For the last five years, BCLP has published the leading analysis of data breach class action litigation.1 As part of that study, BCLP has reviewed every data breach class action complaint against a private company filed in (or removed to) federal court.2 Among other variables, BCLP tracked the legal theories asserted by plaintiffs in data breach litigation.
As our 2019 Data Breach Litigation Report indicates, the most popular legal theory utilized by plaintiffs in data breach class action litigation is negligence. Indeed, while 47% of data breach class actions complaints asserted negligence as the primary (or only) legal theory, an additional 45% of data breach class action complaints asserted negligence as a secondary, or alternative, legal theory. As a result, 92% of data breach class action complaints alleged negligence as a legal theory of recovery.3
BCLP anticipates that in 2020, the most popular legal theory will shift from negligence to the CCPA, as plaintiffs attempt to pursue the statutory damages referenced within Section 1798.150 of the Act. While the CCPA may become the most popular legal theory, based upon historical trends, plaintiffs are likely to continue to allege additional legal theories including negligence.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. See 2019 Data Breach Litigation Report available at https://www.bclplaw.com/images/content/1/6/v6/163774/2019-Litigation-Report.pdf.
2. See 2019 Data Breach Litigation Report available at https://www.bclplaw.com/images/content/1/6/v6/163774/2019-Litigation-Report.pdf. Note that the 2019 Data Breach Litigation Report excludes state court litigation as state courts are inconsistent in their publication of filed complaints and, as a result, inclusion of state-filed complaints that were not removed to federal court would inadvertently over-represent or under-represent the quantity of filings in any state depending upon whether a particular state (or a particular court) publishes electronic versions of case filings.
3. See 2019 Data Breach Litigation Report at 14, 17 available at https://www.bclplaw.com/images/content/1/6/v6/163774/2019-Litigation-Report.pdf.