Managing legal risks: trends in data privacy & security class action litigation (fourth quarter 2013)

Managing Legal Risks:
Trends in Data Privacy & Security
Class Action Litigation
Publication Date: February 2014
Authors: Shahin Rothermel & David Zetoony
Scope: Fourth Quarter 2013
Page 2 of 9
Managing Legal Risks:
Trends in Data Privacy & Security Class Action Litigation
(Fourth Quarter 2013)
Executive Summary
This report analyzes data-related class action complaints filed against private entities between October and December 2013 (Q4). The following are key findings concerning complaints over this period:
 A total of 145 data-related class action complaints were filed during Q4.
 Consistent with previous quarters, the majority of complaints (84%) involve data privacy (i.e., collection, use, and sharing) as opposed to data security (i.e., safeguarding) (16%).1
 Telemarketing remained the most common primary legal theory alleged (63%).2
 The United States District Court for the Northern District of Illinois (31%) replaced the Northern District of California (11%) as the most popular federal forum. California (3%) replaced Illinois (2%) as the most popular state forum.
 In terms of industry sectors, health (18%), debt collection (14%), and retail (12%) received the largest number of complaints.
 90% of complaints allege putative national classes, an increase from 68% in the previous quarter.
 Consumers’ contact information was the leading type of data at issue, with mobile phone numbers being the largest category (37%).
 Approximately 82 plaintiffs’ firms were involved in data-related litigation. While a few firms were involved in two or more cases, Edelman, Combs, Latturner, & Goodwin, LLC, filed substantially more cases than other plaintiffs’ firms. With one exception, however, complaints filed by the Edelman firm alleged violations of the TCPA.
Part 1: Primary Legal Theories
The majority of complaints (84%) focused on data privacy related issues – such as the propriety of a company’s collection, intentional sharing, or use of information. Data security – the protection of information from unintentional access or acquisition – was the primary focus in 16% of complaints.
1 See Methodology Section for discussion of the reliability of comparison between quarters.
2 For a discussion of class action litigation involving the TCPA see Gajewski & Zetoony, Managing Legal Risks: Trends in Mobile, Text Message, Fax, and Telephone TCPA Class Action Litigation (Sept. 2013).
Page 3 of 9
This is relatively consistent with the proportion of privacy and security complaints observed throughout 2013.
The largest category of complaints continue to relate to alleged telemarketing violations under the TCPA (63%). The next largest categories involved the Fair Credit Reporting Act (“FCRA”) (9%), and breach of contract (5%).
Part 2: Volume of Litigation
A total of 145 complaints were filed during the period. Although there were more privacy complaints filed in each month of the quarter, the number of complaints involving data security
Page 4 of 9
increased slightly during the second half of Q4, during which time the number of complaints involving data privacy decreased slightly. The following chart shows the quantity of litigation in Q4.
Part 3: Favored Courts
The number of complaints filed in the Northern District of Illinois have remained high (31%), although fewer complaints were filed in Illinois state court (2% of complaints) than in California state courts (3% of complaints). The following chart shows the courts in which complaints were filed.
Page 5 of 9
Part 4: Litigation By Industry
Almost every industry has been targeted by class action plaintiffs, although the number of class action complaints against retail (home goods, retail general, and fashion/clothing), health-related companies (18%), and debt collectors (14%) remained particularly high. The following chart provides a breakdown of complaints by the defendant’s industry.
Part 5: Scope of Alleged Class (National v. State)
As indicated in the following chart, a large majority of complaints (90%) alleged a putative class that is national in scope (even if it also alleged one or more single-state subclasses).
Page 6 of 9
Part 6: Variety of Legal Theories Alleged
Complaints filed during the period alleged 16 legal theories. The following chart provides a breakdown of all of the legal theories alleged. The percentages collectively exceed 100% as many complaints include more than one legal theory.
The theories alleged in class action complaints in Q4 were more concentrated than in prior periods, with TCPA as the most common theory alleged (63%).
Part 7: Data Fields At Issue
Complaints filed during the period involved approximately 11 different types of data. The most common fields at issue were consumer mobile phone numbers (37%), fax numbers (23%), and credit and debit card information (10%). The following chart provides a breakdown of the complaints by the primary data field at issue.
Page 7 of 9
Part 8: Plaintiffs’ Firms
Approximately 82 plaintiffs’ firms were involved in filing the class action complaints during the period; most firms filed less than 4 complaints. Edelman, Combs, Latturner, & Goodwin, LLC filed significantly more data security and privacy class-action complaints (30) in Q4 than most other plaintiffs’ firms.
Part 9: Methodology
Bryan Cave’s previous whitepaper analyzing data privacy and security class action litigation trends followed the practice cited by other researchers who have analyzed trends in data-related class action complaints of using Westlaw’s “Pleadings” database. See, e.g., Sasha Romanosky, et. al., Empirical Analysis of Data Breach Litigation, 11 J. Empirical Legal Stud. 74, at 82 (2014) (concluding that Westlaw Pleadings coverage should not create a significant selection bias). This quarter, however, we expanded the universe of cases to include those identified in either the Westlaw Pleadings database or the Westlaw Dockets database. The latter source significantly expanded the quantity of complaints identified for the quarter. In light of the additional source of complaints, comparisons of the total volume of complaints filed in Q4 with those identified in Q1-Q3 (which involved searches of only Westlaw Pleadings) may not be appropriate. While this report does include relative comparisons between quarters, those comparisons may also be subject to selection biases.
Complaints included within the data analyzed by this report were identified within the Westlaw Pleadings and Dockets library as containing the phrase “class action,” derivations of the phrases “personal information” or “personal data,” and either the term “breach,” “privacy,” or “security.” Searches were also run to identify any class action complaints filed during the period that specifically referenced the Telephone Consumer Protection Act (“TCPA”), the Children’s Online Privacy Protection Act (“COPPA”), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”), the Health Insurance Portability and Accountability Act (“HIPPA”), the Video Privacy Protection Act (“VPPA”), the Fair Credit Reporting Act (“FCRA”), the Electronic Communications Privacy Act (“ECPA”), and point-of-sale (“POS”) statutes, including the Song Beverly Credit Card Act. These cases were then reviewed for relevanceand
Page 8 of 9
complaints alleging suit against government entities were excluded. As stated above, this report covers those complaints filed in the fourth quarter of 2013.
Page 9 of 9
ABOUT THE AUTHORS
Shahin Rothermel is a member of the firm’s
antitrust, competition, and consumer protection
group and routinely assists clients with data security
and data privacy issues.
Bryan Cave LLP
Washington D.C.
[email protected]
202-508-6206
David Zetoony is the leader of the firm’s
consumer protection group. David’s practice
focuses on advertising, data privacy, and data
security.
Bryan Cave LLP
Washington D.C.
[email protected]
202-508-6030
Bryan Cave LLP
Bryan Cave is a leading international law firm with offices in 24 cities and 12 countries. The firm
routinely defends clients in private litigation and regulatory enforcement actions, and provides advice and
counseling concerning legal compliance.
In addition to providing analysis based upon years of experience, Bryan Cave analyzes data in order to
identify legal trends and leading indicators of legal risk.
If you would like to receive future consumer protection informational publications automatically, please
contact [email protected]. Any questions or comments concerning this report, or
requests for permission to quote, or reuse it, should be addressed to the authors above.