Orrick Secures Approval for $8 Million Settlement in Breach of Contract Case

Orrick, Herrington & Sutcliffe LLP has reached a substantial settlement agreement of $8 million to resolve claims stemming from a data breach that occurred in March 2023. This breach reportedly compromised the personal information of approximately 153,000 individuals, raising significant concerns about the law firm’s cybersecurity practices.

The US District Court for the Northern District of California, presided over by Judge Susan Illston, approved the settlement during a hearing held on Friday. Judge Illston expressed appreciation for the efficient handling of the case, stating that an official order concerning attorneys’ fees would be forthcoming. This development marks a critical step for both the plaintiffs and Orrick as they seek to address the repercussions of the significant cyber incident.

The legal action against Orrick was initiated last year through a series of complaints that accused the firm of neglect in implementing adequate security measures to protect its computer systems. This lapse is said to have facilitated a breach that exposed sensitive data, including names, addresses, dates of birth, and Social Security numbers of the affected individuals. Four of these complaints were ultimately consolidated into a single case in December.

In May, Judge Illston granted preliminary approval for the settlement, which requires Orrick to contribute $8 million to a non-reversionary settlement fund. Legal representatives for the plaintiffs have sought a 25% cut from this settlement for attorneys’ fees, citing the favorable outcome achieved within a relatively short timeframe.

Members of the affected class are entitled to several forms of compensation, including cash payments of up to $2,500 for out-of-pocket costs, $7,500 for extraordinary losses, and additional hourly compensation for time spent addressing the implications of the breach. Furthermore, individuals can access three years of complimentary credit monitoring services, aimed at mitigating the risks associated with identity theft.

Since the announcement of the settlement, plaintiffs’ attorneys have reported receiving tens of thousands of claims, indicating an ongoing influx as affected individuals respond to the breach. The legal teams representing the plaintiffs include Green and Noblin PC and Federman & Sherwood, while Orrick is defended by Alston & Bird LLP.

This case exemplifies significant vulnerabilities that organizations face regarding data protection, emphasizing the need for robust cybersecurity measures. The tactics employed in the breach may align with the MITRE ATT&CK framework, potentially involving techniques such as initial access through phishing or exploitation of vulnerabilities, as well as persistence methods that allowed attackers to maintain their foothold within the systems. The implications of such breaches highlight the critical necessity for businesses to prioritize cybersecurity protocols and safeguard sensitive information.

This litigation, referenced as In Re: Orrick, Herrington & Sutcliffe, LLP Data Breach Litigation, has attracted attention in the context of ever-growing cybersecurity threats, illustrating the ramifications that can arise from inadequate security practices. With the settlement hearing slated for November 8, 2024, businesses are urged to remain vigilant and consider the lessons learned from this incident as they navigate the complex landscape of data protection.
