Safeguarding the Corporate Network Against Breaches through Information Governance

HaystackID
By Phil Favro*

While corporate leaders often view cybersecurity as a technical challenge, contributing author Phil Favro illustrates the legal and organizational dimensions of cybersecurity in this recent article. Favro emphasizes that information governance not only limits exposure in the wake of a breach but also influences litigation outcomes. Courts are increasingly willing to allow breach-related claims to proceed, making governance measures a front-line defense against escalating costs and reputational harm. The Retina Group settlement serves as a timely example of how courts are tying governance reforms directly to case resolution. Encryption, defensible deletion, employee training, and clear security policies are no longer optional; they’re expectations. By investing in governance strategies before a breach occurs, organizations can strengthen resilience and demonstrate accountability when it matters most. This article offers both cautionary lessons and practical guidance for enterprises seeking to align their security practices with today’s legal realities.


Data breaches are dominating the headlines in 2025 and causing a number of difficulties for affected enterprises. Fallout can include bad publicity and brand damage, remedial expenses, and operational uncertainty. Breaches can also breed a culture of fear among employees, particularly for organizations that have not yet adopted measures to address cyber threats.

Significantly, many breaches could be prevented outright, or their impact blunted, if enterprises adopted effective information governance. Information governance measures for security purposes are not particularly difficult to implement. They involve developing upstream practices that improve data safeguards while enhancing downstream responsiveness. Both can help mitigate harm in the event of a breach and reduce the resulting costs, particularly litigation expenses.

Reducing litigation expenses should be a key objective, since breach lawsuits increase both direct costs and opportunity costs for enterprises. In the past, organizations may have been able to evade liability and high legal costs because courts were often skeptical that plaintiffs could state justiciable claims arising from data breaches. Judges now seem more receptive to such claims. As breach lawsuits survive motions to dismiss and proceed into discovery, companies are increasingly looking to settle. A recurring feature of these settlements is a commitment to increased cybersecurity awareness and enhanced security measures.

A recent settlement involving a healthcare provider from the Washington, D.C. area exemplifies this trend. In In re Retina Group of Washington Data Security Incident Litigation (Retina Group), a Maryland federal court approved a data breach litigation settlement that requires the defendant provider to implement governance measures to harden its security posture.[1]

And yet, organizations need not be sued to learn these lessons. Instead, they can proactively harden their corporate networks against breaches and insulate their business operations, employees, and clientele from many aspects of the resulting harm.

Litigation Trends

Courts have increasingly allowed data breach lawsuits to move forward in recent years. In general, they have recognized that plaintiffs can allege common law claims of negligence against organizations that have suffered breaches. For example, in the context of breaches that result in unauthorized disclosures of employee information, “numerous courts . . . have recently recognized an employer’s duty to safeguard its employees’ sensitive personal information.”[2]

In the employment arena, claims that survive legal scrutiny typically allege that an organization had a duty to protect sensitive personally identifiable information (PII) or protected health information (PHI) belonging to employees based on the nature of the employment relationship. The affected individuals then allege that the organization failed to implement standard procedures that would protect against misuse of that information through cyber-attacks or other breaches of corporate systems, allowing sensitive PII or PHI to be exposed.[3]

Courts have likewise concluded that consumers can plead cognizable claims when they allege actual injuries arising from a breach. They must also show a logical connection between the harm they allegedly suffered (e.g., risk of identity theft, loss of privacy, out-of-pocket expenses, and lost time spent dealing with the breach) and the breaching organization’s alleged failure to take reasonable steps to safeguard their PII or PHI.

With courts often allowing breach lawsuits to proceed into discovery, organizations have turned to quick settlements to foreclose additional legal expenses and the possibility of a higher settlement value. The settlements typically do not include an admission of wrongdoing by the organization. Nevertheless, settlements often memorialize procedures that organizations must adopt going forward—suggesting they were previously lacking—to ensure their security measures are in line with industry standards or recommended practices. The Retina Group case is instructive on this issue.

Retina Group of Washington Breach Litigation and Resulting Settlement

In Retina Group, the defendant, Retina Group of Washington (“RGW”), allegedly experienced a breach in October 2023 when hackers apparently penetrated its corporate network and stole records containing PHI and PII for approximately 450,000 RGW patients. According to the complaint, the stolen data included patient names, Social Security numbers, driver’s license information, payment information, and health insurance details. The complaint also alleged that RGW failed to implement reasonable security measures “such as encrypting the information or deleting it when it [was] no longer needed.”

RGW patients brought various lawsuits against the organization, with the matters eventually consolidated into a single putative class action against RGW. After filing its motion to dismiss, RGW negotiated with the plaintiffs a settlement of their claims. The court just approved the settlement on July 25, 2025, and awarded attorney’s fees to the plaintiffs. Key provisions of the settlement include payments to class members in the amount of $300, along with additional compensation for time spent addressing breach issues, plus two years of “credit monitoring and identity theft monitoring services.”

In addition, RGW apparently agreed to implement “certain business practice changes and remedial measures” as part of the settlement. According to a website established to apprise class members of their rights pursuant to the settlement, the specific procedures that RGW agreed to put into place within 120 days of the settlement’s effective date include the following:

  1. Develop a “written information security policy” and mandate that employees “acknowledge receipt and review of its written information security policy;”
  2. Implement a mandatory cyber-security education program including training for new hires, annual training for existing employees, and “periodic training updates . . . to address new information security issues and trends;”
  3. Prepare a written policy requiring password complexity corresponding to an employee’s access to sensitive data; and
  4. Conduct recurring audits of company policies affecting data security to determine whether updates should be enacted to address “legal requirements and industry standards.”

The court opined that these procedures offered class members an additional benefit, since they would ostensibly help protect RGW patients from future data breaches.[4]

Safeguarding the Corporate Network with Information Governance

There can be little doubt regarding Retina Group’s conclusion that the above-referenced procedures will benefit class members. But the company itself—and other organizations—stand to benefit as well after implementing these measures. With enhanced technological features, written security policies, periodic employee training programs, and mandatory compliance with those features, policies, and programs, organizations can educate their workforce and reduce ignorance surrounding breach risks.

Lest there be any doubt, ignorance remains a key gateway that intruders exploit to breach the corporate network. In addition to countless anecdotal reports, this fact is confirmed by a recently published U.K. government report. The report observed that most ransomware attacks transpire because organizations and their employees have little understanding of the risks of ransomware. In that same report, the U.K. government highlighted the role of “phishing scams” in allowing cyber criminals to gain access to sensitive company information. In other words, cyber-attacks thrive on ignorance. Educating the workforce on cyber threats, coupled with basic technological protocols like password complexity and the other measures Retina Group highlighted, can enhance an organization’s security profile.

Not to be overlooked are the two measures the Retina Group complaint identified as lacking: encrypting sensitive information and eliminating corporate data once its usefulness has ended. Encryption—both for data in transit and at rest—has been a recommended practice for well over a decade now. Security experts have likewise encouraged organizations to implement defensible deletion programs for at least as long, and particularly since the so-called Sony Hack in 2014. Both measures are also core components of an information governance program for organizations subject to the EU General Data Protection Regulation, the California Consumer Privacy Act, and other data protection and privacy regimes.

Taking these and other governance measures can improve an organization’s security. To be sure, there is an upfront cost to these enhancements. Nevertheless, savvy enterprises will authorize budget for these improvements, understanding that taking the long view on data security has the potential to yield a substantial return on investment. With governance measures in place, organizations will likely be better prepared for future cyber-attacks that are certain to target their corporate networks.


Assisted by GAI and LLM technologies.

SOURCE: HaystackID

[1] See In re Retina Grp. of Washington Data Sec. Incident Litig., No. DKC 24-0004, 2025 WL 2030241 (D. Md. July 21, 2025).

[2] Savidge v. Pharm-Save, Inc., No. 3:17-CV-186-CHB, 2025 WL 964446, at *8 (W.D. Ky. Mar. 31, 2025) (denying in part defendant’s motion for partial summary judgment and allowing plaintiffs to pursue certain putative class claims arising from an alleged data breach).

[3] See Ramirez v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023) (finding that plaintiff stated a negligence claim under Georgia Law after concluding plaintiff pleaded a special relationship between himself (and putative class members) and his former employer, “a foreseeable risk of harm” that arose from that relationship, and the reasonable foreseeability of a ransomware attack since defendant allegedly did not implement adequate security measures).

[4] Retina Grp., supra, at 2025 WL 2030241.

*Favro Law PLLC
