This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other Key findings from the 2016 report:
"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."
Slightly more than half (51 percent) of all cases were national. The most popular locations were lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:
"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."
Charges of negligence were cited in 75 percent of lawsuits. Which industry were frequently sued and which weren't:
"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements.."
57 percent of cases included sensitive personal information (e.g., Social Security numbers), 23 percent of cases included debit/credit card information, and 18 percent of cases included credit reports. The law firm reviewed lawsuits occurring during a 15-month period ending in December, 2015. Data sources included Westlaw Pleadings, Westlaw Dockets, and PACER databases.
Historically, some lawsuits by consumers haven't succeeded when courts have dismissed cases because plaintiffs weren't able to prove injuries. According to the Financial Times:
"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."
Learn more about the Neiman Marcus class-action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or hack online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.
I look forward to reading future reports which discuss drivers' licenses data and children's online privacy, and the Internet of Things (ioT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.