2016 Data Breach Litigation Report

A Comprehensive Analysis of Class Action Lawsuits Involving Data Security Breaches Filed in United States District Courts
April 6, 2016

Executive Summary

Data security breaches – and data security breach litigation – dominated the headlines in 2015 and continue to do so in 2016. Continuous widely publicized breaches have led to 30,000 articles a month being published that reference data breach litigation. Law firms have collectively published more than 156,000 articles on the topic.[1]

While data breach litigation is an important topic for the general public, and remains one of the top concerns of general counsel, CEOs, and boards alike, there remains a great deal of misinformation reported by the media, the legal press, and law firms. At best this is due to a lack of knowledge and understanding concerning data breach litigation; at worst some reports border on sensationalism or fearmongering.

Bryan Cave LLP began its survey of data breach class action litigation four years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities with reliable and accurate information concerning data breach litigation risk. We are proud that our annual survey has become the leading authority on data breach class action litigation and is widely cited throughout the data security community.

Our 2016 report covers litigation initiated over a 15-month period from the fourth quarter of 2014 through the fourth quarter of 2015 (the “Period”).[2] Our key findings are:

  • 83 cases were filed during the Period. This represents a nearly 25% decline in the quantity of cases filed as compared to the 2015 Data Breach Litigation Report (the “2015 Report”).[3]
  • When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches. As with the overall quantity of cases filed, the quantity of unique defendants also declined as compared to the 2015 Report; approximately 16% fewer unique defendants were named in litigation.
  • Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years. The stability in the conversion rate is explained by a decrease in the number of publicly reported data breaches. While further research would be needed to separate correlation from causation, it appears that the decline in the absolute quantity of data breach class action litigation, and the absolute quantity of data breach class action litigation defendants, may be primarily due to a decline in the overall quantity of reported breaches. At this point there is no evidence to suggest that the decline in litigation is attributable to other causes (e.g., disinterest by the plaintiff’s bar, lack of success of previous litigation, etc.).
  • The Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois are the most popular jurisdictions in which to bring suit. Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based.
  • Unlike in previous years, the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers.[4] The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large-scale breaches. As a result, we do not expect the overweighting of the medical professions for breach litigation to necessarily continue into the coming year.
  • There was a 76% decline in the percentage of class actions involving the breach of credit cards as compared to the 2015 Report. The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements in previous credit card related breach litigation.
  • While plaintiffs’ attorneys continue to allege multiple legal theories, there appears to be some movement toward consolidation. For example, although plaintiffs alleged 20 legal theories, that represents a 16% decline from the 2015 Report, which identified 24 legal theories.
  • Favored legal theories continue to emerge. Specifically, while negligence was the most popular legal theory in the 2015 Report, with 67% of cases including a count of negligence, nearly 75% of cases now include a count of negligence.
  • Unlike in previous years in which plaintiffs’ attorneys focused on breaches of information that was arguably of a less sensitive variety (e.g., credit card numbers), plaintiffs’ attorneys overwhelmingly focused on breaches in this Period that involved information that is traditionally considered “sensitive” such as Social Security Numbers.


[1] Google News Search for “Data Breach Litigation” conducted on March 22, 2016 (covers 30 days); Lexology.com search for “Data Breach Litigation” conducted on March 25, 2016.
[2] The study period included October 1, 2014 through December 31, 2015.
[3] Complaints filed against Government agencies were excluded from the 2015 report and included in the 2016 report. Therefore, the decline in overall complaints filed would be even further pronounced if Government agencies were excluded from the 2016 Report. See Bryan Cave LLP, 2015 Data Breach Litigation Report: A Comprehensive Analysis of Class Action Lawsuits Involving Data Security Breaches Filed in United States District Courts
[4] Privacy Rights Clearinghouse estimates that in the Period, 68 of the 282 publicly reported breaches involved the medical industry. See http://www.PrivacyRights.org (last viewed March 22, 2016).