Data breach costs skyrocket as class-action lawsuits become more prevalent

26 October 2012

Data breaches are on the rise, and the amount of data stolen in each is growing. The rise of “Big Data” heists like the one that Sony has been dealing with for 18 months (77 million accounts were compromised) is opening up the potential for class action suits in such cases to become the norm. And that can add millions of dollars to the cost of the incident.

“Big data breaches…potentially produce large class sizes, making such lawsuits attractive to plaintiffs’ lawyers,” write Sharon Klein and Jeff Vagle, attorneys at the Pepper Hamilton law firm, which has offices nationwide. “Companies that store or process personal information face an increasing risk of class action lawsuits based not only on the company’s use of that information, but also on the theft or misuse of that personal information due to data breach.”

They note that many states, such as California and Delaware, have liberal data breach laws that allow private rights of action for security incidents regardless of the likelihood of injury. That, in turn, has facilitated the rise of class-action lawsuits.

What’s more, the cost of the lawsuits can add significantly to the cost of a data breach for a company. A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.

In the Sony example, a class action lawsuit filed after hackers compromised the PlayStation Network in April 2011 was recently dismissed. Plaintiffs brought negligence allegations among other charges. With millions affected, any awarded damages had the potential to far outweigh the estimated $171 million that the breach itself cost the company – though fortunately for Sony, the case was dismissed.

Klein and Vagle also warned that lawsuits can put a company (if it’s not, say, the size of Sony) out of business. In one such case (company unnamed), plaintiffs sought damages of $5,000 per customer from the defendant, which could have resulted in possible damages totaling in the tens of billions of dollars – far more than the defendant company was worth.

There are steps businesses can take to prevent such a nightmare. First, of course, is to make sure data security measures are a priority. The second step is to monitor what actually was done with the stolen data: who was actually hurt?

“In spite of these risks, companies may be able to avoid class certification if the plaintiffs fail to establish standing to bring suit on behalf of a class,” the attorneys noted. “A pivotal question for standing is establishing injury-in-fact, which has successfully prevented certification of many purported data breach class actions. Recent cases, however, have been breaking down the court’s resistance to class certifications, raising the stakes in data breach and privacy cases.”

Companies would do well to consider their liability, especially since the size and frequency of breaches are escalating. The Verizon DBIR identifies the loss of 174 million data records in 855 separate incidents in 2011 alone. And the Ponemon Institute found that 90% of the companies and organizations surveyed in a recent study had had at least one data breach. Further, the advent of cloud computing and the housing of millions of records in central locations in data centers can mean enormous losses of data from a single breach, “which can equal very large classes of potential plaintiffs,” the attorneys concluded.
