Fed. Judge Approves Settlement, Fees Against St. Louis Firm’s Data Breach

Fed. Judge Approves $232K Settlement and $78K Fees in St. Louis Law Firm’s Data Breach Class Action

On October 16, 2025, U.S. Magistrate Judge John M. Bodenhausen of the Eastern District of Missouri greenlit a $232,500 class action settlement resolving claims against Nahon, Saharovich & Trotz PLC (NST), a midsized personal injury firm with a St. Louis office, stemming from a 2023 cybersecurity breach that exposed sensitive client data. In a dual ruling, the judge also awarded nearly $78,000 in attorney fees to plaintiffs’ counsel, Cole & Van Note—a California-based boutique specializing in data privacy litigation. The approval, in Garbarino v. Nahon, Saharovich & Trotz, PLC (Case No. 4:23-cv-01326), caps a two-year saga highlighting the irony of a law firm defending clients in injury suits while grappling with its own privacy lapses, amid a surge in legal sector breaches (up 25% in 2024 per Verizon’s DBIR).

The 2023 Breach: What Went Wrong

NST, which operates across Tennessee, Arkansas, Mississippi, Missouri, and Illinois with a focus on car accidents, workers’ comp, and medical malpractice, discovered unauthorized access to its internal IT systems on June 28, 2023. An unknown actor exploited vulnerabilities in network servers, potentially compromising records of thousands of clients and former employees. Exposed data varied but included highly sensitive info: full names, dates of birth, Social Security numbers, wage loss details, and general medical records—fuel for identity theft or fraudulent claims. NST notified affected individuals in September 2023 and offered free credit monitoring, but critics slammed the firm’s delayed response and alleged skimpy safeguards, like outdated encryption and unpatched software. No ransomware demand surfaced publicly, but the incident echoed broader trends, with law firms hit hardest by phishing and insider threats.

Lawsuit Launch: Negligence Claims Take Flight

The suit, filed by Missouri resident Susan Garbarino in October 2023, accused NST of negligence, breach of contract, and violations of state privacy laws for failing to secure data despite handling vulnerable personal injury files. Garbarino, whose info was allegedly exposed, sought class certification for all U.S. residents impacted, claiming the firm prioritized billables over cybersecurity basics. Represented by Cole & Van Note’s data breach team, the case argued NST’s lapses caused “imminent risk” of harm, including credit fraud and emotional distress. NST countered that no misuse was proven and they’d mitigated aggressively, but after discovery skirmishes—including subpoenas for internal audit logs—the parties mediated in early 2025, eyeing a pre-trial resolution to dodge escalating costs.

Settlement Terms: Cash, Monitoring, and Injunctions

The $232,500 non-reversionary fund provides pro rata cash payments (averaging $50-100 per claimant, based on claims filed) to eligible class members who submit valid proofs of loss, like identity theft expenses. All recipients get two years of free credit and identity monitoring via Experian, plus reimbursement up to $10,000 for documented out-of-pocket costs (e.g., loan rejections or legal fees). NST also commits to enhanced cybersecurity for three years: annual third-party audits, employee training, and multifactor authentication firmwide—overseen by a neutral monitor. No admission of liability, but the deal bars future suits on the breach. Claims deadline was September 15, 2025, with over 2,000 notices mailed; opt-outs were minimal, per court filings.

Fees Award: A Win for Plaintiffs’ Bar

Judge Bodenhausen rubber-stamped Cole & Van Note’s fee motion under the “percentage-of-fund” method, awarding 33.5% ($78,000) plus $15,000 in costs—deemed “reasonable” given the firm’s contingency risk and 200+ hours logged. This aligns with Eighth Circuit benchmarks (25-40% in privacy class actions) and reflects the niche expertise of lead attorneys like those at Cole & Van Note, who’ve notched multimillion-dollar wins in similar suits. NST didn’t object, signaling relief at closure; the ruling noted the settlement’s “fair, reasonable, and adequate” nature, with no challenges from class members.

Implications: A Wake-Up for Legal Cybersecurity

This modest payout—peanuts for NST’s $29 million annual revenue—nonetheless stings for a firm touting client trust. It underscores law firms’ outsized breach risks: Handling SSNs and medical docs makes them prime targets, with 2025 seeing 15% of U.S. incidents in legal services per HHS data. Experts like privacy prof Danielle Citron hail it as a “template for accountability,” urging ABA ethics updates on tech diligence. For claimants, it’s vindication amid identity woes; for the bar, a reminder: Skimp on cyber insurance or audits, and face the docket’s irony. NST, post-settlement, touted its “proactive reforms” in a client alert, vowing no repeat.

For the full docket or settlement site (claims still open for late filers), visit nstsettlement.com or PACER.

By Satish Mehra
