than litigation and settlement.