A Q&A with Sasha Romanksy, Ph.D. Candidate, Carnegie Mellon University
For organizations dealing with a data breach, legal liability is one of the first questions that arises. But are some data breaches more likely to result in lawsuits than others? Sasha Romanosky, a Ph.D. candidate at the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, studies the legal and economic issues around data security and consumer privacy. In a recent study he coauthored, “Empirical Analysis of Data Breach Litigation,” he found that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in lawsuit. We spoke with him about his findings.
Can you explain the importance of your study for a risk manager or an Insurer?
Basically, we were looking at what kind of breaches are being litigated and what kind of variables are strong predictors of lawsuits. The second question is what are the variables and conditions that make a plaintiff more likely to win? This information can help risk managers and insurers have a better sense of how to protect themselves and for assessing and pricing cyber insurance policies.
What were the biggest takeaways from the study?
Very simply it seemed that only 4 percent of reported breaches are being litigated at the federal level—we make a distinction between the federal and the state level. We also found a huge variation in the causes of action, which included unfair business practices, negligence, breach of contract, breach of duty, and various state and federal statutes. A new cause of action is the unauthorized disclosure of personal information.
What you can draw from all of this, it seems to me, is that attorneys are trying different approaches. If there is no evidence of financial loss, the case is usually dismissed. We found that those organizations that offered credit monitoring were 6 times less likely to be sued—those that didn’t were thought to have behaved carelessly. We also found that financial information as opposed to other personal information or medical information is more likely to lead to lawsuits. When individuals suffered financial harm the odds of a firm being sued in federal court were 3.5 times greater. As such, firms dealing in financial information should take more care not to disseminate it.
About half of the cases settle, which is a useful finding, and very often for a nominal fee for the named plaintiff. There can be a substantial award or lump sum for people who suffered identity theft to pay specifically for losses. Defendants settle 30 percent more often when plaintiffs allege financial loss from a data breach or when faced with a certified class action suit.
So far we can’t tell what other factors or characteristics might influence lawsuits and settlements. We need to do more research to find out if the prominence and size of the company, the presence of liability insurance coverage, jurisdiction of event, the timing or quality of notice to victims, and/or media coverage have an impact.
What else do you see on the horizon as far as trends in data breach litigation?
One thing we saw with the Sony breach is that after 30 people filed class action suits, the insurance company would not pay out the damages. In response, Sony changed their end user agreement license to prevent users from suing—instead they must now agree to arbitration. That might be something to keep an eye on going forward—it will be interesting to see if other companies do the same thing.
This study conducted by Mr. Romanosky and his colleagues (see study) is a great step towards helping corporate insurance risk managers and cyber risk underwriters better understand the reality of the class action litigation costs exposure that many organizations are facing. Lawsuits can be time consuming and very expensive. The 2011 NetDiligence® Cyber Claims Study found the average loss paid out by insurance carriers for a data breach event was $2.4 million, a good portion of that devoted to legal defense and indemnification. Moreover, we believe that emerging precedents from plaintiff-friendly cases might reduce the number of future cases dismissed for lack of damages, one of those being the RockYou lawsuit (see summary) which found that personally identifiable info has inherent value.