Data breach costs skyrocket as class-action lawsuits become more prevalent

26 October 2012

Data breaches are on the rise, and the amount of data stolen is growing. The rise of “Big Data” heists like the one that Sony has been dealing with for 18 months (77 million accounts were compromised) is opening up the potential for class action suits in such cases to become the norm. And that can add millions of dollars to the cost of the incident.

“Big data breaches…potentially produce large class sizes, making such lawsuits attractive to plaintiffs’ lawyers,” write Sharon Klein and Jeff Vagle, attorneys at the Pepper Hamilton law firm, which has offices nationwide. “Companies that store or process personal information face an increasing risk of class action lawsuits based not only on the company’s use of that information, but also on the theft or misuse of that personal information due to data breach.”

They note that many states, such as California and Delaware, have liberal data breach laws that allow private rights of action for security incidents regardless of the likelihood of injury. That, in turn, has facilitated the rise of class-action lawsuits.

What’s more, the cost of the lawsuits can add significantly to the cost of a data breach for a company. A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.

In the Sony example, a class action lawsuit brought after hackers compromised the PlayStation Network in April 2011 was recently dismissed. Plaintiffs brought negligence allegations among other charges. With millions affected, any awarded damages had the potential to far outweigh the estimated $171 million that the breach itself cost the company – though fortunately for Sony, the case was dismissed.

Klein and Vagle also warned that lawsuits can put a company (if it’s not, say, the size of Sony) out of business. In one such case (company unnamed), plaintiffs sought damages of $5,000 per customer from the defendant, which could have resulted in possible damages totaling in the tens of billions of dollars – far more than the defendant company was worth.

There are steps businesses can take to prevent such a nightmare. First, of course, is to make sure data security measures are a priority. The second step is to monitor what was actually done with the stolen data: who was actually hurt?

“In spite of these risks, companies may be able to avoid class certification if the plaintiffs fail to establish standing to bring suit on behalf of a class,” the attorneys noted. “A pivotal question for standing is establishing injury-in-fact, which has successfully prevented certification of many purported data breach class actions. Recent cases, however, have been breaking down the court’s resistance to class certifications, raising the stakes in data breach and privacy cases.”

Companies would do well to consider their liability, especially since the size and commonality of breaches are escalating. The Verizon DBIR identifies the loss of 174 million data records in 855 separate incidents in 2011 alone. And, the Ponemon Institute found that 90% of the companies and organizations surveyed in a recent study had had at least one data breach. Further, the advent of cloud computing and the housing of millions of records in central locations in data centers can mean enormous losses of data from a single breach, “which can equal very large classes of potential plaintiffs,” the attorneys concluded.
