Abstract
In recent years, many lawsuits have been filed by individuals seeking legal redress for harms caused by the loss or theft of their personal information. However, very little is known about the drivers, mechanics, and outcomes of those lawsuits, making it difficult to assess the effectiveness of litigation at balancing organizations’ usage of personal data with individual privacy rights. Using a unique and manually-collected database, we analyze court dockets for over 230 federal data breach lawsuits from 2000 to 2010. We investigate two questions: Which data breaches are being litigated, and which data breach lawsuits are settling. Our results suggest that the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. Moreover, defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit. By providing the first comprehensive empirical analysis of data breach litigation, our findings offer insights in the debate over privacy litigation versus privacy regulation.
Highlights
The surge in popularity of social media, e-commerce, and mobile services is proof of the benefits consumers are enjoying from information and communication technologies
Our analysis reveals that federal data breach lawsuits typically exhibit a number of significant characteristics
Our analysis suggests that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit
Summary
The surge in popularity of social media, e-commerce, and mobile services is proof of the benefits consumers are enjoying from information and communication technologies These same technologies can create harm when personal consumer information is lost or stolen, causing emotional distress or monetary damage from fraud and identity theft. Given that as few as 15% of all federal lawsuits produce reported opinions (Hoffman et al, 2007), any conclusions reached from examining particular, high-profile cases are likely unrepresentative of the full population of data breach lawsuits It remains still unclear what characteristics these lawsuits possess, and how “successful” they have been. We believe that answering these questions will help inform firms, consumers, and policy makers regarding the risks associated with the collection and use of personal information, and the characteristics and outcomes of federal data breach litigation.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
