CCPA Security FAQs: What legal theory are plaintiffs most likely to assert in a data breach class action in addition to the CCPA?

Given that California (and many others) have adopted GDPR-like measures, this could be an interesting read. On a specific point, negligence underpins just about all legal actions so you should look at how to show that your business has not been negligent by adopting best practise in security and privacy measures…:


For the last five years, BCLP has published the leading analysis of data breach class action litigation.1  As part of that study, BCLP has reviewed every data breach class action complaint against a private company filed in (or removed to) federal court.2  Among other variables, BCLP tracked the legal theories asserted by plaintiffs in data breach litigation.

As our 2019 Data Breach Litigation Report indicates, the most popular legal theory utilized by plaintiffs in data breach class action litigation is negligence.  Indeed, while 47% of data breach class actions complaints asserted negligence as the primary (or only) legal theory, an additional 45% of data breach class action complaints asserted negligence as a secondary, or alternative, legal theory.  As a result, 92% of data breach class action complaints alleged negligence as a legal theory of recovery.3

BCLP anticipates that in 2020, the most popular legal theory will shift from negligence to the CCPA, as plaintiffs attempt to pursue the statutory damages referenced within Section 1798.150 of the Act.  While the CCPA may become the most popular legal theory, based upon historical trends, plaintiffs are likely to continue to allege additional legal theories including negligence.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. See 2019 Data Breach Litigation Report available at

2. See 2019 Data Breach Litigation Report available at Note that the 2019 Data Breach Litigation Report excludes state court litigation as state courts are inconsistent in their publication of filed complaints and, as a result, inclusion of state-filed complaints that were not removed to federal court would inadvertently over-represent or under-represent the quantity of filings in any state depending upon whether a particular state (or a particular court) publishes electronic versions of case filings.

3. See 2019 Data Breach Litigation Report at 14, 17 available at

Read the original article here