'Empirical Analysis of Data Breach Litigation' by Sasha Romanosky, David Hoffman and Alessandro Acquisti in (2014) 11(1)
Journal of Empirical Legal Studies 74–104 argues
The surge in popularity of social media, e-commerce, and mobile services is proof of the benefits consumers are enjoying from information and communication technologies. However, these same technologies can create harm when personal consumer information is lost or stolen, causing emotional distress or monetary damage from fraud and identity theft. Since 2005, an estimated 543 million records have been lost from over 2,800 data breaches, and identity theft caused $13.3 billion in consumer financial loss in 2010 (BJS 2011). In response, federal legislators have introduced numerous bills that define appropriate business practices regarding the collection and protection of consumer information, and federal regulators have drafted privacy frameworks for consumer data protection (Department of Commerce 2010; FTC 2010). A significant concern for policymakers, therefore, is balancing ex ante regulation with ex post litigation to protect both consumer and commercial interests. For instance, the Department of Commerce inquired: “should baseline commercial data privacy legislation include a private right of action?” (Department of Commerce 2010:30). At issue is the degree to which the current liability regime sufficiently addresses modern privacy harms, or whether a new, more effective federal liability standard is required.
On one hand, a weak litigation regime would be ineffective at deterring a firm's harmful or negligent behavior. Lawsuits that are inappropriately disposed of eliminate a plaintiff's ability to obtain appropriate relief for legitimate harms. For example, a case was successfully brought against Rite Aide for carelessly tossing pharmacy labels and employment applications in a public trash dumpster. In the settlement, Ride Aide agreed to “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” Without legal action, such careless practices may have never been corrected.
On the other hand, a heavy-handed litigation regime could impose excessive legal fees and damage awards and—according to some—stifle innovation. For instance, Netflix, an online movie rental site, offered a $1 million prize to anyone who could sufficiently improve its movie recommendation algorithm. To facilitate the contest, Netflix published (what was believed to be) anonymized rental information for a sample of its users. Due to lawsuits stemming from the reidentification of these data, Netflix cancelled a subsequent contest. While the total social value of such innovation may be limited, the Netflix case provides one example of how litigation can impact firms' product development.
Our research attempts to offer novel insight into this debate by providing the first comprehensive empirical analysis of data breach litigation, and investigates the drivers, mechanisms, and outcomes of data breach litigation.
Determining whether current U.S. privacy laws are too weak or too strong is not easy. It is difficult (and perhaps impossible) to assess the aggregate costs and benefits for both consumers and firms of different privacy regimes in purely monetary terms (Romanosky & Acquisti 2009). However, even just understanding the landscape of privacy litigation is a problem. Little is known about the trends in data breach litigation—which breaches are litigated and which are not, and with what outcomes. While there exists some legal scholarship regarding data breach litigation (Citron 2007, 2011; Rice 2007; Serwin 2009), it typically examines a narrow subset of lawsuits, focusing on high-profile cases or those with published opinions. Unfortunately, given that as few as 15 percent of all federal lawsuits produce reported opinions (Hoffman et al. 2007), any conclusions reached from examining particular, high-profile cases are likely unrepresentative of the full population of data breach lawsuits. Consequently, it remains still unclear what characteristics these lawsuits actually possess, and how “successful” they have been.
To our knowledge, no empirical research involving data breach lawsuits has been conducted. The purpose of this article is to address this research and policy gap by investigating empirically a representative collection of federal data breach lawsuits and their outcomes. We overcome common sample selection issues by searching Westlaw and acquiring data directly from court dockets (PACER), in combination with other publicly available data sources.
In addition to presenting rich descriptive information about these lawsuits, we explore two sets of questions. First, what kinds of data breaches are being litigated in federal court, and why? Second, what kinds of data breach lawsuits are settling, and why? Our first question examines federal lawsuits resulting from reported data breaches, while the second question includes all known federal lawsuits related to the unauthorized disclosure of personal information.
Our analysis reveals that federal data breach lawsuits typically exhibit a number of significant characteristics. First, plaintiffs seek relief for one or more of: actual loss from identity theft (e.g., financial or medical fraud), emotional distress, cost of preventing future losses (e.g., credit monitoring and identity theft insurance), and the increased risk of future harm. Second, the lawsuits are usually private class actions, though some are brought by public entities such as the Federal Trade Commission or state attorneys general. Third, defendants are typically large firms such as banks, medical/insurance entities, retailers, or other private businesses. Fourth, complaints allege a staggering range of both common-law (tort, breach of contract) and statutory causes of action. And fifth, the vast majority of cases either settle, or are dismissed, either as a matter of law, or because the plaintiff was unable to demonstrate actual harm.
In addition, we find that that the odds of a firm being sued are 3.5 times greater when individuals suffered financial harm, but over 6 times lower when the firm provides free credit monitoring to those affected by the breach. Moreover, the odds of a firm being sued as a result of improperly disposing of data are 3 times greater relative to breaches caused by lost/stolen data, and 6 times greater when the data breach involved the loss of financial information. Our analysis suggests that defendants settle 30 percent more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. The odds of a settlement are found to be 10 times greater when the breach is caused by a cyber attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31 percent.
By providing a comprehensive empirical analysis of data breach litigation, these findings offer insight into the debate over privacy litigation versus privacy regulation. Specifically, we believe that answering these questions will help inform firms, consumers, and policymakers regarding the risks associated with the collection and use of personal information, and the characteristics and outcomes of federal data breach litigation.
The next section provides background literature related to data breaches, docket analysis, and litigation. We then examine which breaches are litigated and, conditional on suit, which cases settle. Discussions of limitations and final conclusions complete the article.
