Mark A. Olthoff, Shundra Crumpton Manning of Polsinelli PC summarize some issues raised by recent class action decisions:
Very few civil cases ever reach a jury. Nearly every lawsuit is at some point resolved by the court on motion or through settlement. Class action cases are no different, including those filed after data breach incidents. Accordingly, developing a strategy early in a lawsuit timeline is critical – whether to seek an early dismissal or an early out of court resolution. This article discusses a number of developments in the past year impacting class action settlements. And whether a case settles for tens of millions of dollars or substantially less, these recent events should be a part of any settlement consideration.
You can read their article on The National Law Review. The issues they identify are interesting. None of them, though, concern whether a proposed settlement provides adequate improvements or remedies for data security policies or practices that contributed to the data breach.
Should class action settlements be required to provide some cure or improvement in data security if the plaintiffs had alleged negligence or that the breach would have been easily avoidable if only the defendant had [used MFA, patched promptly, insert your favorite best practices here]?
Has any judge ever rejected a proposed settlement because it failed to include some security commitments or improvements?