In this episode of Law, disrupted, John is joined by Norman (Norm) E. Siegel, partner at Stueve Siegel Hanson LLP in Kansas City, Missouri. He is the lead plaintiffs’ counsel in the $450 million settlement of a data breach class action against T-Mobile. Norm has been involved in many high-profile data breach cases, and served as lead counsel in the three largest data breach settlements reached to date: cases against T-Mobile, Equifax, and Capital One. Together, these settlements totaled over $2 billion in cash and other relief. Norm was recently named by Law360 as a “Titan of the Plaintiff’s Bar” for his work in class action litigation.The conversation begins by discussing how data breach litigation has evolved in the past 10 years. John asks about the type of claims that are typically asserted in these nationwide class actions. Norm explains that plaintiffs typically assert common law tort claims in these cases, especially negligence, breach of confidence and invasion of privacy. He adds that when the plaintiffs have an express contract with the defendant, such as when they have accounts with the defendant, they will often assert claims for breach of an express or implied contract that the defendant would keep the plaintiff’s information confidential. John and Norm turn their focus to recent California legislation establishing statutory damages for data breaches in general, as well as for breaches involving medical information. Because both acts are relatively new, the case law interpreting them is still developing. John and Norm discuss the role that expert testimony, California Attorney General’s Guidelines, and FTC recommendations play in determining what data security measures the defendant should have implemented in these cases.  They also discuss how to navigate the complexities of having both a nationwide class and a subclass of California plaintiffs who have recourse under these statutes in the same case.The conversation then moves to legislation in other states, as well as the prospects for federal legislation establishing uniform national standards regarding data security similar to the standards in Europe under the GDPR. John and Norm discuss recent attempts at such legislation and the obstacles that have prevented it from passing this far.They then discuss standing issues in data breach cases, and the key decisions, including Spokeo and TransUnion, that have recently clarified how standing may be established. They also discuss the issue of whether a defendant owes a duty to protect confidential information if it has no contract with a plaintiff and how that issue impacted the Equifax and Capital One cases.  John moves the conversation to the issues that discovery tends to focus on in data breach cases. Norm explains that defendants’ discovery has evolved from focusing on the measures they took to guard data to deposing plaintiffs about what damage they did or did not suffer because of a data breach. Norm adds that the plaintiffs’ discovery focuses primarily on their damages, but also on the defendant’s history of previous security breaches.This leads to a discussion of damages theories and how they have evolved in the past five years. John and Norm discuss alternatives to just compensating for out-of-pocket losses, including damages for the lost benefit of the bargain in contract cases, unjust enrichment, the time and effort spent to repair the breach, and nominal damages. They also explore the benefits to the plaintiff class of requiring the defendant to take specific measures to prevent future security breaches and to help plaintiffs to protect themselves when breaches occur.Finally, John and Norm discuss the settlement process, including how to allocate settlement amounts among the plaintiffs and the process to get a successful settlement for both sides. Norm believes that settlements result from always putting out high-qualit