Empirical Analysis of Data Breach Litigation

Researchers: Sasha Romanosky, Alessandro Acquisti

Research Area: Privacy Protection

Cross Cutting Thrusts: Business Risk Analysis and Economic Implications

Abstract

Scope: The surge in popularity of social media, e-commerce, and mobile technologies has provided great benefits to consumers by enabling countless online services, reduced prices, and ubiquitous communication. But these activities have consequences when personal consumer information is lost or stolen, causing emotional distress, fraud, and identity theft. While some dispute the validity of these harms, if they are indeed legitimate, one would expect to see concerted efforts to recover losses through litigation. Legal privacy scholarship has typically emphasized the various ways in which plaintiffs fail when bringing legal actions against entities after their personal information is lost or stolen. However, this scholarship is based on a limited set of published judicial opinions about large-scale data breaches. Little is actually known about the characteristics and disposition of a representative set of data breach lawsuits. Using a unique sample of manually collected data from PACER, we analyze the court dockets of over 240 federal data breach lawsuits from 1998 to 2011. We use discrete outcome regressions to better understand which breaches are being litigated and which lawsuits are being settled. Our results generally (though not entirely) support theoretical notions of litigation. We find that while breach characteristics (size, cause, and types of information compromised) are positively correlated with the probability of a lawsuit being filed, they contribute less when predicting the outcome of the suit. Instead, the probability of settlement is mostly driven by typical legal procedural matters such as actual harm and class certification.