The Weekly Breach Breakdown Podcast by ITRC - Precedent or No Precedent - S6E7

Show Transcript

Welcome back to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown, supported by Sentilink. I’m James E. Lee, the ITRC’s President, and this is the episode for March 7, 2025. Last month, we talked about how many, if not most, data breach lawsuits are dismissed on technical grounds before they ever get near a jury. This month, we discuss cases that survive a motion to dismiss but still don’t make it to trial because they are settled.

Whether it’s a criminal charge or a civil lawsuit, most cases never go to trial. A Duke University Law School study found that only one percent (1%) of federal civil litigation actually made it to a jury or judge to decide. That’s out of more than 200,000 actions filed with federal courts each year.

Most cases are dismissed, and most of the remaining actions are settled by the parties. Why? Usually, it is for one of two reasons – certainty or fear.

With a settlement, you buy a certain outcome compared to going in front of a jury or a judge, where you can influence but not control the outcome. You always have the right to appeal, but that’s more uncertainty – the bane of any business.

There’s also fear – the fear of losing and creating something that could be worse than losing: precedent. It’s not uncommon in data breach lawsuits with limited case law behind them for the defending party to settle up rather than have a judge or jury reach what they perceive as a bad outcome, becoming the rule that other courts follow.

We don’t know what recently drove two companies to settle their data breach lawsuits. However, here are two good examples of what you see when parties agree to agree these days.

First up is United of Omaha, which is part of the Mutual of Omaha Insurance Group. Here’s one where the plaintiffs did not go to federal court, where there is plenty of precedent for dismissing similar claims. Instead, attorneys for people whose personal information was shared with the insurance company by their employers filed in state court, where the rules are often very different.

Rather than go to trial, United of Omaha has agreed to reimburse the plaintiffs up to $1,500 for out-of-pocket expenses associated with responding to the breach, as well as two years of credit monitoring and identity theft insurance. Victims who do not want the monitoring or insurance can claim $50 cash related to the 2024 breach. The state court is expected to approve the settlement in June.

In a much higher profile action, T-Mobile, the wireless telecom company, will start making payments next month as part of a settlement reached in 2022. T-Mobile will pay $350 million for a 2021 data breach. The company also agreed to invest an additional $150 million in cybersecurity.

In T-Mobile’s case, customers can claim reimbursement for up to $25,000 in out-of-pocket expenses, while others may automatically receive $25. California customers will receive $100. 

In both data breach lawsuits, because a court never ruled that they were liable, the companies denied being at fault or engaged in wrongdoing. 

If you want to learn how to secure your personal or business information to make it less valuable to criminals in a data breach, speak with an expert ITRC expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started. 

Thanks again to Sentilink for supporting this podcast and the ITRC. Please hit the like button for this episode and subscribe wherever you listen to podcasts. If you want to learn more about data breaches and their impact, download the ITRC’s 2024 Annual Data Breach Report here. We will return next week with another episode of the Weekly Breach Breakdown.