An emerging line of case law could pave the way for a whole new generation of cyber negligence cases. In Calhoun v. Google, 526 F. Supp. 3d 605 (N.D. Cal. 2021), the Northern District of California significantly expanded a “growing trend across courts … to recognize the lost property value” of data and affirmatively held that people have a “property interest in their personal information.” Id. at 635. This holding solidifies many arguments that plaintiffs in both data breach and privacy litigation have been advancing for years. Also, it provides a more direct path for future plaintiffs to assert negligence as a cause of action in various types of litigation involving data. While the reach of this holding is broad, the more immediate changes may be seen in data breach litigation, which has historically contended with various procedural hurdles.
As cyber incidents and data breaches became more common, commentators anticipated that litigation stemming from such incidents would explode. Yet, while the number of lawsuits stemming from cyber incidents and data breaches did indeed increase, various procedural hurdles, such as establishing standing to bring suit and proving damages necessary to seek recovery, have slowed or ended these cases before they could fuel the runaway train that had been feared. The Calhoun decision significantly weakens some of these procedural hurdles and opens a more direct path forward for future litigants in these cases to assert negligence as a viable cause of action.
