As part of our ongoing series analyzing the 2016 BakerHostetler Data Security Incident Response Report, this article takes a closer look at the factors that play a role in whether an entity will face a regulatory investigation or litigation as a result of a data breach. As the title suggests, the size of breach is a key factor.
Of all the potential ramifications of a data breach, none causes a greater level of stress than the possibility of a regulatory investigation or class action lawsuit. They are time consuming, disruptive to business operations, and can result is significant financial liability in the form of fines, assessments and damages. And yet, not every data breach results in an investigation or litigation. To answer this question, we analyzed a multitude of factors from over 300 incidents that occurred in 2015, including the nature of the breach, the client’s size and industry, how and when the breach was discovered, and the type of information affected and how the breach occurred. In the end, the number of affected individuals was the strongest indicator of whether a regulatory investigation or litigation would occur.
On average, 23% of companies that publically disclosed a breach received an inquiry from a state attorney general or federal regulator. However, that numbers increases when the size of the breach is factored in. For example, for breaches involving less than 100,000 affected individuals, only 18% of companies received a regulatory inquiry. In contrast, for incidents involving more than 100,000 affected individuals, the percentage jumps to 85%. Most telling, 100% of companies disclosing a breach affecting 1,000,000 or more affected individuals were the subject of a regulatory investigation or inquiry.
On the litigation front, only 4% of companies that publically disclosed a breach were sued in connection with that data breach. However, that number jumps to 43% for breaches involving more than 100,000 affected individuals. For breaches involving 1,000,000 or more affected individuals, that number leaps to nearly 100%.
A word of caution, each breach is unique and both regulators and plaintiffs are not subject to any restriction on the number of individuals that must be affected before an investigation or litigation can proceed. Still, the correlation between the size of a breach and the likelihood of a regulatory investigation makes sense. After all, state regulators have limited resources and are unable to investigate every incident. Moreover, larger breaches tend to be more severe, with a greater impact on a state’s population. It follows that a regulator would want to focus on the larger incidents. Similarly, plaintiffs, in particular class action plaintiffs, have different motivations for filing lawsuits, such as the likelihood of success and the amount of damages that is potentially recoverable. An increase in the number of affected individuals correlates to a larger potential damages award, a greater potential settlement amount and a larger possible contingency fee for the class action attorneys. Again, this does not mean lawsuits are not filed for smaller breaches, but given the expense associated with litigation, it makes sense that class action attorneys would favor larger breaches.
At the end of the day, most entities are generally unable to control the size of a breach. Nevertheless, this highlights the importance of early detection, verification of data exfiltration, and if possible, efforts to limit the number of affected individuals through the use of forensic evidence. In addition, entities that are faced with large data breaches should set realistic expectations regarding the likelihood of a regulatory investigation or litigation.