Empirical Analysis of Data Breach Litigation

Date: 01 March 2014
Authors: Sasha Romanosky, Alessandro Acquisti, David Hoffman
Published date: 01 March 2014
DOI: http://doi.org/10.1111/jels.12035

Sasha Romanosky, David Hoffman, and Alessandro Acquisti*
In recent years, many lawsuits have been filed by individuals seeking legal redress for harms caused by the loss or theft of their personal information. However, very little is known about the drivers, mechanics, and outcomes of those lawsuits, making it difficult to assess the effectiveness of litigation at balancing organizations’ usage of personal data with individual privacy rights. Using a unique and manually collected database, we analyze court dockets for more than 230 federal data breach lawsuits from 2000 to 2010. We investigate two questions: Which data breaches are being litigated? and Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. Moreover, defendants settle 30 percent more often when plaintiffs allege financial loss, or when faced with a certified class action suit. By providing the first comprehensive empirical analysis of data breach litigation, our findings offer insight into the debate over privacy litigation versus privacy regulation.
I. Introduction
The surge in popularity of social media, e-commerce, and mobile services is proof of the benefits consumers are enjoying from information and communication technologies. However, these same technologies can create harm when personal consumer information is lost or stolen, causing emotional distress or monetary damage from fraud and identity theft.[1] Since 2005, an estimated 543 million records have been lost from over 2,800 data breaches,[2] and identity theft caused $13.3 billion in consumer financial loss in 2010 (BJS 2011). In response, federal legislators have introduced numerous bills that define appropriate business practices regarding the collection and protection of consumer information,[3] and federal regulators have drafted privacy frameworks for consumer data protection (Department of Commerce 2010; FTC 2010). A significant concern for policymakers, therefore, is balancing ex ante regulation with ex post litigation to protect both consumer and commercial interests. For instance, the Department of Commerce inquired: “should baseline commercial data privacy legislation include a private right of action?” (Department of Commerce 2010:30). At issue is the degree to which the current liability regime sufficiently addresses modern privacy harms, or whether a new, more effective federal liability standard is required.

*Address correspondence to Sasha Romanosky, New York University School of Law, 406 Wilf Hall, 139 MacDougal St., New York, NY 10012; email: sromanos@cmu.edu. Romanosky is a Microsoft Research Fellow at the Information Law Institute, New York University School of Law; Hoffman is the James E. Beasley Professor of Law at Temple University Beasley School of Law; Acquisti is an Associate Professor of Information Technology and Public Policy at the Heinz College of Carnegie Mellon University.

This research was supported by CyLab at Carnegie Mellon under Grants DAAD19-02-1-0389 and W911NF-09-1-0273 from the Army Research Office, by Temple Law School's Conwell Corps Program, and by the Information Law Institute at New York University School of Law. We thank Antima Chakraborty, Carol Anne Donohoe, Ian Everhart, Caitlin Jones, Kevin Leary, and Jake Oresick for their research assistance. We also thank Paul Bond, Aaron Burnstein, Jim Graves, Fainna Kagan, Amelia Haviland, Mark Melodia, Kristen Matthews, Peter Oh, Barrie Nault, David Navetta, Mohammad Rahman, Theresa Romanosky, Boris Segalis, Brendon Tavelli, seven anonymous attorneys, and the anonymous reviewers and editors of JELS for their valuable insights and suggestions.

[1] See Solove (2010) for a description of the potential harms associated with breaches of personal information.

Journal of Empirical Legal Studies, Volume 11, Issue 1, 74–104, March 2014
On one hand, a weak litigation regime would be ineffective at deterring a firm’s harmful or negligent behavior. Lawsuits that are inappropriately disposed of eliminate a plaintiff’s ability to obtain appropriate relief for legitimate harms. For example, a case was successfully brought against Rite Aid for carelessly tossing pharmacy labels and employment applications in a public trash dumpster.[4] In the settlement, Rite Aid agreed to “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”[5] Without legal action, such careless practices may have never been corrected.
On the other hand, a heavy-handed litigation regime could impose excessive legal fees and damage awards and—according to some—stifle innovation. For instance, Netflix, an online movie rental site, offered a $1 million prize to anyone who could sufficiently improve its movie recommendation algorithm. To facilitate the contest, Netflix published (what was believed to be) anonymized rental information for a sample of its users. Due to lawsuits stemming from the reidentification of these data, Netflix cancelled a subsequent contest. While the total social value of such innovation may be limited, the Netflix case provides one example of how litigation can impact firms’ product development.
Our research attempts to offer novel insight into this debate by providing the first comprehensive empirical analysis of data breach litigation, and investigates the drivers, mechanisms, and outcomes of data breach litigation.
Determining whether current U.S. privacy laws are too weak or too strong is not easy. It is difficult (and perhaps impossible) to assess the aggregate costs and benefits for both consumers and firms of different privacy regimes in purely monetary terms (Romanosky &

[2] See Privacy Rights Clearinghouse, http://www.privacyrights.org/data-breach, last accessed Jan 22, 2012.

[3] For example, the Cyber Security and American Cyber Competitiveness Act of 2011 (S.21), the Data Security and Breach Notification Act of 2011 (S.1207), the Commercial Privacy Bill of Rights Act 2011 (S.799), the Personal Data Privacy and Security Act of 2011 (S.1151), the Data Breach Notification Act (S.1408), the Personal Data Protection and Breach Accountability Act of 2011 (S.1535), the Secure and Fortify Electronic Data Act of 2011 (H.R.2577), and the Cybersecurity Enhancement Act of 2011 (H.R. 2096).

[4] See In re Rite Aid Corp., FTC File No. 072-3121 (July 27, 2010).

[5] Id.