'Empirical Analysis of Data Breach Litigation', a
paper by Sasha Romanosky, David A. Hoffman & Alessandro Acquisti for the 39th Telecommunications Policy Research Conference (TPRC) 2011, comments that -
Legal privacy scholarship typically emphasizes the various ways that plaintiffs fail when bringing legal actions against entities when their personal information is lost or stolen. However this scholarship often considers only a small set of published judicial opinions from large-scale data breaches. And so, little is actually known about the characteristics and disposition of a representative set of data breach lawsuits.
Using a unique sample of anually-collected data from Westlaw and PACER, we analyze the court dockets of over 200 federal data breach lawsuits from 1998 to 2011, making this, to our knowledge, the first empirical examination of data breach litigation. We use discrete outcome regression models to estimate the probability that a data breach will result in a lawsuit, and the probability that, once filed, the case will reach settlement. We find that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in lawsuit.
These results suggest that plaintiffs respond more to the careless or negligent handling by a firm of their personal information, than to the firm’s inability to withstand a cyber-attack or misfortune of losing a laptop. However, while these properties may explain the probability of lawsuit, we find that breach characteristics (size, cause and types of information lost) do not significantly predict the outcome of a data breach lawsuit. Instead, the probability of settlement appears to be driven by the presence of actual financial loss, and class certification.
The authors conclude that -
The proliferation of data breach disclosure laws has heightened awareness of data breaches and catalyzed a flurry of lawsuits by alleged victims of identity theft. These disputes have arisen from the vigorous debate surrounding the use, and dissemination of personally identifiable consumer information. On one hand, collection of both public and private consumer information spawns innovation and reduces consumer costs. For example, data aggregators such as Choicepoint provide valuable services both to retail consumers (facilitating low-cost insurance premiums and lending rates) and corporate or government entities (employee background checks, assisting law enforcement, etc.). On the other hand, consumer advocates argue that the aggregation and storage of this personal information pose great risk to consumers, and its inadvertent or negligent disclosure can lead to many forms of identity theft, fraud, and abuse.
While most legal scholarship has highlighted the difficulties that plaintiffs face when bringing lawsuits because of these data breaches, to our knowledge, there has been no empirical research that has systematically and rigorously examined these suits. Using a hand-collected dataset of over 200 lawsuits, we provide a first-ever empirical analysis of federal data breach litigation in the United States. Our results suggest that individuals are more likely to file suit when the breached is caused by careless or negligent disclosure of personal information, relative to lost or stolen hardware. We also find that disclosure of financial information, though not social security numbers, also significantly increases the probability of suit. Moreover, while these characteristics of the breach (size, cause, types of information lost) were found to be strong predictors of the probability of lawsuit, they were not found to be significantly correlated with the outcome of the suit. Instead, specific instances of identity theft or fraud, class certification and multi-suit litigation were each found to significantly increase the probability that a data breach lawsuit would result in settlement.
The unconditional probability that any given data breach will result in a lawsuit is very small, 5.5%. Nevertheless, conditional on being filed, lawsuits settle almost twice as often as they are dismissed (51% versus 27%, respectively). While this result is still somewhat lower than current literature would predict (Eisenberg and Lanvers; 2009, table 4), it represents a novel insight because legal scholarship typically only emphasizes the failures of data breach claims. However, despite the large proportion of settled cases, the overall probability that any given data breach will settle is still only around 3%. Defendants, however, are surely not immune to the threat and expense of litigation: public actions brought by government entities are very successful, and legal fees can reach millions of dollars.
But is litigation the proper solution? Recall how we identified 86 unique causes of action alleged by plaintiffs for essentially the same event: the unauthorized disclosure of personal information. Does this huge diversity suggest that the current legal system is ill-equipped to efficiently resolve modern data breach harms? Does it expose the limitations of common law and statutory claims brought by individuals seeking redress from data breaches and resulting harms, be they actual, emotional, or anticipated harm?
In an attempt to address these questions, the US Department of Commerce (Department of Commerce, 2010) the Federal Trade Commission (FTC, 2010) have each crafted guidelines for a comprehensive privacy framework identifying best practices for the collection, use and protection of personal information. In particular, the Department of Commerce specifically asks, “should baseline commercial data privacy legislation include a private right of action?” (Department of Commerce, 2010, 30). That is, what role should a private right of action have in redressing harms from privacy intrusions? The outcome of such a proposal, presumably, would allow private individuals to bring legal actions, and obtain redress, for a firm’s mere violation of new data protection or consumer privacy statute. However, the tensions generated by such a proposal are grueling: on one hand, the threat of private class-action litigation may be necessary in order to induce firms to protect personal information, especially in light of the limited resources of public enforcement agencies such as the FTC, SEC, state attorneys general. On the other hand, such a liability regime could impose socially excessive costs on firms as a result of potentially massive damage awards and legal fees.