Most data breaches occur because companies fail to implement adequate safeguards to protect personally identifiable information, and data breaches are growing in scope and sophistication. A study by NetDiligence concluded that the average cost per breach is $3.7 million, which includes the litigation defense cost. However, not all data breaches result in identity theft, and most courts recognize that a data breach without a subsequent identity theft is not sufficient injury to confer standing to sue. On the other hand, some courts have found that a data breach increased the risk of identity theft, which was an injury that would confer standing to sue.
Assuming there is standing to sue, plaintiffs need to plead that the data breach resulted in a cognizable injury. This is one reason why a company should act quickly to investigate a breach incident as soon as it learns about it. From the company's perspective, being able to sever the nexus between the breach incident and any causation will be the difference between dismissing a case early or having to potentially litigate the case to a decision.
It is also important from the company’s perspective to get a handle on the extent of the data breach, because a recent case in the Eleventh Judicial Circuit has created a lengthy period during which response costs may be necessary well after the breach incident. A lengthy period of time between the incident and causation does not automatically destroy the nexus between the two events.