What Happens When a Major Company Announces a Data Breach?


Data breaches have become an unfortunate fact of life for the corporate world as bad actors and the cybersecurity industry set up to stop them has become more and more sophisticated.

But what happens when a publicly traded company issues a data breach notification? For two recent victims of high-profile data breaches, the answer was almost immediate – litigation.

Credit reporting agency Equifax announced in September 2017 that a data breach had compromised personally identifiable information of 147 million people, according to the website governing the eventual class action settlement. Close to half the population of the United States was affected by the loss of “names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers, credit card numbers, or other personal information.”

According to Docket Alarm’s analysis of federal litigation involving Equifax, litigation followed almost immediately. Some cases concerning the data breach have filing dates of September 7, 2017, the same day that the breach was announced. While Equifax faces around 200 to 300 cases per month today, it faced 800 in September 2017. Filings remained high for the next few months as more cases were filed and consolidated into multidistrict litigation.

The top defendant’s law firms for federal lawsuits against Equifax include Clark Hill, Seyfarth Shaw, and King & Spalding.

On November 30, 2018, hotel chain Marriott announced that its guest reservation database had been compromised. The breach had been discovered just a few months before but had been active for years.

An overview of federal litigation involving Marriott reveals a similar spike in litigation filed against the company, this time in December 2018. During that month, 146 cases were filed against Marriott, ten times more than normal before and after the breach. (The visible spike in April 2017 is an unrelated cluster of bankruptcy matters). While not all of the 146 cases filed in December 2018 pertain to the data breach, the ones that did were eventually consolidated into a multidistrict case.

The breach’s effect is also manifest in data on Marriott’s law firm representation. Baker & Hostetler have represented Marriott on dozens of matters in the years after the data breach, but the number of new cases handled by the firm for Marriott has dwindled since.

A wide variety of plaintiff’s firms filed claims against Marriott in December 2018, the critical period for data breach litigation. Scott + Scott filed the most suits, while Joseph Greenwald and Laake, and Finkelstein Thompson were among the thirteen firms that filed more than one suit in the first month.