US law firm BakerHostetler’s 2023 Data Security Incident Response Report, based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022, reveals that lawsuits filed against companies that have suffered a data breach are increasingly common.
The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%).
Although a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 compared to the previous year, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021.
The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021). The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021.
BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022.
Another category of lawsuits has also increased: privacy-related class actions. The law firm is aware of more than 50 lawsuits filed since August 2022 against hospital systems that allegedly shared patient identities and online activities via third-party website analytics tools without the user’s knowledge and consent.
The firm is currently defending more than 200 lawsuits related to privacy or data security.
