Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently even in cases where the number of impacted individuals is smaller, according to US law firm BakerHostetler.
BakerHostetler last week published its 2023 Data Security Incident Response Report, which is based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022.
The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).
Earlier this year, a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 ($457 million) compared to the previous year ($766 million).
However, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021. The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021). The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021.
The cost of forensic investigations has also increased. For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022.
In addition to higher ransom demands and increased forensic costs, BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022.
Four of the lawsuits filed last year were in response to incidents where fewer than 1,000 people were impacted, and 14 lawsuits were filed over incidents that hit between 1,000 and 100,000 people.
Another category of lawsuits has also increased: privacy-related class actions. BakerHostetler is aware of more than 50 lawsuits filed since August 2022 against hospital systems that allegedly shared patient identities and online activities via third-party website analytics tools without the user’s knowledge and consent.
The law firm says it’s currently defending more than 200 lawsuits related to privacy or data security.
BakerHostetler’s report also looks at incident response trends, threat actor techniques, trends focusing on specific sectors and areas, state privacy and data collection laws, digital assets, and transactional data privacy and security.
Related: Capita Confirms Data Breach After Ransomware Group Offers to Sell Stolen Information
Related: Ransomware Attack Hits Health Insurer Point32Health
Related: Payments Giant NCR Hit by Ransomware