Parker Hannifin has agreed to settle a class action lawsuit related to a March 2022 data breach. As a part of the settlement agreement, the manufacturing company will pay $1.75 million, but it denies any wrongdoing.

Five experts spoke to InformationWeek about the Parker Hannifin data breach, the lawsuit, and the outlook on further legal action related to data breaches.

The Data Breach

Between March 11, 2022, and March 14, 2022, an unauthorized third party gained access to Parker Hannifin’s IT systems. “It is difficult to put together exactly what were the points of failure that lead to this breach, as Parker Hannifin, like so many organizations experiencing these scenarios, have not been very transparent about the specific weaknesses present or the improvements needed to protect themselves from similar breaches in the future,” Asif Savvas, chief product officer and co-founder of identity access management company Simeio, tells InformationWeek.

The breach resulted in the potential exposure of current and former employees’ and dependents’ information, including names, dates of birth, Social Security numbers, addresses, driver’s license numbers, passport numbers, online account information, financial account information, and health insurance information, according to the company’s press release announcing the breach.

The Class Action Lawsuit and Settlement

Joan Migliaccio, the wife of a former employee, filed the class action lawsuit in Ohio federal court on behalf of current and former employees, Top Class Actions reports. Her husband was employed at Parker Hannifin in the 1980s. The company had Migliaccio’s personal information because her husband enrolled in its employee benefits program. The lawsuit alleges the compromise of personal identifying information and protected health information.

The settlement agreement was reached on March 10. Current and former employees have until July 14 to file a claim form, and the final approval hearing is set for Aug. 2. Parker Hannifin will pay up to $5,000 to individuals to cover out-of-pocket losses related to the data breach, according to the settlement agreement.

A Cost of Doing Business?

Companies are charged with safeguarding both consumer and employee information. Yet, breaches happen constantly. In a Form 10-Q filed with the SEC on Feb. 7, Parker Hannifin addresses the class action lawsuit: “Based on our ongoing assessments, the incident has not had a significant financial or operational impact and has not had a material impact on our business, operations or financial results.”

Are class action settlements, like this one, a cost of doing business? Larger companies can absorb the costs of settlements, but smaller companies might have to shut their doors. The global average total cost of data breach is $4.35 million, according to IBM Security’s Cost of a Data Breach Report 2022. The costs of breach notification, regulatory fines, lawsuits, and reputational damage quickly add up.

“How businesses categorize these types of lawsuits ties into the core values of the company and its ethos,” Savvas says. “Companies with a strong ethos look at these types of actions as an opportunity to fix, resolve, and strengthen what is broken to increase employee and customer loyalty by proactively communicating what went wrong and what is being done to fix it.”

The EU’s General Data Protection Regulatory (GDPR) law and the California Consumer Privacy Act (CCPA) focus on protecting individuals’ information. More states are implementing their own data protection regulations. More regulation means more potential for fines and legal action as data breaches continue.

“Organizations have been trying to enhance their cyber policies, but the balance between cost and benefit has been greatly scrutinized,” says Rahul Mahna, managing director at the outsourced IT services team of accounting, tax, and business advisory firm EisnerAmper.

While regulations aim to improve cybersecurity, Rick Borden, partner in the privacy and data security group at law firm Frankfurt Kurnit Klein & Selz, argues that attackers continue to have advantages over defenders. “New technologies that are not yet widely implemented are needed to change the cost differential between attackers and defenders. Otherwise, we will continue to see breaches reported on a very regular basis,” he says.

With rising costs associated with data breaches and continued efforts by threat actors, companies are faced with the prospect of not only prevention but also breach response plans. “Companies should be better prepared on the front-end, not only by trying to stay a step ahead of cybercriminals and beefing up security but also educating employees and minimizing data that they retain regarding past employees,” says Chiara Portner, a member of the corporate practice of Silicon Valley law firm Hopkins & Carley.

If a breach does occur, Cinthia Motley, director of the global data privacy and information security practice group and leader of the business litigation practice group at national law firm Dykema, emphasizes the importance of having cyber insurance. “Companies are typically shocked when class action lawsuits are filed, let alone by their own employees. Not having the right type and amount of cyber insurance coverage in place before such an event occurs can be catastrophic to an organization’s bottom line,” she says.

The Future of Data Breach Lawsuits

Companies are required to protect the information of both consumers and employees, but that responsibility was not always so clear. “In 2018, the Pennsylvania Supreme Court held in the Dittman case that employers have a duty to protect employee information. Prior to that, there were somewhat surprising (to many privacy professionals) arguments that protection of employee information had a different legal standard,” Borden explains. “Even under CCPA, employee personal information was not explicitly protected in the same manner as the information of consumers until this year.”

It is likely that employees will continue to seek legal redress from employers when their personal data is compromised. “The influx of biometric (BIPA) class action lawsuits in Illinois (over 200 in 2022) is a clear indication that employees are not shy to sue their employers for data privacy and data protection violations,” Motley says.

Savvas also anticipates that companies will continue to face class action lawsuits. “It’s easy to see there is a widespread appetite for greater accountability from companies, especially larger organizations and those capable of reducing cybersecurity risk, to protect consumer and employee data, so the landscape seems likely to continue in that direction over the next few years,” he says.

What to Read Next:

Breach Takes Systems Down Across Western Digital

GoDaddy Hit with Multiyear Breach

What's Next for T-Mobile After Yet Another Data Breach?