The OPM lawsuit will only make the lawyers rich

Class-action lawsuits are pursued by lawyers for a reason: They're a great way for them to make a lot of money. Too little of that money is ever seen by the victims, though.

Sensitive data pertaining to millions of people was compromised in the data breach at the U.S. Office of Personnel Management. I suspect that millions of those people smiled when they heard about the filing of a class-action lawsuit against the OPM. They would like some recompense for the incredible hassle that data breach caused them. And they probably want to see the OPM pay for its mistakes. Unfortunately, those smiles are probably about all they will get out of the lawsuit.

Although class-action lawsuits can result in some seemingly very large settlements, the members of the classes in question hardly ever see much money from them. Such lawsuits are essentially a transfer of wealth from the defendant to the attorneys filing the lawsuit. That sounds like cynicism, but it's realism. Because class actions are fairly common and can cover enormous classes of people, you've probably qualified for a payout from at least one of them in the past year. When you looked into it, did it seem worth your time to qualify? If you did bother to be established as a member of the wronged class, did you get any significant amount of money as a result? I seriously doubt it.

Let's take the Target class-action lawsuit as an example. Supposedly, more than 100 million people had their credit cards and personal information compromised in that breach. The credit cards were abused and had to be canceled. People had to contest charges made to their accounts. Naturally, some outraged lawyers decided something had to be done about that and filed a class-action lawsuit. (I'm kidding, of course; if the lawyers were outraged, it was at the possibility of being shut out when Target had to pay up, since other class-action attorneys were fighting to file the cases first and claim their share of the money.)

According to the terms of the Target settlement, $10 million was to be set aside to pay damages to the affected individuals. Does that sound like a lot of money? Not when it's shared out over 100 million people. It amounts to less than 10 cents per victim. Let's say that the number of victims was badly exaggerated, though. Cut it in half, to 50 million, and you're up to 20 cents per victim. Or let's say that only 10% of the victims seek compensation through the lawsuit. Hey, now you're talking real money: $1 per victim. If your only cost in filing your claim was postage, you're ahead, right?

In any case, each member of the Target breach class can be reimbursed for up to $10,000 in damages. In other words, at best you might be made whole, but you can't get anything beyond the compensation; there are no punitive damages. And to claim that money, you have to prove damages with the appropriate paperwork. Your time and aggravation are not reimbursable.

So that's what the members of the class -- you know, the actual victims -- are set to get per the settlement the lawyers arranged. How about the lawyers themselves? Well, they have asked for $6.75 million. Like the victims, they will have to share that payout, and there are five law firms involved. Still, I think it's safe to say that there's nothing like a million lawyers involved (though it always feels that way) -- they'll do much better than 10 cents or a dollar each. But be assured, they won't charge you for helping you get your $1. That's the kind of good-hearted people they are.

Some victims will do better than others. The ones whom the lawyers tracked down to serve as the class representatives had to show up for depositions, and their names were used to facilitate the lawyers in getting their $6.75 million. The attorneys were very generous to these people, requesting that they receive a whopping $500 each for all of their time and trouble.

That could be the extent of the riches that victims could see from the class-action lawsuit regarding the most infamous credit card hack in history, a breach in which thousands of people experienced actual damages. There is no reason to think the class action regarding the OPM hack will turn out any differently.

The filing for the OPM lawsuit makes reference to the Privacy Act of 1974. That act specifies statutory damages of $1,000 per incident. This means that any person who had their data compromised, whether they suffered losses or not, can be awarded $1,000 if it is determined that there was a violation of the Privacy Act. The specter of such a requirement can serve as a powerful inducement for organizations to settle a lawsuit. Think about it. If the case goes to trial and a violation of the Privacy Act is found, the OPM could be held liable for $1,000 per individual in the class action. With potentially 30 million victims in this case, that would come to $30 billion. I suspect most parties to the class action would be happy with that $1,000, but the lawyers are much more inclined to settle. That's how you end up with the law firms raking in millions while the victims gather a few cents.

I have reason to hold such a jaded outlook on this topic. I have talked to attorneys who engage in class actions. One thing that they say to justify their deeds is that such lawsuits are not really about reimbursing the victims, but rather about setting up incentives that can change the processes that resulted in the damages at the root of the lawsuit. They also say that victims who would prefer to hold out for a judgment that actually might compensate the victims are being greedy.

But does the threat of making huge payments in class-action lawsuits actually change any processes? All of the security improvements implemented by Target after the breach were put in place long before the legal settlement. Target reportedly had already incurred $191 million in costs, mostly spent on lawyers. The $10 million supposedly going to the affected consumers was inconsequential, as was the additional $6.75 million earmarked for the lawyers. It's hard to see how the class-action lawsuit had anything to do with any changes in the processes used by Target.

The potential for damage that resulted from the OPM breach is so large that many of us would probably be happy to see that organization called to account and told to pay up a lot of money. But we have to leaven that satisfaction with the realization that most of the money will be going to attorney Gary Mason and his firm, Whitfield, Bryson & Mason. There is also the possibility that a good portion of the money will go to the American Federation of Government Employees (AFGE), a union naming itself as a plaintiff in the class-action case filed by Mason. Watch carefully how much money this group gets for the compromise of your information. As for you the consumer, if you were a victim of the OPM breach, you will get nothing unless you can show damages. And if China was indeed the source of this compromise, as has been reported, you probably won't suffer tangible damages. At best, you can file to receive a piece of the negotiated settlement not allocated to damages. This will likely amount to less than $1.

Finally, keep in mind that any settlement paid by OPM, an agency of the federal government, will ultimately be paid by us, the taxpayers. So if there is a settlement, the net result is that we the people will have basically paid Gary Mason millions of dollars.

Keep smiling. Gary Mason sure is.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site,
