Companies Increasingly Hit With Data Breach Lawsuits: Law Firm
Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently even in cases where the number of impacted individuals is smaller, according to US law firm BakerHostetler.
BakerHostetler last week published its 2023 Data Security Incident Response Report, which is based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022.
The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).
Earlier this year, a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 ($457 million) compared to the previous year ($766 million).
However, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021. The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021). The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021.
The cost of forensic investigations has also increased. For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022.
In addition to higher ransom demands and increased forensic costs, BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in