Empirical Analysis of Data Breach Litigation


  • This research was supported by CyLab at Carnegie Mellon under Grants DAAD19-02-1-0389 and W911NF-09-1-0273 from the Army Research Office, by Temple Law School's Conwell Corps Program, and by the Information Law Institute at New York University School of Law. We thank Antima Chakraborty, Carol Anne Donohoe, Ian Everhart, Caitlin Jones, Kevin Leary, and Jake Oresick for their research assistance. We also thank Paul Bond, Aaron Burnstein, Jim Graves, Fainna Kagan, Amelia Haviland, Mark Melodia, Kristen Matthews, Peter Oh, Barrie Nault, David Navetta, Mohammad Rahman, Theresa Romanosky, Boris Segalis, Brendon Tavelli, seven anonymous attorneys, and the anonymous reviewers and editors of JELS for their valuable insights and suggestions.


In recent years, many lawsuits have been filed by individuals seeking legal redress for harms caused by the loss or theft of their personal information. However, very little is known about the drivers, mechanics, and outcomes of those lawsuits, making it difficult to assess the effectiveness of litigation at balancing organizations' usage of personal data with individual privacy rights. Using a unique and manually collected database, we analyze court dockets for more than 230 federal data breach lawsuits from 2000 to 2010. We investigate two questions: Which data breaches are being litigated? and Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. Moreover, defendants settle 30 percent more often when plaintiffs allege financial loss, or when faced with a certified class action suit. By providing the first comprehensive empirical analysis of data breach litigation, our findings offer insight into the debate over privacy litigation versus privacy regulation.