
What Comes After A Data Breach? Reduce Legal Risk


By Mikhael Felker

You’re breached; it’s above the fold in the paper. Customers are fearful. What do you do? At a minimum start with providing credit monitoring for victims to reduce litigation risk.

Researchers at Carnegie Mellon University (CMU) and Temple University calculated that companies have a six-fold lower risk of being sued in federal court if they provided credit monitoring to victims post-breach.

Litigation risk increased ten-fold if the breach was caused by a cyber-attack (vs. lost, stolen or improperly disclosed data). The paper, "Empirical Analysis of Data Breach Litigation," also concluded that the “odds of a firm being sued as a result of improperly disposing data are three times greater relative to breaches caused by lost/stolen data, and six times greater when the data breach involved the loss of financial information.”

CMU lead researcher Sasha Romanosky obtained publicly reported breach records from DATALOSSdb, then cross-referenced them with WestLaw and PACER (Public Access to Court Electronic Records) to analyze 230 federal lawsuits filed between 2000 and 2010.

Although news headlines are heavy on security breaches, the evidence in the study suggests only 4% of publicly reported breaches led to federal litigation, and of those cases, roughly half were settled. Settlements tend to range from $500 to $15K per plaintiff; plaintiffs commonly seek restitution for the fraud and identity theft that followed the breach.

The number of plaintiffs for any single breach is wide-ranging, and attorneys are more likely to take on cases with a larger number of victims, since fees scale with class size. Average attorney fees for these cases were $1.2 million, according to the CMU study.

Companies holding more sensitive and more heavily regulated data, such as financial and medical firms, are generally at higher risk of litigation. For example, the study concluded that a breach of medical information, compared with other data categories, increased the probability of case settlement by 31%. Breaches involving less sensitive, less regulated data, for example e-mail addresses only, are less likely to end up in litigation.