As data breaches have exploded in frequency and scale, it’s no surprise that corresponding lawsuits have also flourished. Do these lawsuits have a common pattern? A recent draft research paper, Empirical Analysis of Data Breach Litigation, takes a look at federal data breach lawsuits to assess the common characteristics.
The findings were illuminating:
- The odds of a firm being sued in federal court are three and a half times greater when individuals suffer financial harm, but over six times lower when the firm provides free credit monitoring.
- The odds of a firm being sued for improperly disposing of data are three times greater relative to breaches caused by lost/stolen data, and six times greater when the data breach involves the loss of financial information.
- Defendants settle 30% more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.
- Plaintiffs seeking statutory damages are not more likely to achieve a settlement.
- The odds of a settlement are 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware.
- While the compromise of financial information led to more litigation, it does not appear to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is most strongly correlated with settlement.
- Only about four percent of reported breaches result in federal litigation.
- Of the federal actions coded, there are over 86 different kinds of causes of action brought by plaintiffs for essentially the same kind of event.
The report hopes that the research will serve as a useful guide to firms trying to determine their chances of exposure to a lawsuit and the likelihood of settlement. Insurance markets might also find the report helpful as a measure for pricing cyber-insurance policies, and plaintiffs and defense attorneys may benefit from its insight into the trends around data breach litigation.