Empirical Analysis of Data Breach Litigation

Abstract

While economists and legal scholars have examined data breaches, data breach disclosure laws, and the difficulties that plaintiffs face when seeking redress for the loss or theft of personally identifiable data, little is actually known about the suits’ progression toward disposition. Using a unique sample of manually-collected data from Westlaw and PACER, we analyze the court dockets of over 200 data breach lawsuits from 1998 to 2011, making this, to our knowledge, the first empirical examination of data breach lawsuits. We use discrete outcome regression models to estimate the probability that a data breach will result in a lawsuit, and the probability that, once filed, the case will reach settlement. We find that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in lawsuit. These results suggest that plaintiffs respond more to the careless or negligent handling by a firm of their personal information, than to the firm’s inability to withstand a cyber-attack or misfortune of losing a laptop. However, while these properties may explain the probability of lawsuit, we find that breach characteristics (size, cause and types of information lost) do not significantly predict the outcome of a data breach lawsuit. Instead, the probability of settlement appears to be driven by the presence of actual financial loss, and class certification.