News reports about massive data breaches are quickly becoming all-too common. While states have adopted data breach notification statutes and an increasing number of privacy statutes, litigation in this space remains largely by common law doctrines. Despite steady increases in litigation over time, quite little is know, systematically, about how such litigation has unfolded.
At the risk of stacking "turtles all the way down," a recent paper, Unto the (Data) Breach, sets out to gather initial data on data breach litigation. Drawing from WestLaw and PACER documents, the paper identifies 225 cases (between 2005 and 2022). While the analyses are exclusively descriptive, this is representative of helpful granular foundational work from which more technically sophisticated analyses can flow in the future. One take-away from the paper is that a comparative absence of a "cohesive data breach common law" likely exerts upward pressure on settlement activity. An excerpted abstract follows.
“Since the early 2000s, U.S. courts have begun hearing “data breach” liability cases, the inevitable result of a growing internet-connected technology infrastructure. The relatively recent development of case law signals a body of law in development, stunted by significant limiting factors that prevent the coalescence of legal principles. … This descriptive empirical study analyzes, in detail, 225 data breach cases from 2005-2022, reviewing these cases over a three-year period to descriptively identify key trends and changes within a case’s life on the docket.
This study identifies the type of plaintiff, settlement amounts, type and disposition of information compromised, claims, common motions, and key strategies most likely to result in a favorable plaintiff outcome. It also explores broad trends in data breach litigation, including acceptance of claims by courts, the status of future harms in 12(b)(1) and 12(b)(6) standing challenges, and the degree to which courts are willing to let cases proceed beyond preliminary motions….”
Comments