
EP 76: Implications of denial of class certification in data breach cases


About this episode

March 30, 2021

What does it mean for cybersecurity professionals trying to create defensibly reasonable cybersecurity programs if a data breach lawsuit is filed against their employer and it fails to gain class certification? Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group.


Episode Transcript

Kip Boyle: Hi. I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly cyber risk management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text, they put clickable links in for all the resources, and they create the best look and feel for each episode.

Jake Bernstein: And finally, we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to That's the letter B dot L-I-N-K forward slash C-R-M-J.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now on with the show.

Voiceover: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity council is Jake Bernstein. Visit them at and

Kip Boyle: Hey, Jake. What are we going to talk about today?

Jake Bernstein: Good morning, Kip. Today, we're going to discuss the ... Apparently, I'm having a hard time getting going, but we're going to discuss the denial of class certification in a data breach case and what that means for cybersecurity professionals who are trying to create defensibly reasonable cybersecurity programs.

Kip Boyle: All right. All right. Good.

Jake Bernstein: Yes. And I will state clearly that, yes, this is one of those legal episodes, but I think it's a really important one for a couple of reasons. First, and Kip will talk about this, but as you know, from personal experience, class certification is a crucial point for class action lawsuits, and it's really the make or break moment for any kind of data breach class action. And if a case fails on class certification, what that really means is that you're not going to have the numbers to justify keeping the case going. It's too expensive to litigate for a one-off plaintiff. And so what happens is they settle quickly and usually take big losses, particularly when the plaintiff's lawyers have been funding the litigation.

Kip Boyle: Yeah. There's so much in what you said that if we had done this episode maybe even, yeah, I think about a year ago ... If we'd done it a year ago, certainly two years ago, I probably would've been a lot more lost.

Jake Bernstein: Lost?

Kip Boyle: Yeah. Yeah, yeah, yeah. But what happened over the last year and a half is I served as an expert witness in a case. And it was just what you described. So there was a data breach, and it concerned protected health information. And there was a law firm that filed the complaint, started the lawsuit, and they were seeking class action status for the case. And I was looking at the evidence and writing a report, and we worked on it for ... It was a year.

Yeah, just over a year I worked on this, and many hours each month, and it all ended rather whimperingly with a settlement. And I found out that the law firm had spent far more money pursuing the case than they settled for. So as an expert, I'm not really bothered by the way that the case turned out because it's not my job to be rooting for one side or the other. But as a cyber professional, I just found it fascinating, sobering, and quizzical. I just had this big question mark over my head. I'm just like, "Well, what about the patients? What about their data?" Yeah, it's crazy. And so I love the idea that we're going to dig into this a little bit, because expert witnessing aside, I just think that this is something that cybersecurity professionals and cyber risk managers should know more about.

Jake Bernstein: Exactly. And that was my feeling as well. And I think the goal here isn't to turn cyber risk managers into class action experts. Let me rephrase that: into experts on class action law. By all means, if you have the opportunity to serve as an expert witness, you should do so. You'll learn a lot. Right, Kip?

Kip Boyle: Yeah, yeah. For sure. You will learn an awful lot about how these lawsuits actually proceed. And to be clear, expert witnesses are paid a very good rate for their services. So there's certainly that. And-

Jake Bernstein: And I think-

Kip Boyle: And you don't ever have to do it again, if you don't like it.

Jake Bernstein: That's true. And I think the interesting thing is I think you'll be challenged to think about cyber risk in ways that you probably don't normally think about it. And I think that is also valuable.

Kip Boyle: Yeah. Well, let's keep going with the episode here. So could you please tell our audience, and I'm going to do this to you several times, I suspect, in the episode today where I'm going to ask, "Could you clarify this term or that term," and let's start with the term, "class certification," because I got to admit, I'm still a little bit fuzzy on class certification.

Jake Bernstein: Sure. So class certification is a civil procedure rule. It's a process by which the individual representative plaintiffs, in other words, the people who are individually named, are-

Kip Boyle: So if there's 25 people whose data gets breached, it's 25 people.

Jake Bernstein: So that would-

Kip Boyle: 25 plaintiffs.

Jake Bernstein: Sort of. It's actually more like let's say that 50,000 people are part of a breach, but you and me are the ones who actually sue. So it'll be Boyle and Bernstein, which actually sounds like a law firm, will be-

Kip Boyle: I'm not going to law school.

Jake Bernstein: No. It would be Boyle and Bernstein versus Data Breach Victim. And we would be the individually named plaintiffs. Now, what we want to do is we want to be able to represent the whole class, all 50,000 people.

Kip Boyle: Oh.

Jake Bernstein: And that is what class certification is for. It's to allow you and I to represent the entire class of injured people. And it's really this that is what really makes a class action different from a typical lawsuit.

Kip Boyle: Well, as somebody who studied computer science in school, I can't help but to notice that a class, and I hope I'm remembering this right because I haven't done it in a long time, but in object-oriented programming, you have classes also. And it-

Jake Bernstein: That is true.

Kip Boyle: And it defines a group, right? And so it's interesting the intersection there. Sorry. Keep going, please.

Jake Bernstein: Yeah. So much like object-oriented programming, there's a lot of really technical civil procedure involving or surrounding and dealing with class actions. And I have to admit, this is one of the areas of law that I haven't done a lot in. So I'm not an expert, though I'm more than passingly familiar, having been involved in some of these cases over the years. So let's dig in here and say that this is all based on the federal rules of civil procedure. There are state versions, most of which are just direct copies of the federal rules. And basically, certification is going to require that the class action certify four prerequisites in Rule 23A, and then one of three different scenarios, at least one of three different scenarios from Rule 23B. And I'm going to use those numbers because it's difficult to discuss this without referring to them.

Kip Boyle: Yeah. And a little shorthand would help, right?

Jake Bernstein: Yeah, exactly.

Kip Boyle: Okay. So, okay. So there's two rules. Let me just recap. 23A and 23B, and these are the rules that judges are using to determine whether it's a class or not. Is that right?

Jake Bernstein: Yes. Yeah. Basically, Rule 23. So yeah, that's right. And it'll help if we just dig into this, so-

Kip Boyle: Yeah. Let's do it. And good thing it's a podcast, everybody, because you can always pause and rewind.

Jake Bernstein: That's right. Okay. So first, 23A, these are the four absolute requirements. If you don't have any one of these, then you don't get to be a class, or to phrase that differently, you must have all four. And these are the bar exam style class action components, and they are numerosity, commonality, typicality, and adequacy of representation.

Kip Boyle: I'm in law school already.

Jake Bernstein: Now those are some awesome jargony words there, but they're not difficult to understand when you take a moment. So first, numerosity is actually really simple. The class simply has to be so numerous that joinder, which is just the idea of bringing different people into the lawsuit, is effectively impossible. So what numerosity means is there have to be a lot of people.

Kip Boyle: Which is why I said, if we had 25 plaintiffs and you corrected me earlier and said, "No, more like 50,000."

Jake Bernstein: That's right. 25, I mean, you could easily bring a normal lawsuit with 25 plaintiffs. It would be slightly annoying, but not really. That's no big deal. 50,000 on the other hand, that's a class action for sure. And just to skip ahead, there were about 16,000 people involved in the case that we're going to be discussing, and that met numerosity just fine. So that's the first one. Commonality, this one's also pretty logical. The claims presented must have common questions of law or fact so that if we determine or answer these questions, that will pretty much resolve the issue for all class members. And this makes sense, right?

Kip Boyle: Yeah, that's very straightforward. Yeah. It's very straightforward.

Jake Bernstein: Very straightforward. And it's logical, right? How can you have a class action if everyone's got different issues? It doesn't make sense.

Kip Boyle: Yep. And as the non-lawyer in the room, I get it. I'll just say I get it.

Jake Bernstein: Yep.

Kip Boyle: Makes sense.

Jake Bernstein: Now typicality, I think it gets a little confusing here between commonality and typicality. But typicality just means that the claims or defenses of the representative parties, which means you and me, are typical of the claims or defenses of the class. So it's related to commonality, but what this is saying is the named plaintiffs, so going back to our example, if you and I are trying to represent a 50,000 person class, in order to meet typicality, our claims have to be typical of everybody.

Kip Boyle: Hmm. Got it.

Jake Bernstein: Also, if you think about it, pretty logical, because if you want to be a class representative, you probably need to have the same basic issues to deal with.

Kip Boyle: Right. Yeah, yeah. And in object-oriented programming, a class is a set of the same thing, right? Highly common identical objects that have the same parameters. They're just clones of each other.

Jake Bernstein: Exactly. So again, that would make sense. Typicality is really a question of the suitability of the named plaintiff, and that's rarely at issue, to be honest. And the same is true of the last one. Adequacy of representation basically just says, "Hey, are the plaintiffs and their lawyers good enough to provide an effective representation to the class as a whole?" And this actually does go into the experience and skill level of the lawyers. So if you're-

Kip Boyle: Oh, interesting.

Jake Bernstein: If you're a first year lawyer who graduates law school and you go out and hang up a shingle, as they say, and you try to represent a class of two million people involved in a highly technical, some type of toxic tort or big data breach, you may actually struggle with adequacy of representation. Rarely that's a problem because usually class actions are brought by experienced law firms.

Kip Boyle: Okay. But it is a criteria.

Jake Bernstein: It is a criteria. So not many cases are won or lost on these four issues. But even if you meet all of them, you still have to meet one of the three 23B scenarios. And we're not going to go through those because they're a bit longer, but suffice to say, two of them are important. 23B3 is the class that seeks monetary damages. You care about this, right? Because the whole point of bringing a class action is to kind of-

Kip Boyle: Make them pay?

Jake Bernstein: Aggregate the damage. Yes. Aggregate the damages so that it's worth bringing the case.

Kip Boyle: Okay.

Jake Bernstein: And 23B3 requires predominance and superiority, which I'll talk about in a moment. And then 23B2 is injunctive relief. That's where you get to say, "Hey, you have to do this or not do this," and this one is pretty straightforward. It requires that the defendant acted or refused to act on grounds that apply generally to the class. So even though all of this sounds really complicated, it all boils down to fairly logical questions of commonality and making sure that this class is meaningful enough that we can go ahead and basically take a shortcut because you may be thinking, "Couldn't you just litigate this case 50,000 times?" You could. You totally could, right? There's nothing stopping you from doing that. The problem is it's very, very inefficient.

Kip Boyle: Okay. Okay. Yeah. And that makes sense. Okay. So just to summarize, so in order to become certified as a class, a case has criteria that it needs to meet. And there's two rules, and one of the rules, the 23A rule, has four things that all have to be satisfied. And then there's a 23B rule that we touched on a little bit.

Jake Bernstein: And there's more rules. I mean, this is a simplified version of it, but it's sufficient for this discussion.

Kip Boyle: Okay. Okay. How about if we move forward, because if anybody wants to get more clarity on these terms, again, just listen again, because I think, Jake, you've done a good job of putting some clarity in here. And the reason why we're doing this, by the way, dear audience, is because we're going to talk about a specific case, and these concepts that we've just covered are necessary to understand that.

Jake Bernstein: Yeah, and they're necessary, I think, too, because, quite honestly, most cyber risk managers have probably never heard these rules before.

Kip Boyle: Yeah.

Jake Bernstein: And the simple fact is that one of the largest legal consequences of a data breach or security failure is the class action lawsuit. And because of that, as a cyber risk manager, you should at least be familiar with these concepts so that ... You don't want the class action to be a black box of fear as you manage cyber risk. And it's not. It doesn't need to be. This is understandable.

Kip Boyle: Yeah. And I also like the ability, even not being a lawyer, to be able to say to a senior decision maker, "Hey, we need to pay attention to this here because this could become a class action lawsuit, and here are some of the implications of that," because there's a practical side to all of this-

Jake Bernstein: There is.

Kip Boyle: ... that needs to be managed, right? And so it's good for us to know what that is.

Jake Bernstein: Yep. So why don't you go ahead real fast, because I gave you a nice script, and tell everyone what predominance and superiority means briefly. And then we'll dig into the actual case.

Kip Boyle: Okay. So predominance occurs when questions common to the class members predominate over questions affecting individuals. And what that means is that the questions that most class members care about are more numerous or more significant to the resolution of the case than the questions specific to individual plaintiffs. Did I get that?

Jake Bernstein: You did. And let's go back to the Kip and Jake versus some data breach victim.

Kip Boyle: Okay.

Jake Bernstein: So what that means is that out of those, now we're looking at the whole class, the 50,000 members of the class predominance is going to say, "Okay, what caused this data breach?" It's all the same question, right? Because more than likely, the cause of the data breach, we're all affected by the same thing. And so that's a simple example of what predominance means.

Kip Boyle: Okay. And superiority is asking the question about whether a class action is the best way to litigate the case, and judges love to create multifactor tests that require balancing and weighing concepts and facts. And I think that's probably, even though we've got clear rules, I don't know that an artificial intelligence system is going to be able to make decisions, because it's squishy, right?

Jake Bernstein: It's very squishy. And these different balancing tests, sometimes they can even be different by which state or circuit you're in. So again, it's not about becoming an expert in this. I do find, too, that computer scientists, IT folks, a lot of people who go into cybersecurity are generally those who like clear answers, right? And I think people who go to law school hoping for clear answers do have a tough time, whereas philosophers, people who, frankly, I was a philosophy major, often do quite well because we're already preconditioned to accept that there is no answer. There is no clear answer. There's no necessarily right or wrong.

Kip Boyle: You're dwelling in a gray zone all the time.

Jake Bernstein: Exactly. Okay. So-

Kip Boyle: So can we talk about the actual case?

Jake Bernstein: Yeah, yeah. So the superiority thing, there's a bunch of factors that go into that as well, but we're not going to talk about that. So first, the case. McGlenn versus Driveline Retail Merchandising, Incorporated. This is a case about an employer who has been sued by a class of employees for the employer's loss of sensitive tax information and other data. This is a tale as old as time, Kip. The employer got hit by a phishing attack that resulted in almost 16,000 W2s being sent to the bad guy, who had posed as the company's CFO. Not a sophisticated attack. Pretty common.

Kip Boyle: Yeah. Very common. Okay. And so just unpack this a little bit more. So the plaintiff, and that's McGlenn, right? Okay, so the plaintiff, McGlenn, alleged that the employer's actions allowed the thieves to then file fraudulent tax returns, to file for unemployment benefits, and to apply for other jobs using false identity because the social security numbers were disclosed. So the data breach resulted in a long tail of more fraud and crime. And then plaintiff McGlenn also said that there is additional risk of the stolen information being used to obtain driver's licenses, government benefits, medical services, housing, on and on and on and on, right? So this long tail of fraud can just keep going and going and going. And if I'm McGlenn, I'm like, "This is a lifelong cleanup job on my credit file and so forth," right? So it's a pretty standard data breach situation, right?

Jake Bernstein: It is. And maybe in some ways almost too standard, but there are some interesting things here to talk about. So first, the phished employee actually testified that she had received no training at all that would've aided her in spotting the phishing email, nor had anyone told her about this W2 phishing scheme that's so common, as we know. And it probably goes without saying, but none of those W2s were password protected or encrypted. And if you think about what's on a W2, that's a lot of information. I mean, if there was a single document that is really a gold mine of information for bad guys, a W2 would be it.

Kip Boyle: It's a master key to somebody's identity.

Jake Bernstein: It can be. I mean, the only thing worse would be W2 plus a couple of medical records, and that would really do it. But anyway, in this case, McGlenn, the named plaintiff, her personal information was used to open a new credit card account with Capital One. So this actually happened. And she complained that it took her 10 hours to close the account, to resolve and mitigate the issues arising out of the misuse of that personal data, and she also listed a whole bunch of other stuff. Time spent monitoring her credit, the emotional distress and anxiety resulting from it, all the issues that you talked about, and there is a laundry list of harms. Now you can probably already see there's going to be a problem. When I keep saying, "potential harm," we've talked about this before. So why don't you say, Kip, what's the issue with that?

Kip Boyle: Yeah. Well, so the issue is all rolled up into the word, "speculative," which is to say, not concrete enough, right?

Jake Bernstein: That's right. You got it. And it's still a problem for these types of lawsuits. However, and this is something that's really important for our audience to understand, it matters where you live. This case was brought in Illinois. Everything about it was an Illinois issue, and there is nothing like the CCPA in Illinois. In fact, there isn't even a common law duty to safeguard employee information. The only duties under Illinois law are a data breach notification statute. That's it. So lesson number one here is don't bring data breach class actions in states where the law isn't in your favor.

Kip Boyle: Well, that argues against the attorneys as being seasoned enough, right? Because they should have known.

Jake Bernstein: Well, here's the thing is that different courts come down on this in different ways, and it's not always easy to predict exactly which way a case is going to go. I mean, if you just take a step back and you just look at the basic facts, employer failed to train its employees, they got phished, and they lost 16,000 W2s. I think you and I, at least, would look at that and be like, "Yeah, there should be some liability there." And I think there should be, right? I think there should-

Kip Boyle: Especially given the things that you said, that there was no training.

Jake Bernstein: Yeah, exactly. I mean, the defendant here just didn't do very much. It was not good enough.

Kip Boyle: Not practicing reasonable cyber security.

Jake Bernstein: I would argue they were not. So let's get back to why class certification failed, specifically. We could have just-

Kip Boyle: Yeah, and the implications.

Jake Bernstein: And the implications. And this is the whole reason we spent so much time at the beginning-

Kip Boyle: Setting it up, yeah.

Jake Bernstein: ... setting it up is that I could just say, "Well, and the class certification motion was denied." But that's not going to teach anybody anything.

Kip Boyle: Right.

Jake Bernstein: So first, okay. Out of the four 23A requirements, numerosity, typicality, and adequacy were all fine. They were all met. Obviously, there were enough people, those claims were typical, and in this case, there was no issue of lawyer adequacy. And you expect that. Obviously, they lost, but they certainly didn't start the case assuming they would lose. So commonality, however, was at issue. And the court basically said, "There's no commonality."

And that's because the court was really focused in on these individualized issues on causation, injury, and damages, basically saying that, "Okay, McGlenn, you had to spend a bunch of time dealing with this credit card that got opened up and these other issues, but what me, the judge, I don't think that was common enough across the class. In other words, it happened to you, but that doesn't mean, and there's no reason to believe that it happened to all 16,000 people." That's lethal to class certification.

Kip Boyle: Okay. Interesting. I can see there's going to be quite a few takeaways for our cyber risk managers by the time we're done. Okay. All right. So let's think for a moment here. So the court rejected certification under 23B2, and I'm troubled because-

Jake Bernstein: And just to review, 23A is the four, and then you still have to meet at least one of the 23B rules, and 23B2 is the one for an injunction. And why would you want an injunction? Well, for this type of thing, you would hope that the lawsuit would force the company to take reasonable steps to protect data, right? Isn't that what you would want?

Kip Boyle: Yeah, yeah. Definitely. Well, if I was the plaintiff-

Jake Bernstein: But the court said no. And the court said no because the data had already been lost. So there was no way, in other words, and this gets to a lot of specific issues with civil procedure and lawsuits, and we're not going to get into a philosophical legal debate here on this stuff, but basically-

Kip Boyle: That's good.

Jake Bernstein: ... the court focused on the information of the plaintiffs that had already been lost and wouldn't consider the future at all. Maybe that's normal, maybe it's not. It is troubling. But to boil this one down, I think it's simply a lack of law. Illinois doesn't have laws in place to protect against this stuff. So I think that we can basically chalk it up to a local issue there.

Kip Boyle: Yeah. The practicality of this situation just isn't really even coming into the situation, is it? I mean, yeah, that data's gone. Those 16,000 records are disclosed, but there could be more. And the fact that this employer isn't practicing reasonable cybersecurity suggests that they're at risk for more data breaches or different types and so forth. And yeah, it's fascinating to me that a judge could rule that that's not material, that it doesn't matter. Yeah. I mean, just as a layman, I'm just like, "What?"

Jake Bernstein: Well, and I think, too, the problem here is that the lawyers there should have been able to argue more successfully. I think that, "Hey, look, these 16,000 employees, they didn't all quit after this, right? And if you don't provide injunctive relief, this could happen again, and they could suffer more harm." That's the tactic I would've taken and who knows why they didn't.

Kip Boyle: Okay. Wow. Okay. Well, I guess one of the takeaways from this is, I'll just repeat something you said, which is it really matters which state you are operating in and which state you receive a lawsuit in. It really matters. And people moving out of California, maybe that's one of the things that, not people, but companies ... I've been reading news stories about companies that are relocating their headquarters out of California into other states. And I don't know, I mean, maybe as a cyber risk manager-

Jake Bernstein: [crosstalk]

Kip Boyle: No, but maybe as a cyber risk manager, maybe there is some advantage in having your company headquartered somewhere other than California.

Jake Bernstein: Well, and I mean, it depends on what your thinking is. If you're a cyber risk manager and you want to manage cyber risk because that is what you do, and you want support for it, I think it's important to understand this stuff, because if you're in a state where this type of thing can happen and the class action is going to fail, you don't have that as a motivating factor for the senior decision makers. And so I think that's pretty common. And just to wrap up this discussion here, the court also rejected the plaintiff's request for class certification under Rule 23B3, which is about money damages. And that really just goes back to the commonality issue.

And they said, "Hey, the common questions of law, in fact, did not predominate over individual questions," which of course is what you'd expect if there's no commonality. I think this is an interesting issue for cyber risk managers to at least hear about, because once you demystify the class action, it allows you to look at the facts and realize, "What makes us vulnerable to class actions, and how do we defend against that?" And if you can do that, then by definition, you're actually being a better cyber risk manager, because if you're-

Kip Boyle: Well, I actually think a lot of my colleagues, and if I was in the situation, I think this comment that I'm about to make would apply to me as well, but a lawsuit like this, let's say I worked for the defendant and I was their chief information security officer. My goodness, would I be conflicted, right? If I was the CISO for Driveline Retail Merchandising, Incorporated, on the one hand, I'd be like, "Okay. Well, I've got a duty to help my employer defend itself in this lawsuit."

But then on the other hand, I would be thinking to myself, "But the ethics of this, right?" I mean, just as a cyber risk manager, as a cybersecurity professional, possibly as a CISSP holder, who has made an oath to behave ethically, I might feel conflicted because I might think that, "Well, my employer didn't do what they were supposed to do. I have records showing that I told them that we should train people and they decided not to do it."

Jake Bernstein: Yep. And that's a really interesting point. We could probably spend an entire future episode talking about that. It comes up a lot when you discuss the so-called professionalization of cybersecurity. Being a lawyer, with great power comes great responsibility, but also rules.

Kip Boyle: Isn't that Spider-Man?

Jake Bernstein: I think it is. I can also say phenomenal cosmic power, but itty bitty living space, if we want Aladdin. But my point is that when you become an officer of the court, you take an oath. And though that gives you certain powers and abilities and authority that non-lawyers don't have, it also comes with constraints and rules in your freedom of action, right? You can't do certain things. You've got the ethical rules of, or depending on what state you're in, in Washington, they're the rules of professional conduct ... Sorry, that's not right. Rules of professional responsibility. I'm blanking on it.

Kip Boyle: RPC, right?

Jake Bernstein: Yeah. RPC. It is rules of professional conduct. They have different names across the country, but that's the bottom line. And with the CISSP, one of the things that differentiates that as a certification is those ethical rules that come along with it. And so it's a really good point, actually, Kip. What do you do if you find yourself in this situation? How do you handle it?

Kip Boyle: Yeah. And conceptually, this situation, while we're talking about it in the context of a lawsuit, actually this situation can come up in other contexts as well. Because just in a previous episode, we talked about, "What does it take to negotiate a data security addendum that your giant customer has put in front of you and expects you to sign?" And I have felt conflicted in that situation, too, because on the one hand, again, I'm like, "Well, I need to help my employer negotiate the best possible terms in this contract," but while I'm doing that, and I've got my digital red pen in my hand and I'm scratching out terms in the contract as being like, "This isn't reasonable for us and blah, blah, blah," and I'm thinking to myself, "Man, I wish we could do that."

So it could be a very conflicting experience for us, not just in the context of a lawsuit, but yeah, yeah. Well, that's why I'm glad we're doing an episode like this to put these things on the table. And you talked about the professionalization of cyber risk management and cybersecurity management. And I keep thinking about CPAs. When I think about, "What will our profession turn into if we professionalize and if there's state licensure requirements and that sort of thing," I think about CPAs because I think they're the closest other professional that is licensed in-

Jake Bernstein: And doctors. I mean, doctors are a really big one.

Kip Boyle: Yeah. But doctors and lawyers have to go through a lot more schooling.

Jake Bernstein: That is true.

Kip Boyle: So I think of CPAs because they don't have to go through quite as much schooling. So I'm just trying to come up with another profession that requires a similar amount of preparation and that sort of thing. Then the other thing I think of is, well, hairdressers actually have more licensing requirements than we do.

Jake Bernstein: So yeah, and you have to draw a distinction between a profession and just a job that requires a license to do, and that's public health. But that is the point. And I do think we should have an episode on the professionalization of cyber risk management, but I think we have hit our time for this particular episode.

Kip Boyle: Yeah. Yeah. We really appreciate everybody hanging in there with us. But we do want to bring this to a conclusion. So let's wrap it up. You've been listening to another episode of the Cyber Risk Management Podcast. And what did we do today? Well, today we discussed the denial of class action certification in a very specific data breach case, and we talked about what did it mean to cybersecurity professionals who are trying to create defensibly reasonable cybersecurity programs, and sometimes how that can feel like a very conflicting thing to do. So thanks for being with us, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Voiceover: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at and Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.