
When news broke less than five years ago that Target had suffered a data breach compromising millions of customers' payment card information, several financial institutions looked to Carlson Lynch Sweet Kilpela & Carpenter, and name partner Gary Lynch in Pittsburgh, to help recover damages.

Now, Lynch has been appointed as co-lead counsel in a national multidistrict litigation brought by over 70 financial institutions against Equifax, related to the company's 2017 data breach. He is also involved in data breach cases against Home Depot, Wendy's and Arby's, among others.

With cybersecurity breaches only expected to rise, data privacy litigation is now the busiest part of Lynch's practice. He spoke with The Legal about how the work has evolved for him and his firm since he became involved in the Target case. Answers have been edited for length and clarity.

What does it mean for you and your firm to be appointed to co-lead this case?

Obviously that's a tremendous honor to be selected by the court to lead the claim. It's really a combination of a lot of work we've gotten. We've been carving out a little bit of a niche with regard to representing financial institutions in claims involving these breaches.

This is a little different because it involves the personal identifying information of the customers [rather than payment card information alone], so it involves an increased risk for the financial institutions.

How much of your business is related to these types of actions?

My personal practice, I would say this is probably 75 to 90 percent of what I do—data breach and privacy litigation. Some of the firm helps me pursue these cases … it's at least 20 to 25 percent of the firm's practice.

How did this niche evolve?

The privacy and data breach area has been burgeoning. It's probably the fastest-growing area for plaintiffs class action work that I see. … We've just ridden that wave.

The idea of representing the financial institutions as part of that … is just a little twist that came from my involvement in the Target case.

[Before the Target breach] my personal practice had been traditional consumer protection and wage-and-hour litigation on behalf of plaintiffs, usually in a class context.

When an opportunity like this arises to create a niche, how do you mold your practice to seize on that opportunity?

We got involved in that [Target] case and took the initiative [to seek out those clients], but the rest of it just evolved organically … it grows naturally, just from the circumstances of it.

What are the implications of this particular action for consumer data issues, and for the financial institutions involved?

The interesting thing about the Equifax case is it involves the data of 145 million consumers. … It implicates almost everyone in this country that's of the age or circumstances to pursue credit.

How does this case compare to the others you've worked on in this type of litigation?

The only comparison I would make from this case to the payment card cases is that both of those cases presented the opportunity to use a legal process to drive a change in how businesses operate.

Have you seen any change in business practices?

There has been a move in the industry [following the Target breach] to chip technology. … I think that stepped up the conversion to chip technology. Whether that will fix the problem remains to be seen. … It feels like the data thieves are always a couple steps ahead.

What do you think lies ahead for data breach litigation?

I don't see any end in sight, until the various industries take decisive action. The problem we've had in the payment card breach area is that the ones who control the area aren't always front-line responsible [for a breach] … by aligning those interests, the risks and the people who have control over it, that's the best way to get change.