Bracing for the Breach: Part II
George Takach, McCarthy Tétrault LLP

Last time, I looked at the steps organizations should be taking to prepare for the inevitable data breach. I ended the column with the call to arms that every organization should prepare – and keep up to date – a robust “data breach preparation plan.”

Before looking at what should go into the DBPP, it’s worth understanding a number of parameters surrounding data breach litigation. To this end, this column discusses the findings of a groundbreaking research project in the United States that, based on an empirical analysis, studied 1,772 data breaches that occurred in the US between 2005 and 2010 — and the 230 federal lawsuits that emanated from these data breaches.

A Dizzying Array of Causes

The first observation worth making about these cases is that plaintiffs’ counsel are becoming expert at crafting a wide range of causes of action in data breach circumstances. The research identified no fewer than 86 discrete theories of liability, which included (in order of frequency): breach of unfair state business practices statute; negligence; breach of contract; fair credit reporting statute; privacy statute; privacy torts; electronic communications privacy statute; driver privacy protection statute; breach of duty; unjust enrichment; the US Constitution; conversion; misrepresentation; computer fraud and abuse statute; breach of good faith; declaratory relief; state constitution; breach of warranty; emotional distress; civil rights statute; fraud; freedom of information statute; video piracy protection statute; and trespass to property. So, the plaintiff toolkit is very robust.

At the same time, not every data breach results in litigation. Therefore, the research asked the key question: what factors increase the likelihood of a lawsuit?

More Records, More Lawsuits

The research comes to conclusions about when it’s more likely that a breach will end up in litigation. One of the biggest factors is the number of records implicated.

In short, the greater the number of records that were disclosed in an unauthorized fashion, the greater the likelihood of litigation. Bottom line, the research found that a 10 times increase in the number of disclosed records increases the probability of a lawsuit by 8 per cent. For example, the research found that the mean number of records in non-litigated data breaches is 98,000; for those that are litigated, the mean number of records is 5.3 million.

This finding has important implications for your organization. It means you have to analyze your databases and understand which ones are most vulnerable, and the relative size of each. Obviously, your “hardening” measures should be implemented for all of them, but if you have some very large ones, you should expend extra effort on protecting them.

What Type of Data?

The research also concluded there was a correlation between the type of data that is compromised and the likelihood of litigation. For example, breaches involving financial data, and especially credit card numbers, generated the highest likelihood of subsequent litigation. One driver for this result is that, in the US, the Gramm-Leach-Bliley and Fair Credit Reporting statutes mandate fairly strict security controls, while the collection and sharing of credit card data is strictly governed by contracts administered under the Payment Card Industry Data Security Standard.

Again, therefore, the lesson from this finding is the requirement for situational awareness and action — namely, if you are dealing with financial information, and especially credit card data, you have to be thinking in terms of an extremely robust level of security for that data. The same also goes for medically oriented data, given that the US Health Insurance Portability and Accountability Act also prescribes a fairly stringent set of requirements, including patient consent, before health information can be shared across health-care facilities.

What Caused the Breach?

The research shows that it matters to prospective plaintiffs what the actual cause of the data breach was. In the survey period (2005 to 2010), lawsuits were more likely to follow when there was a highly negligent act, such as mistakenly throwing tax records into a dumpster, than when there was an attack on the organization’s computer network by a hacker. Presumably, the former was considered more a “fault” of the organization than the latter, with the startling result that the improper disposal of data is three times more likely to lead to litigation than when the data is stolen.

I wonder, however, whether this distinction is as clear-cut in the 2010 to 2015 period. Over the past five years, the mechanisms for managing external threats over the Internet have improved, such that a series of best practices for this have developed — witness the cyber-security policy issued by the federal Office of the Superintendent of Financial Institutions in Ottawa. On the other hand, the number of hackers has also increased, with the result that the number of data breach incidents has increased markedly over these past five years relative to the previous half-decade; for example, in the US, from 2006 to 2010, there were an average of 805 data breaches a year, while in the period from 2011 to 2015, the number increased to 1,411 a year.

What Type of Harm?

The research also shows that it matters what type of harm actually befell the plaintiffs. Most critically, if actual financial harm was experienced, particularly through identity theft, then that was much more likely to prompt litigation. Interestingly, the research found that only 22 per cent of the federally litigated breach cases in their 2005 to 2010 sample involved financial loss. Considered from another perspective, the results of the research indicate that the likelihood of a company being sued increases by a factor of 3.5 when its customers experience actual financial harm.

By the same token, the likelihood of litigation drops by a factor of six if the organization provides free credit monitoring promptly after the breach. This is why, for example, one often sees the express remedy of the provision of free credit monitoring hardwired into an outsourcing agreement between a financial institution customer and its IT services provider, with the remedy to kick in immediately upon any data breach that impacts the customer’s client data. Indeed, for some time now it has been considered a standard best practice to have credit monitoring commence immediately following a data breach (for example, this is recommended by the US Government Accountability Office).

From Claim to Settlement

Relatively few cases actually proceed to trial, and in this respect data breach litigation is not much different than other types of lawsuits. However, the research also considered what factors particularly drive settlement in the data breach space.

The research found that 76 per cent of the breach litigation cases from 2005 to 2010 were class actions. Moreover, successful certification as a class results in a 30-per-cent greater likelihood of settlement. Again, this is perhaps not surprising. More interesting, though, is the finding that plaintiffs are also 30 per cent more likely to settle when they experience financial loss.

It is important to note that the lack of a finding of identity theft is one reason often given by judges in dismissing a data breach lawsuit. That is, the court is not convinced that a sufficient “actual” harm has occurred to warrant the litigation. At the same time, and particularly if the class is able to get certified, often the defendant settles simply to avoid the additional costs of litigation, or to attempt to stop the negative publicity, or merely because the litigation has taken a significant amount of attention that could be put to better, more productive use.

It is also worth noting that the likelihood of settlement increases 10 times in the case of breaches caused by hackers when contrasted with hardware items that are stolen or lost. And in terms of the sensitivity of data, when the litigation relates to medical data, the probability that the case settles increases by 31 per cent.

One should not underestimate the importance of class action lawyers, who propel these cases forward. The research found that the mean payment to plaintiffs’ legal counsel for a settled class action data breach case was $1.2 million, with the maximum being $6.5 million. At the same time, the mean award to members of the class was $2,500, with most settlements providing roughly $500 per plaintiff. In many cases, the total amount of financial redress per claimant is so small that the bulk of the award was paid to charities.

Volume of Lawsuits

Overall, the research found that, from 2005 to 2010, only about 4 per cent of breaches led to litigation. This is consistent with the findings for litigation rates in other types of personal-injury litigation.

It’s interesting to speculate, however, whether this percentage, in Canada, will rise with the new mandatory breach notification requirement that was added to federal privacy law in mid-2015. Also, from a potential litigation perspective, the recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) now require companies to keep track of the precise records implicated in a data breach. Again, presumably this will assist plaintiffs’ counsel in the mounting of data breach litigation claims.

Regardless of specific drivers of litigation in the data breach space, there is no doubt that you will be better prepared to manage that risk if you have a robust DBPP, and it is to that item we turn next month.

George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.
