Breach, Data Security, Incident Response, TDR

Study finds many turn to lawsuits following a data breach

More than half of American consumers would sue a company that loses its personal information, according to a survey released Wednesday by IT firm Unisys.

The twice-a-year Unisys Security Index, which polled 1,000 Americans on information security concerns, found that 53 percent would take legal action in the event of a data breach. Another 87 percent would change their passwords, and 76 percent would close their accounts.

Legal complaints against breached firms seem more common now than ever, especially when the defendants are organizations with which the claimant has no close relationship. For example, the U.S. Department of Defense recently was hit with a $4.9 billion class-action lawsuit stemming from the breach of computer backup tapes containing the personal information of nearly five million current and former U.S. soldiers.

"The larger the breach, the larger the possibility that some legal action would follow," lawyer Brendon Tavelli, an associate at Washington, D.C.-based Proskauer, told SCMagazineUS.com on Wednesday. "There's not that personal connection with the company. They're just consumers, in the broadest sense of the term."

Still, the likelihood of a courtroom victory is unlikely for consumers, unless they are able to show that the breach personally led to damages, such as non-reimbursed credit card fraud charges.

"So far, they've been notoriously unsuccessful," said Tavelli, whose firm successfully defended Bank of New York Mellon several years ago following the loss of a backup tape containing the personal data of millions. "Most of the case tort laws require you to suffer some type of harm."

But legal sentiment may be changing, if a recent court ruling is any indication. An appeals court in Boston last month ruled that a lawsuit could continue against grocery chain Hannaford Bros., which was compromised of more than four million credit and debit card numbers in late 2007. A three-judge panel ruled that fees paid by consumers for identity theft insurance and new cards, taken as a proactive measure following the breach, could constitute as financial damages.

The decision by the 1st U.S. Circuit Court of Appeals reversed a lower court's ruling and could pave the way for similar judgments. Experts said they are not familiar with any other example in which a federal appeals court allowed such a case to proceed.

"It was only a matter of time before someone would demonstrate harm to get over the lack-of-damages hurdle," Tavelli said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.