A comprehensive analysis of class action lawsuits involving data security breaches filed in United States District Courts.
Both 2017 and 2018 saw several high-profile companies suffer large data breaches affecting tens of millions of people. News outlets and social media made quick work of headlines, and consumers were reminded, yet again, that their personal information was vulnerable and subject to theft. The now-tired adage, “it’s not a matter of if, but when you will be breached,” was trotted out by experts and the media alike, making it sound as if a data breach inevitably leads to a class action lawsuit against the targeted company.
But the untold story was the 600+ publicly reported data breaches per year that did not make the news and that did not result in class action litigation. Despite numerous large and public data breaches, the risk that a company will face litigation following a data breach remains relatively low year after year, between 4% and 6%, consistent with prior years’ studies published by our firm.
Despite the numbers, news outlets and players in the cybersecurity space can be powerful purveyors of misinformation, and we continue to see organizations misunderstand their risks of litigation after a data breach. Our goal is to help companies accurately evaluate the costs and risks flowing from a data breach and allocate resources in proportion to the risk of harm.
Bryan Cave Leighton Paisner began its survey of data breach class action litigation six years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning the risk associated with data breach litigation. Our annual survey continues to be the leading authority on data breach class action litigation and is widely cited throughout the data security community.
Our 2019 report covers federal class actions initiated between January 1, 2017 and December 31, 2018. The data is split into two periods that cover January 1, 2017 to December 31, 2017 and January 1, 2018 to December 31, 2018. Our key findings are:
Forecast: Based on the consistency of data over the last six years, we anticipate that 2019 will produce similarly low numbers of class action lawsuits filed compared to the overall number of reported breaches. However, we do not expect this trend to continue following the effective date of the California Consumer Privacy Act (“CCPA”) in January 2020. The CCPA is on target to be the first state law to provide statutory damages to individuals affected by a data breach. California residents whose information is breached will have the ability to bring suit against companies that are subject to CCPA compliance. With its express reference to “class actions,” and the ability to recover attorney’s fees for successful plaintiffs, it seems inevitable that we will see a significant uptick in data breach class actions filed in California courts.
1. There were 76 complaints filed in 2016. See Bryan Cave Leighton Paisner, 2017 Data Breach Litigation Report.