Analyzing Causation and Damages in Data Breach Litigation
In a matter involving a major US retail chain, there were allegations that, because of the retailer's negligence in securing customer data, personal account information was stolen from a group of cardholders who had made purchases at the retailer's stores. The Analysis Group team supported Professor Barnett in outlining the types of data that would be required to conduct a proper statistical assessment of the breach, and in analyzing factors associated with the at-risk population, including the types of transactions involved and the "fraud window" at issue.
A similar suit involved several large US grocers, where a massive data breach potentially compromised the account numbers and expiration dates on more than 4 million credit and debit cards that had been used at the grocery stores during a three-month period. The breach was alleged to have been caused by the way in which software had been installed on servers at the supermarkets.
Supported by the Analysis Group team, and using appropriate benchmarks, Professor Barnett examined several factors, including the "incremental fraud rate," or the change in the rate of credit card fraud observed during the time period in which the supermarkets' systems were breached. He adopted a similar approach in assessing the statistical validity of damages estimates put forth in the case of an information breach involving a large US processor of credit and debit card payments whose systems were hacked, potentially compromising tens of millions of cards.