Home page logo

funsec logo funsec mailing list archives

What Comes After A Data Breach? Reduce Legal Risk
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 24 Jun 2013 19:50:11 -0400

Don't protect the data, just provide the credit monitoring service
after its lost....


You’re breached; it’s above the fold in the paper. Customers are
fearful. What do you do? At a minimum start with providing credit
monitoring for victims to reduce litigation risk.

Researchers at Carnegie Mellon University (CMU) and Temple University
calculated that companies have a six-fold lower risk of being sued in
federal court if they provided credit monitoring to victims

Litigation risk increased ten-fold if the breach was caused by a
cyber-attack (vs. lost, stolen or improperly disclosed data). The
paper, ”Empirical Analysis of Data Breach Litigation,” also concluded
that the “odds of a firm being sued as a result of improperly
disposing data are three times greater relative to breaches caused by
lost/stolen data, and six times greater when the data breach involved
the loss of financial information.”

CMU lead researcher Sasha Romanosky obtained publicly reported breach
records from DATALOSSdb then cross-referenced them with WestLaw and
PACER (Public Access to Court Electronic Records) to perform the
analysis of 230 federal lawsuits between 2000 and 2010.

Although news headlines are heavy on security breaches, the research
evidence in the study suggests only 4% of publicly reported breaches
led to federal litigation, and of that, roughly half are settled.
Settlements tend to range from $500 to $15K per plaintiff, who are
commonly seeking restitution as a result of the impact of fraud and
identity theft from the breach.

The number of plaintiffs for any single breach is wide ranging, and
attorneys are more likely to pick up cases with a larger number of
victims to increase fees. Average attorney fees for cases were $1.2
million, according to the CMU study.

Companies with higher sensitivity and more regulated data, such as
financial and medical firms are generally at higher risk of
litigation. For example, the study concluded that a breach of medical
information over other data categories increased the probability of
case settlement by 31%. Breaches that occur with less sensitive, less
regulated data–for example, e-mail addresses only, would be less
likely to find themselves in litigation.
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
  • What Comes After A Data Breach? Reduce Legal Risk Jeffrey Walton (Jun 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]