by Daniel J. Solove
If there’s a big data breach, the class action lawyers will start nipping like a bunch of hungry crocodiles. Upwards of forty separate lawsuits were filed against Target after its data breach, and one was filed the day after the breach became public knowledge.
The law, however, has thus far been far from kind to plaintiffs in data breaches. Most courts dismiss claims for lack of harm. I have written extensively about harm in a series of posts on this blog, and I have chided courts for failing to recognize harm when they should.
But the fact is that they don’t recognize harm. Generally, we make those who cause wide-scale harm pay for it. If a company builds a dam and it bursts and floods a town, that company must pay. But when a company loses data about a lot of people – more people than are in any one town – the courts frequently say “no harm, no foul.”
Yet the lawsuits keep coming. Why?
A fascinating recent paper sheds light on the situation. In Empirical Analysis of Data Breach Litigation, 11 Journal of Empirical Legal Studies 74 (2014), Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti analyze court dockets on more than 230 federal data breach lawsuits from 2000 to 2010. They reach some interesting conclusions:
- “[T]he odds of a firm being sued are 3.5 times greater when individuals suffered financial harm, but over 6 times lower when the firm provides free credit monitoring to those affected by the breach.”
- “[T]he odds of a firm being sued as a result of improperly disposing data are 3 times greater relative to breaches caused by lost/stolen data, and 6 times greater when the data breach involved the loss of financial information.”
- “Our analysis suggests that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. The odds of a settlement are found to be 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31%.”
- “[M]ost data breach lawsuits are filed as class actions (76% in our dataset).”
- “78% of federally-litigated breaches did not result in financial loss, while 22% did result in financial loss.”
- “[O]f over 230 suits in our dataset, we observe only two instances of a plaintiff prevailing on a favorable ruling by a judge or jury.”
- The settlement rate for data breach litigation since 2004 is about 50%.
- “[C]ompromise of medical information was most strongly correlated with settlement.”
- “[D]ata breach lawsuits lacking actual harm or class certification are almost as equally likely to reach settlement as dismissal. That is, in cases without these characteristics, the plaintiff faces approximately a 50/50 chance of obtaining a settlement.”
- The authors contacted the attorneys in 86 of the cases and obtained data from 28 of them. Of these, “The mean value of settlements awarded to plaintiffs was about $2,500 per plaintiff (min = $500, max = $15k, n=19) with most awards being a nominal amount of around $500 and often awarded to named plaintiffs only. Attorney fees, on the other hand, were substantially larger, with a mean sum of $1.2m (min = $8k, max = $6.5m, n=15). Importantly, however, settlements may also provide individual redress for identity theft losses and expenses, and cy pres awards to research, non-profits, and charities which have ranged from $50k, to $9.5m.”
- “[O]f the federal actions coded, we found over 86 different causes of action brought by plaintiffs for essentially the same kind of event.” The most common causes of action were state unfair business practice statutes, the federal Fair Credit Reporting Act, breach of contract, negligence, the federal Privacy Act, and the privacy torts.
The authors theorize some explanations, one of which involves avoiding further litigation costs. This reason strikes me as likely to be the correct one.
Our legal system is very clunky and expensive. It is an antiquated system built originally in medieval times. Settling is much cheaper than litigating.
There’s a big problem with a system to resolve disputes that becomes so cumbersome, painful, and expensive that the parties feel they must pay to stay out of the system rather than use it. The system costs a fortune, and ultimately places the decisions in the hands of twelve jurors plucked off the street who have no background or expertise in the issue and know nothing about the legal standards they are being asked to apply. Although jury verdicts might be a bit more predictable than a coin flip, for many lawyers jury verdicts are not much more predictable. So the parties might as well just agree to an official coin toss and save themselves a lot of money.
It surprises me that our legal system remains so primitive in the 21st century. It is a terrible way to resolve important issues, which is probably why we don’t use anything like this system for any other important decisions.
My criticism of this state of affairs is not meant to be pro-plaintiff or pro-defendant. Our current system is not dealing with data breaches very well. This research study shows that parties are bargaining around the legal system to make it go away.
We need to rethink the concept of harm for data breaches, and we also need to rethink the legal system that handles the cases.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.