Julianna McCabe, Carlton Fields Julianna McCabe, Carlton Fields

The next wave of class action lawsuits will be the result of massive data breaches, according to the eighth annual Carlton Fields Class Action Survey.

The survey released Tuesday is based on interviews with general counsel or senior legal officers at 395 Fortune 1000 companies in the U.S.

In 2017, 29 percent of corporate counsel expected to see more class actions coming from data privacy and security. That number nearly doubled in 2018 to 54 percent.

The report also said in-house lawyers are more concerned with the California Consumer Privacy Act, or CCPA, which takes effect in 2020, than the E.U.’s General Data Protection Regulation, or GDPR.

But Kavon Adli, the founder of The Internet Law Group in Beverly Hills, California, said companies should be as, if not more, concerned with the GDPR.

“I think the risk of a class action is more limited in the case of the CCPA,” Adli said.

He explained data security is a limited area of the CCPA that provides for a right of action, but the GDPR provides for a private right of action for all of its provisions.

“The CCPA is still sort of in flux. There have been some legislative processes, and there may still be more before it goes into effect,” Adli said. “At the current time it is far more limited than the GDPR.”

Julianna McCabe, director of the survey and a Miami shareholder at Carlton Fields, said state laws like the CCPA and Illinois’ Biometric Information Privacy Act make it easier to file class action suits.

“When the legislators in those states pass laws that allow consumers to bring private rights of action regarding these data issues companies are rightly concerned,” McCabe said. “California in particular is a place where class actions are filed more than in any other state in the nation. California is an issue; Illinois is an issue, and other states are starting to copy those laws that are probably going to get passed in the next three to five years.”

Edward McAndrew, a partner at DLA Piper in Washington, said a CCPA provision entitles California residents to some level of damages. He also said residents do not need to prove a direct injury because of the data breach, just that the company violated the CCPA.

“Early on, we saw a lot of cases being dismissed on standing grounds. With these statutory causes of action, it’s going to be much more difficult to get cases dismissed at a preliminary stage,” McAndrew said. “Those cases haven’t been going into a full-scale discovery period.”

Because of this, he expects companies to be subject to extensive and expensive discovery demands.

“Those are going to six and seven figure expenses for these companies,” McAndrew explained.

The report said companies spent $2.46 billion defending class actions in 2018, the highest dollar figure since 2008. Most companies said they are facing class actions only in the United States.