Data Breach Litigation on the Rise as Law Continues to Evolve

Have you been notified that you were the target of a data breach, or that your business was hacked?  If so, you’re far from alone. Lawsuits relating to cybersecurity are constantly evolving and on the rise.

A recent report from Malwarebytes found a 235 percent increase in cyber attacks on corporate targets in the past 12 months and that Trojans are the biggest malware threat – up 650 percent from the same time last year.

The average cost of a malware attack on a company is $2.6 million, according to Accenture, a global professional services company. That’s an increase of 11 percent from the previous year. The cost is based on what an organization spends to discover, investigate, contain and recover from cyber attacks over a four-consecutive-week period, as well as expenditures that result in after-the-fact activities.

Meantime, the average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190), according to the Ponemon Institute, which conducts independent research on data protection and emerging information technologies.

Because cybersecurity is a relatively new and evolving area of law, we are at a crossroads when it comes to data breach litigation. Courts don’t always agree on what constitutes harm. Establishing standing is still a challenge for many data breach plaintiffs and few data breach cases have attained class action status.

As we explained in this article for Law360, establishing injury requires plaintiffs to show concrete and particularized harm.

However, courts have been split in their application of the concrete harm pleading requirement. Some have held that there is no Article III standing when there is no actual theft of identity or fraud that occurs as the result of a data breach. Other courts have found standing based on allegations of substantial risk of future injury. The U.S. Supreme Court has not yet clarified the law on data breach standing.

Several class action lawsuits have, however, resulted in settlements. For example, in February, Wendy’s agreed to pay $50 million to settle a class-action lawsuit resulting from a data breach that impacted 1,000 of its restaurants in 2015 and 2016.

And, in April, Washington State University settled a class-action lawsuit for $4.7 million resulting from a 2017 data breach following the theft of some portable hard drives that contained personal and health data of some 1.2 million people.

As you might imagine, litigation relating to cyber breaches is one that will continue to evolve in the coming years as both businesses and their customers find themselves targets of cyber attacks.

Pardo Jackson Gainsburg & Shelowitz, PL has an expert team of attorneys specializing in data breach litigation. If you or your company have been the target of a data breach or your personal data has been compromised by a third party, you have rights that need to be protected. To the extent that a data breach results in damage to you and your company, there may be an entitlement to compensation. You should consult with an attorney if you have been the subject of a data breach to fully understand and evaluate your legal options and strategy. For more information contact Nicole Rekant at (786) 800-3344 or email