Data Breach = Class-Action Lawsuit

In our sue-happy society, it doesn't seem to matter how or why a breach occurred. It doesn't matter if the data was touched, manipulated, or used for any purpose (including fraud). It doesn't matter if the data was found intact and unobserved. If you have a data security breach of just about any magnitude, it is almost certain that you will be slapped with a class-action lawsuit.
The latest example is Starbucks: http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html What companies need to worry more about is theft, especially of laptops. Observe the following charts.
[Chart: Data Breach Sources of Incidents Between 2000 and 2008]

[Chart: Data Breach Source of Incidents 2008]

The #1 cause of data security breaches is stolen laptops! There are only 4 states that require data breach disclosure if the data is encrypted. 2009 will be the year of the class-action lawsuits for data breaches. It will be interesting to do some analysis 1 year from now, looking at which costs more: the data breach itself (costs to reissue cards, credit monitoring, forensics, etc.) or the lawsuits.

