MOVEit Data Breach: Regulatory and Litigation Repercussions
Written by Supply Wisdom || Dilip N
The 2023 IBM Cost of a Data Breach Report revealed that 95% of the studied organizations experienced more than one breach. According to Verizon’s 2023 Data Breach Investigations Report, ransomware is present in more than 62% of all incidents committed by organized crime actors and in 59% of all incidents with a financial motive.
The severity of the situation continues to be evident with the 2023 MOVEit data breach, for which class-action lawsuits were filed against Progress Software and various other organizations for compromising the sensitive personal information of an estimated 40 million+ people and 600+ organizations.
Organizations incur costs when they lose data from a breach, and cybersecurity litigation accounts for a significant amount of these expenditures. Litigation is expensive and can continue for years after the initial breach, whether it’s a class-action lawsuit or litigation from residual consequences after consumers lose their data to identity thieves.
Data Breach Lawsuits Increasing in 2023
Businesses that fail to secure their customers’ information are likely to be sued, as impacted customers are no longer willing to tolerate incidents that cost them their privacy and cause them financial losses.
The 2023 Data Security Incident Response Report, which was created after gathering responses from more than 1,100 cybersecurity professionals, suggests that businesses’ tolerance levels have declined. Almost everyone who suffered consequences related to a data spill is likely to file, or has already filed, a lawsuit against their technology partners.
Following the significant MOVEit hack, the class-action lawsuit against Progress Software may pave the way for more legal action against software providers whose applications are exploited in extensive supply chain breaches.
Here are some recent cyber-related lawsuits that can dent the image and finances of the companies involved:
- A class-action lawsuit was filed against Capita plc by Barings Law Firm over the data breach.
- Johnson & Johnson and IBM face a class-action lawsuit over a patient data breach.
- CareSource sued for US$9.9 M in a data breach class-action lawsuit.
- Honeywell faces multiple lawsuits over data breach.
- Class-action lawsuits were filed against Progress Software and various other organizations in the wake of the massive MOVEit data breach.
- Financial Services firms TD Ameritrade and Prudential Financial were sued over the MOVEit data breach.
- TIAA faces a class-action lawsuit over the MOVEit data breach.
- Patients sued Johns Hopkins for data leaked in the MOVEit software breach.
- Umpqua Bank faces a class-action lawsuit over the MOVEit data breach that affected 430 K customers.
Impact of Data Breach and Lawsuits
A successful data breach that results in lawsuits can have many negative effects on a business. Organizations will need to deal with brand damage, income loss, compliance violation costs, attorney bills, investigations, law enforcement concerns, and other irreparable damage to business continuity.
IBM’s 2023 Cost of a Data Breach Report shows that the global average cost of a data breach reached US$4.45 M in 2023, a 15% increase over the last 3 years. Detection and escalation costs increased 42% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.
Although the cost of US$4.45 M is an average, many organizations pay millions more to settle consumer lawsuits. For example, the 2017 Equifax data breach settlement had the company agree to a global settlement of up to US$425 M with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states and territories to help people affected by the data breach.
Organizations also launch reputation management campaigns to win back public trust and need a way to recover from these expenses.
Legal Consequences Post a Data Breach
Organizations must adhere to the data protection and privacy rules set out in state and federal laws, contracts, and international statutes, and by regulatory bodies, depending on where the firm is based and the type of business. The following legal repercussions may befall the company if data is compromised or if it disregards recommended security measures:
- Data breach litigation
- Fines and sanctions
- Compensation claims
*Source: IBM Cost of a Data Breach Report 2023
What Should a Company Do After a Data Breach?
The class-action lawsuits and the massive 2023 MOVEit data breach serve as a reminder of the growing significance of cybersecurity and the requirement that businesses implement more robust security precautions to safeguard sensitive customer data. They highlight that businesses may face legal consequences for any negligence or failure to properly protect client information.
A good business reputation might take years to establish, yet it only takes one successful data breach followed by litigation to destroy all customer and stakeholder trust. One of the most damaging effects of cybercrime and lawsuits is customer loss, because most customers will cease doing business with companies that do not protect their data. Small firms are particularly impacted by this: according to industry studies, 60% of SMBs (Small to Medium-sized Businesses) fail within six months of announcing a data breach incident.
Supply Wisdom continuously monitors companies for cyber incidents, cyber-related lawsuits, and other regulatory actions that may harm the reputation and business of their clients/partners. Contact Supply Wisdom today to continuously monitor your third-party risks and stay ahead of disruptions from similar events.