On or around July 17, 2015, UCLA Health suffered a cyberattack that affected approximately 4.5 million individuals’ personal and health information.  A week later, the Regents of the University of California were hit with a series of class action suits related to the breach.  After four years of litigation, the matter is coming to a close.  On June 18, 2019, the court will finally determine whether the settlement reached by the parties is fair, reasonable, and adequate.  At present, the total cost of the settlement may exceed $11 million.  This settlement is just one example of how a privacy incident can embroil an organization in costly litigation for years after the initial incident and underlines the benefits of implementing secure systems and procedures before an incident occurs.

The proposed settlement will require UCLA to provide two years of credit monitoring, identity theft protection, and insurance coverage for affected persons.  UCLA will also set aside $2 million to settle claims for any unreimbursed losses associated with identity theft.  UCLA will spend an additional $5.5 million plus any remaining balance on the $2 million claims budget towards cybersecurity enhancements for the UCLA Health Network.  In total, there would be $7.5 million dollars set aside to reimburse claims and enhance security procedures.  However, UCLA must also cover the up-to $3.4 million in fees and costs of the class action plaintiffs’ attorneys.

So in addition to its own attorney’s fees and costs (which are likely substantial), UCLA is positioned to spend an additional $3.4 million to cover the fees and costs for the plaintiffs.  Between spending on your own and a plaintiff’s legal fees, it is always preferable to be proactive and mitigate security risks.  Robust security systems and procedures can reduce the chance of an incident occurring in the first place and mitigate risk to individuals and your organization if an incident occurs.

Our Take:

The recent UCLA settlement is a powerful illustration of the cost in time and treasure of a security incident. Four years of distraction litigating, fielding regulatory inquiries, and performing internal reviews, contains intangible costs that go beyond the $11 million price tag. No amount of preparation will eliminate the risk of a security incident, but organizations have control over their own risk posture towards these incidents. Secure systems and procedures mitigate risks, improve public perceptions, and reduce regulatory zeal.