"Companies Increasingly Hit With Data Breach Lawsuits: Law Firm"

According to US law firm BakerHostetler, lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently, even in cases where the number of impacted individuals is smaller.  Last week, the company published its 2023 Data Security Incident Response Report based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022.  The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%).  Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).  Data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021.  The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021).  The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021.  The cost of forensic investigations has also increased.  For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022.  In addition to higher ransom demands and increased forensic costs, the company also found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit.  Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022.  Four of the lawsuits filed last year were in response to incidents where fewer than 1,000 people were impacted, and 14 lawsuits were filed over incidents that hit between 1,000 and 100,000 people.  The company noted that another category of lawsuits has also increased: privacy-related class actions.  BakerHostetler is aware of more than 50 lawsuits filed since August 2022 against hospital systems that allegedly shared patient identities and online activities via third-party website analytics tools without the user’s knowledge and consent.

SecurityWeek reports: "Companies Increasingly Hit With Data Breach Lawsuits: Law Firm"