January 5, 2022 - Arbitration, Class Action, Privacy

Privacy Litigation 2021 Year in Review: Data Breach Litigation

Cyber incidents top the list of issues keeping in-house counsel up at night. And as we continue to see the number of incidents climb, we continue to see class actions filed in their wake. So what are the highlights from 2021 and what can we expect in the coming year?

Class Action Filing Trends

We count 36 major data breach class actions filed this past year, treating multiple cases filed against a single defendant as one major class action.[1] This is a significant increase over the 25 major class actions filed last year. Here’s what we are seeing in these cases:

Plaintiff’s counsel continue to jockey for position. Plaintiff’s attorneys continue to try to beat others to the courthouse.  In five of the major data breach cases filed, plaintiffs filed the first-filed case within a week of announcement of the breach.  On average, cases were filed within four weeks of the announcement. Three of the cases were the subject of MDL proceedings; 21 of them were consolidated.

What was stolen. In 26 cases, plaintiffs alleged exfiltration of social security numbers, significantly more than the number of cases we saw last year. Last year, the majority of cases concerned allegedly compromised payment card information. This kind of information allegedly was compromised in about one-third of the cases this year, and about half of the cases concerned alleged exfiltration of sensitive medical data.

Who was impacted. As compared to 15% of the cases last year, plaintiffs in about one-third of the cases this year were employees. The rest of the plaintiffs were customers, patients, or account holders.

Novel liability theories. We saw further evolution of plaintiff’s counsel’s theories in the last year. In a suit filed in response to the Colonial Pipeline ransomware attack, for example, plaintiff alleges that consumers and gas station owners were harmed by increased gas prices as a result of the company’s negligence.[2] And a federal court in Los Angeles followed other courts in rejecting plaintiff’s theory that the value of his personal information decreased due to the breach.[3]

To learn more, read our client alert.