It is often said that the law lags technology, and nowhere is this truer than in the case of the internet. Nearly three decades ago, companies began moving their business operations online and started collecting more and more sensitive data of website visitors and online consumers. As companies did so, a robust marketplace for the illegal sale of personal data grew, incentivizing cyber criminals to hack networks accessible via the internet.

The pace and scale of data breaches today is simply breathtaking. In 2020, U.S. companies publicly reported 3,950 data breaches, according to the Verizon Data Breach Investigations Report − a number that likely understates the total number of breaches, as many breaches are not reported. Ransomware, in particular, was a scourge to U.S. companies last year. Ransomware attacks increased by 485% over the prior year and routinely resulted in ransom payments of seven or even eight figures, according to Info Security Magazine. Despite renewed focus by the U.S. government on stopping hackers, and widespread efforts by U.S. companies to harden their security through encryption, multi-factor authentication, and shifting to cloud-based applications, the pace of data breaches has not slowed down in 2021. If anything, the pace has increased.

As more data breaches occur, litigation inevitably follows. Beginning in the late aughts, plaintiffs’ lawyers began filing lawsuits in the wake of reported data breaches. Courts were initially skeptical that these claims alleged a sufficient injury. But the breaches continued, and the lawsuits continued to follow, and over time federal courts have adopted a more sophisticated analysis of standing. It is now routine for a company that reports a data breach to face class-action litigation.

We are in the midst of a legal revolution as consumers seek damages for violation of their online rights. In 2020, there were roughly 1,000 data breach or data privacy lawsuits filed in the U.S, most of them class actions. Included in this count are lawsuits asserting claims under the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Protection Act (BIPA), and state wiretap claims – which provide for statutory damages. We’re also counting data breach class actions that assert common law claims. In the breach context, these common law claims typically seek damages for fraudulent charges, the costs of credit monitoring, and the time lost by consumers cancelling credit cards or monitoring their accounts in the wake of a breach.

At the current pace of new filings, we are likely to see over 1,200 data breach class actions or data privacy claims filed in 2021. Plaintiffs’ lawyers are asserting new and creative damages theories, such as the “benefit of the bargain” theory, which holds that some percentage of the price paid by a consumer for a product is attributable to data security, or claiming that there is an inherent value to personal data that can be quantified by reference to the marketplace, both legal and illegal, for the sale of personal information.

At the same time, online technology providers routinely face claims premised on the undisclosed collection and sharing of personal information. Several companies’ online tracking practices have spurred class-action lawsuits and regulatory enforcement actions. Data breach and data privacy settlements have slowly increased and now routinely hit nine figures.

Given the revolutionary impact of the internet, it is somewhat surprising that there are no legal treatises on the marketplace tracking the growth of these new kinds of digital rights litigations. A new title, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, attempts to fill this gap by focusing on civil litigation addressing new online rights and obligations. In addition to data privacy and data breach litigation, this book addresses other kinds of emerging cyber claims such as website accessibility claims, webscraping claims, disputes under the Payment Card Industry (PCI) data security standards, and cyber-coverage disputes. The common link among these kinds of cyber-litigation is that they all involve the collection, access, sharing, protection, or use of online information. It is a certainty these lawsuits will continue. It is a certainty they will increase.

This guest post was written by Philip N. Yannella, author of Cyber Litigation: Data Breach, Data Privacy & Digital Rights and practice leader of Ballard Spahr’s Privacy & Data Security Group and the firm’s Cybersecurity Incident Response Team. He provides clients with 360-degree advice on the transfer, storage, and use of digital information.