The next wave of class action lawsuits will be the result of massive data breaches, according to the eighth annual Carlton Fields Class Action Survey released Tuesday.

The survey is based on interviews with general counsel or senior legal officers at 395 Fortune 1000 companies in the U.S.

In 2017, 28.9 percent of corporate counsel said the next wave of class action suits would come from data privacy and security. That number nearly doubled in 2018 with 54 percent of respondents believing that the next wave of class action suits will come from data privacy and security issues.

The report also said in-house lawyers are more concerned with the California Consumer Privacy Act, or CCPA, which takes effect in 2020, than they are of the European Union’s General Data Protection Regulation, or GDPR.

Kavon Adli, the founder of The Internet Law Group in Beverly Hills, California, said, however, companies should be as, if not more, concerned with the GDPR.

“I think the risk of a class action is more limited in the case of the CCPA,” Adli said.

He explained the data security is a limited area of the CCPA that provides for a right of action. Whereas the GDPR provides for a private right of action for all of its provisions.

“The CCPA is still sort of in flux. There have been some legislative processes and there may still be more before it goes into effect,” Adli said. “At the current time it is far more limited than the GDPR.”

Julianna McCabe, the director of the National Class Action Survey and a shareholder at Carlton Fields, said the state laws like the CCPA and Illinois’ Biometric Information Privacy Act make it easier to file class action suits.

“When the legislators in those states pass laws that allow consumers to bring private rights of action regarding these data issues companies are rightly concerned,” McCabe said. “California in particular is a place where class actions are filed more than in any other state in the nation. California is an issue; Illinois is an issue, and other states are starting to copy those laws that are probably going to get passed in the next three to five years.”

Edward McAndrew, a partner at DLA Piper in Washington, D.C., said the CCPA has a provision that entitles California residents to some level of damages. He also said residents do not need to prove a direct injury because of the data breach, just that the company violated the CCPA.

“Early on we saw a lot of cases being dismissed on standing grounds. With these statutory causes of action it’s going to be much more difficult to get cases dismissed at a preliminary stage,” McAndrew said. “Those cases haven’t been going into a full scale discovery period.”

Because of this, he explained there will be extensive and expensive discovery that companies will be subjected to.

“Those are going to six and seven figure expenses for these companies,” McAndrew explained.

According to the report, companies spent $2.46 billion defending class actions in 2018. That spending is the highest companies have paid in defending class actions suits since 2008. Most companies, according to the report, are facing class action lawsuits only in the United States.