Unto the (Data) Breach (original) (raw)

2024, University of Richmond Law Review (forthcoming)

Since the early 2000s, U.S. courts have begun hearing "data breach" liability cases, the inevitable result of a growing internet-connected technology infrastructure. The relatively recent development of case law signals a body of law in development, stunted by significant limiting factors that prevent the coalescence of legal principles. To date, no holistic empirical exploration of data breach cases has offered sufficient detail to explore these factors. This descriptive empirical study analyzes, in detail, 225 data breach cases from 2005-2022, reviewing these cases over a three-year period to descriptively identify key trends and changes within a case's life on the docket. This study identifies the type of plaintiff, settlement amounts, type and disposition of information compromised, claims, common motions, and key strategies most likely to result in a favorable plaintiff outcome. It also explores broad trends in data breach litigation, including acceptance of claims by courts, the status of future harms in 12(b)(1) and 12(b)(6) standing challenges, and the degree to which courts are willing to let cases proceed beyond preliminary motions. These results will provide crucial information for litigating parties, their counsel, judges, and policy makers. 1 Charlotte Tschider is an Associate Professor of Law at the Loyola University Chicago School of Law. I would like to thank Matthew Sag, Justin (Gus) Hurwitz, David Thaw, Steven Bellovin, and the Law and Technology Workshop participants for their comments on an earlier version of this article. A special thanks to Jay Edelson and Aaron Charfoos for their perspectives on data breach litigation and for offering their expertise with my classes on this topic. I would especially like to thank Annalisa Kolb for her exceptional research skills generating and validating cases in this study.