Data Breach Settlements Are Multiplying — and the Per-Person Payouts Are Getting Smaller Every Year

Announcements of data breaches now follow an odd rhythm. Typically on a Friday afternoon, a business notifies employees via email that “certain personal information may have been accessed by an unauthorized party.” The entire text is never read. A few months later, you receive a legal notice in your email stating that you are eligible to make a claim. You click, complete a form, and after perhaps eighteen months, a $7.34 check shows up. It’s difficult to ignore how commonplace this has become.

Every year, the numbers underlying this custom become more bizarre. The number of documented data breach incidents in the US increased from 447 in 2012 to over 1,800 by 2022 and then to a record 3,205 the following year, almost tripling in just three years. Like gulls following a fishing boat, class actions follow the breaches. They increasingly result in massive aggregate settlements combined with minuscule individual payouts.

Everyone cites Equifax as an example. A $380.5 million fund was established by the 2019 settlement, with an additional $125 million available for out-of-pocket losses and a $1 billion commitment to data security expenditures. It appeared historic on paper. In reality, millions of people who applied for free credit monitoring received it, and those who requested the $125 cash alternative were informed that their share might be reduced to a few dollars because the fund was oversubscribed. There’s a feeling that what showed up in anyone’s mailbox wasn’t as important as the headline number’s appearance.

There is a structural component to the problem. Certain settlements are constructed “top-down,” allocating a single fund to each claimant. Some are “bottom-up,” such as the Chacon v. Nebraska Medicine case, where class members could receive up to $300 or up to $3,000 for extraordinary loss in addition to $20 per hour for time spent cleaning up the mess. There is no aggregate cap. The claim rates, which typically range from two to ten percent of eligible class members actually file, make it seem generous at first. The majority of people never even check their emails.

The victims in this story are different, but the securities side is more prominent and the checks are larger. The $560 million settlements for Alphabet, Zoom, and Okta made 2024 a historic year. These customers are not receiving reimbursement for Social Security numbers that were compromised. They are institutional investors, such as pension funds, retirement plans, and the Rhode Island Employees‘ Retirement System, which is spearheading the opposition to Google’s parent company. The real person whose information was exposed in the 2018 Google+ vulnerability? They are not at all in that class.

In the meantime, there has been uneven implementation of the SEC’s new four-day disclosure rule. Both Microsoft and UnitedHealth submitted 8-Ks that analysts and regulators deemed lacking in quantitative information. Nearly 75% of 8-K breach reports completely ignored the materiality question during the first 100 days of the rule. This could be nothing more than growing pains. It’s also possible that businesses have discovered that ambiguity is safer.

The lawyers, the hackers, or even the regulators don’t stand out when you watch all of this happen. It’s the gradual decline in the apparent value of a stolen piece of personal information. Ten years ago, plaintiffs contested the “diminution in value” of a Social Security number that had been leaked, treating the number as property. That argument seems almost archaic now that the same customer has experienced breaches number four or five. The settlements continue to grow. The checks continue to get smaller. Another Friday afternoon email is being written somewhere.