Empirical Analysis of Data Breach Litigation

27 Pages. Posted: 14 Jul 2011


Sasha Romanosky

RAND Corporation; Carnegie Mellon University - Heinz College of Information Systems and Public Policy

David A. Hoffman

University of Pennsylvania Law School; Cultural Cognition Project at Yale Law School

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

There are 2 versions of this paper

Date Written: July 12, 2011

Abstract

While economists and legal scholars have examined data breaches, data breach disclosure laws, and the difficulties that plaintiffs face when seeking redress for the loss or theft of personally identifiable data, little is actually known about the suits’ progression toward disposition. Using a unique sample of manually collected data from Westlaw and PACER, we analyze the court dockets of over 200 data breach lawsuits from 1998 to 2011, making this, to our knowledge, the first empirical examination of data breach lawsuits. We use discrete outcome regression models to estimate the probability that a data breach will result in a lawsuit, and the probability that, once filed, the case will reach settlement. We find that breaches resulting from the unauthorized disclosure or disposal of personal information are 6.9% more likely to result in a lawsuit, relative to breaches caused by lost or stolen hardware, whereas breaches caused by cyber-attack are only 2.9% more likely to result in a lawsuit. These results suggest that plaintiffs respond more to a firm’s careless or negligent handling of their personal information than to the firm’s inability to withstand a cyber-attack or its misfortune in losing a laptop. However, while these properties may explain the probability of a lawsuit, we find that breach characteristics (size, cause and types of information lost) do not significantly predict the outcome of a data breach lawsuit. Instead, the probability of settlement appears to be driven by the presence of actual financial loss and class certification.

Keywords: data breach, data breach litigation, docket analysis, identity theft

JEL Classification: C25, D18, K41, L86

Suggested Citation

Romanosky, Sasha and Hoffman, David A. and Acquisti, Alessandro, Empirical Analysis of Data Breach Litigation (July 12, 2011). Available at SSRN: https://ssrn.com/abstract=1884499 or http://dx.doi.org/10.2139/ssrn.1884499

Sasha Romanosky (Contact Author)

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States

Carnegie Mellon University - Heinz College of Information Systems and Public Policy

Pittsburgh, PA 15213-3890
United States

David A. Hoffman

University of Pennsylvania Law School

3501 Sansom Street
Philadelphia, PA 19104
United States

Cultural Cognition Project at Yale Law School

127 Wall St
New Haven, CT 06520
United States

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Pittsburgh, PA 15213-3890
United States
412-268-9853 (Phone)
412-268-5339 (Fax)
