How to estimate legal costs from a data breach.

Disclosure Complexity: How much work is the initial disclosure?

A breach disclosure effort will include the following cost areas:

  • Legal Fees: Lawyers will advise on which disclosures are required under industry regulation, contract commitments, and international, federal, and state law.
  • Employee Time: First, there will be effort in deciding how to deliver the news. Your organization might not be good at delivering news outside of its normal channels, targeted to specific victim cohorts. (“50k accounts were accessed, 1k had data viewed, and 35 were compromised, so we need to email three cohorts in N jurisdictions”)
  • Both: A large group of comms, engineering, and legal staff will fight over the language of the actual disclosure. There may be meetings simply to debate word choices, trading off plain language against liability.

Next: A matter of whether you’ll be sued or not.

Litigation Probability: Will it even happen?

A data breach can’t have major litigation costs if no one sues you.

Next: If we see litigation, how expensive is it?

Multiple Litigators: If litigation happens, how many litigators?

Follow-up from a data breach may come from a single plaintiff or from a consolidated class action. A medium-profile class action can run up million-dollar costs just from the process of consolidating into a single class action case. These are the administrative costs simply of handling the process of being sued. You might need representation to handle multiple plaintiffs, and counsel might need to appear in those cases before they consolidate, which is a cost to consider before litigation even begins.

Class Actions: Becoming more likely with consumer tech.

The ability of class actions to form has increased as law firms are better able to target victims and encourage them to join. See the following example of advertisements on Facebook generated immediately after the Zynga data breach:

Discovery Costs: Ranging from zero to absurd.

Discovery is a pre-trial phase in which the parties are expected to produce evidence for each other. It is often discussed as eDiscovery when automated discovery methods are involved.

Settlement Costs: Highly variable depending on the business.

Settlement costs vary dramatically, and I wanted to get a better sense of how they fluctuate.

Indemnification Costs: Your contract language may multiply costs.

You are on the hook for your customers’ incident response costs if your contracts with them include cyber breach indemnification language.

Sample contract language from EDUCAUSE

Trial Costs: Did you go to trial or not? Was it lengthy?

It’s widely cited that 90–95% of civil cases settle before trial. You can find some reference-class analysis using published statistics from state courts.
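Putting the cost areas above into one expected-cost model, as an added example that is not from the original post: the disclosure cost is always paid, litigation happens with some probability, and a litigated case adds consolidation, discovery and indemnification costs before resolving by settlement or (rarely) trial. Every dollar range and probability below is a constructed assumption, not a figure from the essay (only the idea that roughly 5–10% of cases reach trial comes from the text), so replace them with your own reference-class data.

```python
import random
from dataclasses import dataclass

# Constructed, hypothetical (low, mode, high) USD ranges and probabilities.
# None of these numbers come from the post; they only shape the model.
@dataclass
class BreachCostModel:
    disclosure: tuple = (50_000, 150_000, 400_000)        # legal fees + employee time, always incurred
    p_litigation: float = 0.4                              # chance that anyone sues at all
    consolidation: tuple = (100_000, 500_000, 1_500_000)   # multiple litigators / class consolidation
    discovery: tuple = (0, 250_000, 3_000_000)             # "zero to absurd"
    indemnification: tuple = (0, 200_000, 1_000_000)       # customers' IR costs owed under contract
    p_trial: float = 0.07                                  # ~90-95% of cases settle, so a few go to trial
    settlement: tuple = (250_000, 2_000_000, 10_000_000)
    trial: tuple = (1_000_000, 4_000_000, 15_000_000)

def _mean(tri):
    """Mean of a triangular distribution given as (low, mode, high)."""
    low, mode, high = tri
    return (low + mode + high) / 3

def expected_legal_cost(m: BreachCostModel) -> float:
    """Decision-tree expected value: disclosure always, the litigation branch weighted by its probability."""
    resolution = m.p_trial * _mean(m.trial) + (1 - m.p_trial) * _mean(m.settlement)
    litigated = _mean(m.consolidation) + _mean(m.discovery) + _mean(m.indemnification) + resolution
    return _mean(m.disclosure) + m.p_litigation * litigated

def simulate_legal_cost(m: BreachCostModel, runs: int = 20_000, seed: int = 1):
    """Monte Carlo over `runs` breaches; returns (mean, p50, p90) of total legal cost.

    The mean matches expected_legal_cost(); the percentiles show the skew that an
    average hides (most breaches stay cheap, a minority become very expensive).
    """
    rng = random.Random(seed)

    def draw(tri):
        low, mode, high = tri
        return rng.triangular(low, high, mode)  # stdlib order is (low, high, mode)

    totals = []
    for _ in range(runs):
        total = draw(m.disclosure)
        if rng.random() < m.p_litigation:
            total += draw(m.consolidation) + draw(m.discovery) + draw(m.indemnification)
            total += draw(m.trial) if rng.random() < m.p_trial else draw(m.settlement)
        totals.append(total)
    totals.sort()
    return sum(totals) / runs, totals[runs // 2], totals[int(runs * 0.9)]

if __name__ == "__main__":
    model = BreachCostModel()
    print(f"expected: ${expected_legal_cost(model):,.0f}")
    mean, p50, p90 = simulate_legal_cost(model)
    print(f"simulated mean ${mean:,.0f}, p50 ${p50:,.0f}, p90 ${p90:,.0f}")
```

The gap between the median and the mean is the point of the exercise: budgeting to the average underfunds the litigated tail, which is why the p90 figure is the one to take to an insurance or reserve discussion.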

Regulation: Temporary or permanent modifications to business.

The takeaway

Yes, data breaches are expensive 🙄. But why? I’ve published a few essays on breach costs.

  1. This review of legal costs (You’re reading it)
  2. Valuation of non-monetary penalties
  3. Estimating the $ of a security incident
  4. Imposed risk (The value of risk organizations)
