Archives

Sasha Romanosky, David Hoffman, & Alessandro Acquisti, Docket Analysis of Data Breach Litigation

Comment by: Kristen Mathews

PLSC 2011

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461

Workshop draft abstract:

The proliferation of data breach disclosure (security breach notification) laws has prompted a flurry of lawsuits filed by alleged victims of identity theft against corporations that suffer a breach. Using data collected from Westlaw and PACER, we perform docket analysis on a sample of data breach lawsuits over the period from 1999 to 2010. This method of empirical legal research involves collecting, mining and coding relevant data from court documents (such as the complaints and judicial rulings). While much economic and legal scholarship has been written about data breaches, breach disclosure legislation, and the difficulties that consumers face from breach litigation, to our knowledge, this is the first research that attempts to empirically analyze the lawsuits themselves.

In this working paper, we present preliminary results showing that the trend of known lawsuits appears to generally follow (and lag) the trend in reported data breaches. Since about mid-2006, the time taken for plaintiffs to organize and file a complaint has been steadily increasing, though the time to dispose of these suits has been steadily decreasing. Moreover, the overall duration of a data breach lawsuit is 15 months, on average. We also find that the settlement rate of data breach lawsuits is substantially lower in our sample (26%) compared with estimates found in other legal scholarship (67%). Finally, the average number of records lost is statistically much higher for known lawsuits than for the sample of all reported breaches (9.5m compared with 340k) and financial institutions are over-represented in breach litigation relative to the sample of known breaches, while government agencies and educational institutions are under-represented. Further, we use a probit regression to estimate the probability that a data breach will result in a lawsuit, and a multinomial logit model to examine the characteristics of lawsuits that impact particular outcomes of data breach lawsuits.

Andrew Clearwater, Reducing Data Security Breaches Through Enhancements in Property, Tort and Contract Law

Comment by: Kristen Mathews

PLSC 2011

Workshop draft abstract:

The power inequalities that exist when information is transferred between individuals and bureaucracies have left consumers vulnerable to data breaches. While data breach disclosure laws have improved consumer protection and informed the marketplace of security risks, consumers are not entirely rational and they continue to suffer from behavioral biases that hinder their ability to reduce or avoid loss. Many breach notification letters go ignored, and those that are read provide little recourse as most consumers do not know how to act on the information. Many consumers whose data is exposed do not suffer any actual incident of identity theft, moreover, and are thus faced with the nearly impossible challenge of demonstrating a particularized injury under tort law. The mere fear of future identity theft is generally insufficient to warrant damages.

Courts applying tort and contract law generally incorporate prior assumptions about privacy that fail to mitigate or compensate for the rapid escalation of data breaches today. For instance, Bell v. Acxiom Corp. demonstrates that standing requirements can be hard to meet due to the lack of a concrete or particularized harm for many victims of data breaches. Additionally, Key v. DSW Inc. shows that courts are reluctant to analogize the need for credit monitoring in breach cases to the need for medical monitoring in product liability cases. Only where a special relationship exists, as it did in Bell v. Mich. Council, No. 246684, have courts found a duty to safeguard personal data.

This paper investigates the problem of data breaches through the lenses of property, tort, and contract law and analyzes proposals in each of these areas to reduce security breaches, or at least compensate consumers for their harm. Proposals investigated include: a right to personal information alienability paired with a well policed personal information market; the creation of new causes of action such as “breach of trust;” the creation of an affirmative duty to secure personal data for all data stewards that maintain consumers’ personal information; and improving the chances of consumer success under breach of contract theory by shifting the burden of proof on damages to the data steward.