As data breaches have exploded in frequency and scale, it’s no surprise that corresponding lawsuits have also flourished.  Do these lawsuits have a common pattern?  A recent draft research paper, Empirical Analysis of Data Breach Litigation, takes a look at federal data breach lawsuits to assess the common characteristics.

The findings were illuminating:

1. The odds of a firm being sued in federal court are three and a half times greater when individuals suffer financial harm, but over six times lower when the firm provides free credit monitoring.
2. The odds of a firm being sued from improperly disposing data are three times greater relative to breaches caused by lost/stolen data, and six times greater when the data breach involves the loss of financial information.
3. Defendants settle 30% more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.
4. Plaintiffs seeking statutory damages are not more likely to achieve a settlement.
5. The odds of a settlement are 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware.
6. While the compromise of financial information led to more litigation, it does not appear to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is most strongly correlated with settlement.
7. Only about four percent of reported breaches result in federal litigation.
8. Of the federal actions coded, there are over 86 different kinds causes of data breach actions brought by plaintiffs for essentially the same kind of event.

The report hopes that the research will serve as a useful guide to firms trying to determine the chances of exposure to a lawsuit and the likelihood of settlement.  Insurance markets might also find the report helpful as a measure for pricing cyber-insurance policies, and plaintiffs and defense attorneys can be helped through insight into the trends around data breach litigation.



Experian will be at the annual HCCA 2012 Compliance Institute conference at Caesar’s Palace in Las Vegas. This conference offers an important opportunity to meet industry professionals with solid credentials in a number of areas related to medical information and data security. Some of the topics to be addressed at the conference include healthcare reform, compliance effectiveness and HIPAA privacy/data breach.

Attendees at the Compliance Institute can choose from 128 sessions and 225 speakers. Special conference tracks address legal and regulatory issues and privacy and security concerns, as well as general compliance. Also offered are advanced discussion groups, industry immersions, speed networking and more. For more information, go to http://www.compliance-institute.org/.

Come and visit our booth. We’ll talk about ProtectMyID^®, Surveillance Alerts^TM and ProtectMyID^® ExtendCARE^TM, as well as other Experian products that can play a critical role in protecting your organization, informing patients of a data breach and helping your organization recover from an incident. You can also enter your name in a drawing for a chance to win a new iPad.

Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.

As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.

The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.

Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.

Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.

With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.

Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or databreachinfo@experian.com.

Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.

While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notifications laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the full report here.

Today’s headlines trumpet yet another high-profile medical data breach, this time through Health Net.  The company’s nine missing computer drivers have exposed the records of 2 million policyholders, thus compromising personal information that includes addresses, Social Security numbers, financial data and other information about customers, employees and healthcare providers.  California insurance regulators are conducting multiple probes to determine whether Health Net, which services 6 million policyholders nationwide, “did everything it could have done to avoid and appropriately remedy this security breakdown.”

This corporate catastrophe reminds us of the increasing hazard of medical fraud, which is the most expensive and time consuming to resolve of all types of identity theft[i].  The second annual National Study on Medical Identity Theft, fielded by the Ponemon Institute provides further insight into this pervasive problem and how it affects consumers.

Key finding include:

Recognizing the importance of privacy does not equate to action:

• Nearly 1.5 million Americans have been affected by medical identity theft
• The average cost to resolve a case of medical identity theft is $20,663, up slightly from $20,160 in 2010
• Nearly 70% of total respondents felt it is important to have personal control over medical records
• Nearly 80% felt that healthcare organizations should ensure the privacy of personal medical records
• Nearly half (49%) of past medical identity theft victims took no new steps to protect themselves after their own incident
• 50% of respondents did not report the incident to law enforcement or other legal authorities, up from 46% in 2010

Consumer indifference is fueled by lack of understanding of repercussions

• Of those that failed to report an incident, 43% cited the lack of resulting harm and the desire to “not make it a big deal.” This is up from 37% in 2010
• 37% of respondents fear embarrassment as a result of medical identity theft more than loss of medical coverage (21%) or a diminished credit score (18%)

Consumers are uninformed of new healthcare reform policies

• More than half of respondents (55%) are not familiar or have no knowledge of the new healthcare reform policies
• 79% are not aware of the plan to create a national electronic database of American’s health information
• 33% of respondents believe that a national electronic database will increase the risk of medical ID theft

Medical identity theft is a family affair

• In many cases, the victim discovers the thief to be a relative and the crime is often not reported to authorities
• The leading instance of medical identity theft was at the hands of a family member, accounting for 36% of all victim responses, making it the most common scenario by an overwhelming margin
• According to 51% of respondents, the number one reason for not reporting the incident after discovery is because the victim knew the thief and did not want to report him or her

Health Net is conducting its own investigation into its recent data breach, and regulators have praised the company for acting quickly to alert consumers about the incident.  Healthcare organizations are responsible for protecting consumer privacy and reporting breaches, but the National Study on Medical Identity Theft’s survey confirms that consumers need to play their own part in reporting incidents and helping healthcare companies protect private medical information.

[i]2010 Global Privacy Summit Presentation: The Potential Damages and Consquences of Medical Identity Theft and Healthcare Data Breaches – Dr. Larry Ponemon

Consumers who are part of a data breach may be more likely to experience identity theft. Learn about sources and consequences of identity theft and the benefits of ProtectMyID.