Report: Nearly One in Five Ransomware Attacks Leads to a Lawsuit

CLM member cites two key reasons for increasing trends

May 08, 2024

Almost one in five ransomware attacks led to a lawsuit in 2023, according to recent data published by Comparitech. Over the past couple of years, according to the report, “Lawsuits filed following ransomware attacks have increased, with the overall average over the last five years standing at 12%.”

Attacks by the Numbers

“Across just over 3,000 confirmed ransomware attacks, 355 lawsuits have been filed,” the report states. “Of the cases that have been completed (255 in total), 59% of these were successful, e.g. led to a data breach settlement, resulted in the company being fined for failing to safeguard systems and/or data, or were settled through mediation/out of court. A further 57 (25%) led to voluntary dismissals by the plaintiffs. This could suggest out-of-court settlements were reached in these cases, too.” Only 25 cases were dismissed by judges.

Furthermore, according to the report, “In 112 cases, settlement figures were provided. These figures totaled over $245 million with the average settlement being $2.2 million. 2023 saw an average settlement figure of nearly $2.1 million.” In addition, “Organizations have been hit with nearly $10 million worth of penalties. These penalties tend to be enforced due to the company failures before, during, or after a ransomware attack…Attacks in 2023 have seen a record-breaking 123 lawsuits being filed.” In total, 283,346,702 individual records are known to have been impacted in the ransomware attacks with lawsuits filed, the report found, with data breaches being the main reason for lawsuit filings.

Ransomware Lawsuits by Industry

“Health care saw the highest percentage of lawsuits filed following ransomware attacks,” according to the report. “Since 2018, 111 out of 521 attacks (21%) have seen lawsuits being filed. Forty-three percent have been successful—or 87% when including voluntary dismissals.”

On the other hand, the education sector “has the lowest success rate at just 20%, but this increases significantly when considering voluntary dismissals (93%). Businesses have a higher success rate for lawsuits with 73% (or 90% including voluntary dismissals).”

When considering sub-industries, the report states that construction has a 100% success rate, although the sector has seen fewer attacks and lawsuits filed overall. Likewise, the service, technology, and transportation industries have seen high lawsuit success rates as well.

Factors Contributing to Increased Lawsuit Frequency

Commenting on the findings, CLM member Edward F. Donohue, partner, Hinshaw & Culbertson LLP, says, “Two known factors in consumer litigation have contributed to the increase in the frequency of lawsuits based on ransomware attacks recently identified by Comparitech. First, the frequency of incidents generally triggers self-reporting to an increasingly broader population of affected consumers. Thus, there is growing recognition and acceptance of the fact that statutory duties to self-report data breaches include ransomware attacks.

“For example,” Donohue elaborates, “California Civil Code Section 1798.2 requires the reporting of instances when personal health care data protected by the California Medical Information Act is ‘acquired by an unauthorized person.’ An argument has been made that denial of access to patient data alone does not equate with extraction and misuse and thus ‘acquisition’ of the underlying data. Instead, the ransom demand is generally predicated on a threat to publish and/or misuse the data. Existing laws were enacted to address breaches resulting in actual theft of private personal information.

“However, in August 2021 the California Attorney General Rob Bonta issued an advisory that ransomware attacks must in fact be self-reported under the statute. Increasingly, other states are in accord in applying this requirement under similar privacy laws.

“Second,” continues Donohue, “the success rate in pursuing such claims naturally impacts frequency. Again, trends are pro-consumer.

“In Clapper v. Amnesty International USA, 568 U.S. 398, 411-12 (2013), the U.S. Supreme Court ruled that Amnesty International could not sue the government for the alleged potential future mitigation expense resulting from an intelligence breach by the NSA.

“However, more recent decisions have generally declined to follow Clapper,” he adds. “In the 2020 Marriott Customer Data Security Breach Litigation, Judge Paul Grimm held that an imminent threat of identity theft supported standing to sue. The court noted that private personal information had an inherent tangible value subject to compromise in the event of a breach.

“Though ransomware blocks access to the victim’s data, to maintain their credibility, hackers generally do not appropriate and misuse the underlying data, at least if they are paid. A consumer’s claim of actual or potential misuse may be rejected as unduly speculative.

“Nevertheless, plaintiffs have been successful in sustaining ransomware claims on other grounds. In Moore v. Centrelake Medical Group, Inc., 83 Cal. App. 5th 515 (2022), the court held that claims of false advertising could be made against a medical group based on alleged misrepresentations on data security found on the group’s website.

“Based on these evolving liability theories it is not surprising that Comparitech found that plaintiffs succeeded in obtaining recoveries in more than half of the suits that were brought,” Donohue concludes.

About The Authors
Angela Sabarese

Angela Sabarese, Associate Editor of CLM. angela.sabarese@theclm.org
