A comprehensive analysis of class action lawsuits involving data security breaches filed in United States District Courts.

Both 2017 and 2018 saw several high-profile companies suffering large data breaches affecting tens of millions of people. News outlets and social media made quick work of headlines and consumers were reminded, yet again, that their personal information was vulnerable and subject to theft. The now-tired adage, “it’s not a matter of if, but when you will be breached” was trotted out by experts and the media alike, making it sound as if a data breach inevitably leads to a class action lawsuit against the targeted company.

But the untold story was the 600+ publicly reported data breaches per year that did not make the news and that did not result in class action litigation. Despite numerous large and public data breaches, the risk that a company will face litigation following a data breach remains relatively low year after year, between 4% and 6%, consistent with prior years’ studies published by our firm.

Despite the numbers, news outlets and players in the cybersecurity space can be powerful purveyors of misinformation, and we continue to see organizations misunderstand their risks of litigation after a data breach. Our goal is to help companies accurately evaluate the costs and risks flowing from a data breach and allocate resources in proportion to the risk of harm.

Bryan Cave Leighton Paisner began its survey of data breach class action litigation six years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning the risk associated with data breach litigation. Our annual survey continues to be the leading authority on data breach class action litigation and is widely cited throughout the data security community.

Our 2019 report covers federal class actions initiated between January 1, 2017 and December 31, 2018. The data is split into two periods that cover January 1, 2017 to December 31, 2017 and January 1, 2018 to December 31, 2018. Our key findings are:

  • Increase in filings since 2016.
    • 2017: 152 class actions were filed during 2017. This represents a 100% increase in the quantity of cases filed as compared to the 2017 Data Breach Litigation Report (“2016”).[1]
    • 2018: 103 class actions were filed during 2018. This represents a 48% decrease in the quantity of cases filed as compared to 2017, but a 26% increase compared to 2016.
  • Continued “lightning rod” effect. The majority of the complaints cluster around 2-4 high-profile breaches. When multiple filings against a single defendant are removed, there were 26 unique defendants in 2017 and 36 unique defendants in 2018. This indicates a continuation of the “lightning rod” effect noted in previous reports, wherein plaintiffs’ attorneys file multiple cases against companies who had the largest and most publicized breaches, and generally bypass the vast majority of other companies reporting data breaches.
  • Increase in filings as a function of the quantity of breaches.
    • 2017: Approximately 4.0% of data breaches publicly reported in 2017 led to class action litigation. This is a slight increase from 2016, in which only 3.3% of publicly reported data breaches led to class action litigation.
    • 2018: 7% of data breaches publicly reported in 2018 led to class action litigation in 2018. This is a 1.7% increase from 2017 and a 2.4% increase from 2016, indicating a steady increase in class action litigation relative to the number of breaches.
  • California is a preferred litigation forum regardless of the location of defendant. Unlike previous years, the choice of forum, while occasionally motivated by the states in which the defendant companies are based, was more likely to be either the Northern District of California or the Central District of California. These two districts accounted for 28% of all class action data breach litigation during 2017 and 39% of all class action data breach litigation during 2018.
  • Medical record breach litigation declined. The percentage of class actions involving the breach of medical records fell from 2016, with medical information accounting for 3% of litigation in 2017 and 1% in 2018. This may reflect a lack of high-profile medical record breaches or an increase in attention to data breaches involving other types of records.
  • Plaintiffs continue to use an increasing number of legal theories. Plaintiffs’ attorneys continue to allege multiple legal theories. Plaintiffs alleged a total of 24 legal theories during 2017 and 26 legal theories during 2018.
  • Negligence is still a clear theory of preference. Negligence, the most popular legal theory in 2016, remained the primary theory (first legal count) in approximately 50% of all class action complaints and was alleged in over 90% of all class action complaints during both 2017 and 2018.

Forecast: Based on the consistency of data over the last six years, we anticipate that 2019 will produce similarly low numbers of class action lawsuits filed compared to the overall number of reported breaches. However, we do not expect this trend to continue following the effective date of the California Consumer Privacy Act (“CCPA”) in January 2020. The CCPA is on target to be the first state law to provide statutory damages to individuals affected by a data breach. California residents whose information is breached will have the ability to bring suit against companies that are subject to CCPA compliance. With its express reference to “class actions,” and the ability to recover attorney’s fees for successful plaintiffs, it seems inevitable that we will see a significant uptick in data breach class actions filed in California courts. 

1. There were 76 complaints filed in 2016. See Bryan Cave Leighton Paisner, 2017 Data Breach Litigation Report.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.