2016 was another year in which data breaches continued to dominate the headlines, a constant reminder to people that their personal information was vulnerable and the target of criminal attacks. Yet, despite the fact that data breaches do not appear to be going away anytime soon, the risk that a company will face litigation following a data breach remains relatively low year-after-year. The reason is likely tied to the difficulty plaintiffs continue to face establishing that they were injured by a breach and, therefore, have standing as a matter of law to bring suit.
Nonetheless, fear is a powerful marketing strategy, and we continue to see misinformation disseminated to the public about the likelihood of being sued after a data breach. This is not to say that companies should not continue to devote significant resources to breach preparation, information security, and breach response. But we are firm believers in allocating resources in proportion to the risk of harm, and litigation arising from a breach generally does not occur except in cases of public breaches involving large quantities of highly sensitive information.
Bryan Cave LLP began its survey of data breach class action litigation five years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning the risk associated with data breach litigation. Our annual survey continues to be the leading authority on data breach class action litigation and is widely cited throughout the data security community.
Our 2017 report covers federal class actions initiated over a 12 month period from January 1, 2016 to December 31, 2016 (the “Period”). Our key findings are:
- Modest increase in filings. 76 class actions were filed during the Period. This represents a modest 7% increase in the quantity of cases filed as compared to the 2016 Data Breach Litigation Report (the “2016 Report”).
- Continued “lightning rod” effect. Consistent with prior years, many of these lawsuits cluster around the same high-profile breaches. When multiple filings against single defendants are removed, there were only 27 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in previous reports, wherein plaintiffs’ attorneys file multiple cases against companies who had the largest and most publicized breaches, and generally bypass the vast majority of other companies that experience data breaches.
- Decrease in filings as a function of the quantity of breaches. Approximately 3.3% of publicly reported data breaches led to class action litigation. Unlike in prior years, in which the percentage of class action lawsuits has remained relatively steady at 4 or 5% of publically reported breaches, 2016 saw a slight decrease in litigation relative to the number of breaches.
- Litigation forums cluster around location of defendants. The Northern District of California, the Middle District of Florida, and the District of Arizona were the most popular jurisdictions in which to bring suit in 2016. Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based.
- Medical industry disproportionately targeted by the plaintiffs’ bar; but may still be underweighted. Like the previous year, the medical industry was disproportionately targeted by the plaintiffs’ bar. Although 70% of publicly reported breaches related to the medical industry, only 34% of data breach class actions targeted the medical industry or health insurance providers.
- Credit card breach litigation is flat. The percentage of class actions involving the breach of credit cards stayed relatively constant as compared to the 2016 Report, with credit and debit cards data accounting for 21% of the type of data involved in data breach class actions in 2016, slightly down from 23% for the previous reporting period. This may reflect the lack of high profile credit card breaches as in past years, difficulties by plaintiffs’ attorneys proving economic harm following such breaches, and relatively small awards and settlements in previous credit card related litigation.
- Plaintiffs continue to experiment with legal theories. Plaintiffs’ attorneys continue to allege multiple legal theories. Plaintiffs alleged a total of 21 legal theories during this period.
- Negligence has emerged as the clear theory of preference. While negligence was the most popular legal theory in the 2016 (and 2015) Report, it has increased from being included in 75% of cases to being included in nearly 95% of all cases.
- Plaintiffs are focusing on sensitive categories of information. Plaintiffs’ attorneys overwhelmingly focused on breaches in this Period that involved information such as Social Security Numbers, medical treatment information, health insurance information, and security questions and answers, with 89% of cases in 2016 involving a breach of sensitive data.
Click here to read the full report.