What is a data breach?
A data breach is an occurrence involving the intentional or unintentional release of confidential information into an unprotected environment. It serves as the trigger for many state and federal reporting requirements. Data breaches result from cyber-hacking, employee misconduct, bad business practices, and the disposal of devices containing confidential information, or from mishaps as innocuous as an employee leaving a laptop in a coffee shop. A data breach may involve the disclosure of financial information, personal health information, personally identifiable information, trade secrets, and intellectual property.
The numbers speak for themselves
Data breaches, and consequently data breach lawsuits, are on the rise. These statistics from the Ponemon Institute and Net Diligence exhibit their potential economic impact:
- $5.85 million: Average cost per data breach for a U.S. company
- $509,237: Average notification cost per breach
- $3,324,959: Average lost business costs per breach
- $574,984: Average cost of defense of a data breach lawsuit
- $258,099: Average settlement for a data breach lawsuit
No entity is immune from a data breach. Recent examples include:
- Goodwill Industries confirmed a breach involving stolen customer credit card information.
- Home Depot is investigating a breach that may have allowed hackers to access customers’ debit and credit card information. It is possible the breach extends across all 2,200 of Home Depot’s U.S. stores.
- LinkedIn agreed to settle a consolidated class action lawsuit stemming from a 2012 data breach that compromised 6.5 million hashed passwords.
- Community Health Systems Inc., an operator of 206 hospitals in 29 states, experienced a network breach that exposed 4.5 million individuals’ personal information.
Data breach lawsuits come in a variety of shapes and sizes, in both federal and state court. They range from large class actions to those filed by a single person and are filed not only by consumers, but also by banks, credit card companies and other financial institutions. The most prevalent data breach lawsuits are filed by breach victims and involve causes of action for negligence, breach of contract, negligence per se, unjust enrichment, breach of fiduciary duty, unfair deceptive trade practice, and injunctive relief or specific performance. Plaintiffs in such lawsuits typically seek damages for unauthorized charges, damage to credit, cost of credit monitoring, cost of replacement credit cards, time and expenses incurred to investigate, anxiety and emotional distress, unjust enrichment damages, and an increased risk of future harm.
Data breach plaintiffs face difficulties overcoming the defenses of lack of standing and failure to demonstrate a cognizable injury under the Rule 12(b)(6) paradigm. In 2011, a class of data breach victims in Whitaker, et al. v. Health Net of Ca., Inc. filed suit over a data breach that occurred when IBM lost nine servers containing 800,000 Health Net customers’ confidential information. The plaintiffs contended they had standing to sue because of the threat of loss. The judge rejected the plaintiffs’ argument and dismissed the lawsuit because “the threat plaintiffs allege [was] wholly conjectural and hypothetical.”
To date, data breach victims have only been marginally successful in breach lawsuits, but the battlefield is ever-changing. Recent filings have sought to broaden plaintiffs’ arsenal of weapons to include actions such as negligent misrepresentation and apply products liability theories of breach of warranty and strict liability. Legal scholars and professionals in the data security industry predict that it is only a matter of time before the attorneys who represent data breach victims discover a successful avenue for recovery — a development that will significantly increase the cost of data breach litigation and data breach insurance coverage.
In light of the significant costs associated with data breaches, companies can ill afford to wait until they experience one to implement protective measures. Organizations can reduce the risk of a breach by appointing a security professional to manage data protection processes, training employees on data security, and developing incident management and response plans. Additionally, companies should consider engaging third parties to improve protection initiatives and support breach remediation efforts should one occur. Empirical studies have shown that proactive data security measures have a distinct impact on reducing the total price tag for a data breach. An ounce of prevention is worth a terabyte of cure.