ClaimHour

Blog · June 9, 2026 · 16-minute read

Privacy class action attorney time tracking: BIPA per-scan fee petition arithmetic under Cothron, the CCPA § 1798.150 cybersecurity expert call cycle, and state privacy AG parallel investigation billing

Privacy class action practice has a fee petition problem that no other consumer class action context produces in the same form: the Cothron per-scan statutory damages theory creates potential BIPA exposure so large that even a successful class settlement captures less than one percent of the maximum — triggering the most aggressive Hensley degree-of-success proportionality challenge in any consumer class action — and the biometric scan count expert whose call cycle generates the largest billing gap is simultaneously the expert whose methodology determines the settlement value and the expert whose analytical work the defendant targets in the fee petition.

TL;DR

Total: 53.1 untracked hours = $23,895–$39,825/year. The scan count expert is the pivot of the Cothron settlement value calculation and the Hensley degree-of-success argument — the same calls that drove the settlement are the calls missing from the fee petition record.

The BIPA per-scan fee petition and the Cothron scan count expert call cycle: 21.6 untracked hours = $9,720–$16,200/year

Cothron v. White Castle System, Inc., 2023 IL 128004, held that a separate Illinois Biometric Information Privacy Act violation — and a separate right of action under BIPA § 20, 740 ILCS 14/20 — accrues each time a covered entity scans or transmits an individual's biometric identifier without complying with the Act's notice, written consent, and retention schedule requirements. The practical consequence for BIPA class action practice was immediate and arithmetically extreme: the per-person statutory damages exposure ($1,000 per negligent violation, $5,000 per reckless or intentional violation under BIPA § 20) was multiplied by the total scan count across the class period, not the total number of class members.

The arithmetic: before Cothron, a BIPA class of 5,000 hourly employees at maximum statutory exposure = 5,000 persons × $1,000 per negligent violation = $5 million. After Cothron, the same class of 5,000 employees scanning fingerprints twice daily across 252 working days per year over a three-year class period = 7,560,000 scans × $1,000 = $7.56 billion. A $12 million BIPA class settlement — a substantial result by any pre-Cothron measure — now represents 0.16% of the per-scan maximum. This is the fee petition's structural problem: the Hensley v. Eckerhart, 461 U.S. 424 (1983), degree-of-success analysis requires courts to assess whether the plaintiff "achieved a level of success that makes the hours reasonably expended a satisfactory basis for making a fee award" — and the defendant's fee challenge begins with the observation that the settlement captured one-sixth of one percent of the statutory maximum.

The biometric scan count expert is the solution to this problem and the source of its largest billing gap simultaneously. The expert determines the total scan count for the class period, the database integrity of the employer's timekeeping records, the exclusions for anomalous entries, and the Cothron exposure calculation at each statutory tier. The expert's methodology is also the foundation of the plaintiff's degree-of-success argument: that the settlement represents a reasonable recovery given the annihilating-damages risk the Cothron court itself acknowledged, the defendant's financial capacity, and the expected value of litigating to judgment. Every call in which the expert explained the scan count methodology, modeled the Cothron exposure at different settlement values, or analyzed the defendant's database export is a call that arrived on the expert's computational and analysis timeline — not the attorney's billing calendar.

BIPA scan count expert call types and their timing structure: (a) Initial database extraction and validation call (35–50 min) — the expert calls when the employer's timekeeping and biometric database export has been processed and the preliminary scan count is ready; this call arrives on the expert's data-processing timeline, typically 3–5 weeks after the database production; (b) Class period scope and exclusions methodology call (40–55 min) — after applying the class definition to filter eligible scans, the expert calls to review the exclusion categories (anomalous scan-and-clear entries, test scans, maintenance scans, scans outside the class period) and confirm the net scan count; this call arrives when the expert's filtering analysis is complete; (c) Cothron per-scan exposure modeling call (35–50 min) — the expert models the aggregate statutory exposure at each BIPA tier ($1,000 negligent, $5,000 intentional/reckless) and at various settlement discount rates for mediator preparation; this call arrives when the exposure model is ready, typically within 2 weeks of the class period scope call; (d) Mediator pre-session BIPA exposure preparation call (30–45 min) — the mediator schedules a pre-submission call to confirm the parties' respective exposure analyses before the joint mediation session; this call arrives on the mediator's case docket schedule; (e) Settlement authority escalation and class representative confirmation call (25–40 min) — each class representative confirms settlement authority on their own availability, typically in the days following a mediator recommendation; for employed class representatives, these calls arrive during the class representative's breaks or before/after work on the corporate calendar; (f) Post-settlement scan count verification call (20–35 min) — after the settlement is reached, the expert confirms the scan count and exposure calculation to be disclosed in the settlement agreement and fee petition; this call arrives when the expert's final report is ready.

Arithmetic: 4 active BIPA class matters in the class certification and settlement phase × 14 calls (6 expert analytical calls, 4 class representative confirmation calls, 3 mediator coordination calls, 1 post-settlement verification call) × 42 min average × 55% untracked = 21.6 hours = $9,720–$16,200/year at $450–$750/hr.

The fee petition consequence: the In re Bluetooth Headset Products Liability Litigation, 654 F.3d 935 (9th Cir. 2011), common-fund lodestar cross-check requires courts to compare the percentage-of-fund fee request against the documented lodestar. When the scan count expert's 14 calls per class action are reconstructed into 3–4 block-billed "BIPA expert consultation" entries, the documented lodestar for the most expert-intensive phase of the case is materially understated — inflating the implied multiplier on the percentage fee request into the range that triggers cross-check reduction. The defendant's billing expert does not need to challenge individual call entries; the temporal clustering and duration aggregation of the reconstructed entries are sufficient to support the block-billing consistent-methodology inference under Welch v. Metropolitan Life Insurance Co., 480 F.3d 942 (9th Cir. 2007), applied to the entire billing record.

The CCPA § 1798.150 cybersecurity expert call cycle and CAFA AG notice advisory: 17.4 untracked hours = $7,830–$13,050/year

Cal. Civ. Code § 1798.150(a)(1) creates a private right of action for California residents whose personal information is subject to "unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." The "reasonable security" standard is the technical battleground: unlike BIPA, where liability turns on whether the biometric collection procedure violated a statutory notice and consent protocol, § 1798.150 liability turns on whether the defendant's security posture — assessed against a recognized security framework — fell below an objective standard of care. This requires a cybersecurity expert whose forensic analysis generates a call cycle entirely driven by the expert's log analysis and technical investigation timeline.

The cybersecurity expert's breach analysis generates calls that arrive when each analytical phase is complete — when the forensic log analysis identifies the attack vector, when the control mapping against the applicable framework is finished, when the data classification analysis determines what categories of personal information were compromised. None of these phases arrives on a schedule the attorney can predict; all arrive on the expert's internal investigation workflow.

CCPA § 1798.150 cybersecurity expert call types and timing structure: (a) Preliminary attack vector and breach scope call (40–55 min) — the expert calls when the forensic log analysis has identified the exploited vulnerability and the access timeline; this call arrives on the expert's log-processing timeline, typically 4–8 weeks after the engagement begins; (b) Reasonable security assessment methodology call (35–50 min) — the expert calls when the comparison of the defendant's security controls against the applicable framework (CIS Controls, NIST SP 800-53, NIST Cybersecurity Framework, or sector-specific standard) is complete; this call arrives when the framework mapping is finished; (c) Data classification and Cal. Civ. Code § 1798.82 notification scope call (30–45 min) — the expert calls when the analysis of the compromised data categories (names and SSNs, payment card data, health records, account credentials) is complete and the notification obligation scope under California's data breach notification law is determined; this call arrives on the expert's data categorization timeline; (d) NIST or CIS Controls framework update advisory call (20–35 min) — when the National Institute of Standards and Technology issues a new revision of NIST SP 800-53 or when the Center for Internet Security updates the CIS Controls, the expert calls to discuss whether the updated framework affects the reasonable security assessment; these calls arrive on the government publication schedule; (e) CAFA § 1715(b) AG notice response advisory call (25–40 min) — 28 U.S.C. § 1715(b) requires class counsel to notify each state AG of a proposed settlement within 10 days of the settlement filing; the 90-day CAFA waiting period before settlement approval generates state AG response calls on each state's enforcement calendar; California, Colorado, Connecticut, Texas, and Virginia all have active data privacy enforcement programs, and AG staff attorneys call or email class counsel with questions about the settlement's scope, claims administration timeline, and relief for state residents during the 90-day window.

Arithmetic: 5 § 1798.150 class matters in the liability assessment and settlement phase × 10 calls (3 cybersecurity expert analytical calls, 2 data classification and notification scope calls, 2 framework update advisories, 3 CAFA AG notice response calls) × 38 min average × 55% untracked = 17.4 hours = $7,830–$13,050/year at $450–$750/hr.

Cal. Civ. Code § 1798.150(a)(2) provides that "the court shall award a reasonable attorney's fee and costs to a prevailing plaintiff" — mandatory fee shifting for successful § 1798.150 plaintiffs. The fee petition must document the cybersecurity expert's analytical work with sufficient entry-level specificity to show that the hours spent on the reasonable security assessment were reasonably necessary to the § 1798.150 claim. Block-billed "cybersecurity expert consultation — 9 hours" entries that reconstruct multiple expert calls from a 6-week forensic analysis period are the fee petition's weakest evidence: they collapse the expert's distinct analytical phases (attack vector, control mapping, data classification) into a single undifferentiated time block, preventing the court from assessing whether each phase represented a reasonable investment of attorney time. The CAFA AG notice response advisory calls compound the problem because they arrive in a 45-day burst during the 90-day waiting period — a period when the billing record typically shows no case activity, creating a temporal gap that the defendant's billing expert will use to argue the advisory calls were either not performed or not logged.

The multistate privacy AG parallel investigation advisory gap: 14.1 untracked hours = $6,345–$10,575/year

When a data breach that is the subject of a CCPA § 1798.150 class action also triggers enforcement interest from multiple state AGs — a pattern that has become routine for major breaches since California's CPRA enforcement commenced in 2023, Colorado CPA enforcement in July 2023, Connecticut CTDPA enforcement in July 2023, Texas TDPSA enforcement in July 2024, and Virginia VCDPA enforcement in January 2023 — plaintiff class counsel operates at the intersection of two separate enforcement proceedings with independent timelines. The AG investigations and the private class action are parallel tracks, not a single proceeding, and the advisory calls they generate for plaintiff class counsel arrive on the enforcement agency's investigation calendar, not the attorney's billing schedule.

NAAG multistate coordination: the National Association of Attorneys General maintains a multistate enforcement coordination infrastructure through which state AGs can designate a lead state and coordinate investigation strategy, civil investigative demand timing, and settlement terms across multiple jurisdictions. When California, Colorado, Connecticut, and Virginia coordinate a NAAG multistate investigation into the same data breach that is the subject of the CCPA class action, the coordinating AG's staff attorney becomes the point of contact for all four states — and calls from the coordinating AG's office arrive on the NAAG coordination meeting schedule, which is entirely outside the attorney's billing calendar.

Multistate AG parallel investigation call types and timing structure: (a) AG civil investigative demand receipt and scope advisory call (35–50 min) — when the AG (or lead NAAG coordinating AG) issues a civil investigative demand or investigative subpoena to the class defendant, the defendant's counsel calls the class attorney to assess whether the CID scope overlaps with the pending class action's discovery; this call arrives when the CID is served, on the AG's investigation timeline; (b) AG consent decree settlement coordination call (30–45 min) — when the AG reaches or proposes a consent decree with the defendant, the lead AG's staff attorney calls class counsel to discuss whether the class settlement terms are consistent with the AG's injunctive relief; arriving on the AG's negotiation timeline; (c) CPRA California Privacy Protection Agency enforcement coordination call (25–40 min) — the CPRA created the California Privacy Protection Agency with independent enforcement authority separate from the California AG; CPPA enforcement staff call class counsel regarding § 1798.150 settlement terms that may affect CPPA's separate enforcement action; these calls arrive on the CPPA's independent enforcement calendar; (d) NAAG lead-state coordination call (25–35 min) — when three or more states are coordinating, the lead state's staff attorney calls class counsel for a status conference on the NAAG coordination meeting schedule; (e) State notification law compliance advisory call (20–30 min) — class representatives who are California residents receive calls to confirm compliance with Cal. Civ. Code § 1798.82 notification timing requirements; these calls arrive when the class representative has reviewed the settlement notice and has questions about state law compliance.

Arithmetic: 6 parallel investigation matters × 8 AG advisory calls × 32 min average × 55% untracked = 14.1 hours = $6,345–$10,575/year at $450–$750/hr.

The fee petition consequence: the AG parallel investigation advisory calls are includible in the § 1798.150 fee petition lodestar as time reasonably expended in connection with the class action — coordinating with the AG's settlement terms, assessing whether the AG's consent decree affects the class relief, and advising on the CAFA § 1715(b) notice implications of the AG's concurrent enforcement. But these calls arrive in concentrated bursts — when the AG issues its CID, when the AG proposes its consent decree, when the NAAG coordination meeting produces a multistate enforcement agreement — creating the temporal clustering pattern that the Welch consistent-methodology inference targets. A record that shows a three-week burst of AG advisory entries in April 2025 followed by silence until the AG consent decree announcement in September 2025 exhibits the temporal gap pattern that defendants use to argue the advisory work was not performed during the gap period. Fees-on-fees under Missouri v. Jenkins, 491 U.S. 274 (1989), for the fee petition preparation entries are the first target of the consistent-methodology inference applied to the AG advisory gap: if the merits billing record exhibits the temporal clustering pattern, the fee petition preparation entries — which the defendant's billing expert reviews to see whether the reconstruction pattern persists into the fee petition phase itself — receive the same percentage reduction as the merits entries.

Three diagnostics for privacy class action billing gap identification

Diagnostic 1 — Scan count expert call stack audit. For the most recent BIPA class action in the class certification or settlement phase, pull the billing entries for the period between expert retention and the settlement agreement date. Count the number of entries referencing biometric expert, scan count, BIPA database, or Cothron. Then count the number of substantive phone calls or video conferences you had with the expert during the same period. If the entry count is less than 60% of the conversation count, the scan count expert call cycle is running below 40% capture — and the Bluetooth cross-check multiplier on any fee petition filed against this record will be inflated by the undocumented expert hours.

Diagnostic 2 — CCPA cybersecurity expert phase capture rate. For the most recently completed § 1798.150 class matter, identify the date range from expert engagement through the CAFA § 1715(b) 90-day waiting period end date. Count the number of billing entries with a duration less than 60 minutes referencing cybersecurity expert, breach forensics, reasonable security, CIS Controls, NIST, or AG notice. Then count the number of substantive conversations you recall having with the cybersecurity expert and state AG staff attorneys during the same period. A ratio below 1.3 entries per conversation indicates below-50% capture across the cybersecurity assessment and CAFA notice advisory period — the two phases that the fee petition must document most specifically to support the § 1798.150 "reasonable security" argument.

Diagnostic 3 — AG parallel investigation advisory log. For any matter currently subject to a state AG investigation parallel to the private class action, identify the number of state AGs with active enforcement interest (count each AG as a separate enforcement track). For each enforcement track, count the number of billing entries referencing AG investigation, NAAG coordination, consent decree, or AG advisory in the past 90 days. Then count the number of actual AG contact events (CIDs received, AG staff attorney calls, CPPA enforcement correspondence, NAAG coordination meeting outcomes). If the billing entry count is less than 50% of the AG contact event count, the parallel investigation advisory gap is above the systematic reconstruction rate — and every uncaptured AG advisory call in the current matter is a Welch pattern-setter for the fee petition when this case eventually settles.

How ClaimHour fits privacy class action practice

If your BIPA practice generates biometric scan count expert calls when the database extraction is complete at 9:45 a.m. on a Tuesday, CCPA cybersecurity expert calls when the attack vector forensic report is ready at 4:15 p.m. on a Thursday, and California Privacy Protection Agency enforcement staff calls on a Friday afternoon when the coordinating AG's office has reviewed the CAFA notice — and none of those calls appear in your billing system because they all arrived on someone else's schedule — ClaimHour was built for that gap. The passive capture logs every call (iOS call metadata: duration, timestamp, direction, not content), every email advisory session, and every document review session. The 2-minute evening digest surfaces each unmatched call for matter attribution. No audio, no call content, no email bodies stored. Privilege is preserved under ABA Formal Opinion 512. At $450–$750/hr, 53 additional tracked hours per year = $23,850–$39,750 of previously unlogged time before the fee petition — and the contemporaneous per-call records that eliminate the Welch temporal clustering pattern that produces the Bluetooth cross-check inflation and the degree-of-success proportionality challenge in Cothron BIPA settlements.

Get early access

Related questions

How does BIPA's mandatory fee-shifting standard under § 20 differ from the Hensley lodestar in practice?

BIPA § 20 mandatory fee shifting means the prevailing plaintiff is entitled to fees as a matter of right — unlike the discretionary ERISA § 502(g)(1) standard. But mandatory entitlement does not exempt the fee petition from Hensley's contemporaneous-records requirement. Because the defendant cannot argue the fee is unwarranted, the challenge pivots entirely to whether the documented hours are reconstructed or contemporaneous — and the hours most likely missing (scan count expert calls, mediator preparation calls, class representative confirmation calls) are the hours in the most technically complex and highest-value phases of the BIPA case.

How does the Cothron per-scan ruling change BIPA fee petition arithmetic?

Before Cothron, per-person exposure meant a settlement of $12 million could represent 200% of the $6 million theoretical maximum for a 6,000-member class — clearly successful. After Cothron, the same $12 million settlement against a $7.56 billion per-scan maximum for the same class represents 0.16% recovery — and the defendant argues Hensley degree-of-success proportionality. Plaintiff counsel must explain why the settlement represents genuine success given the annihilating-damages risk, the defendant's financial capacity, and the expected-value calculation. The scan count expert's methodology is the foundation of that argument — which is exactly the expert whose call cycle is most likely missing from a reconstructed billing record.

How does CCPA § 1798.150 fee shifting differ from BIPA's fee provision in practice?

BIPA fee petitions pivot on the scan count — how many biometric collections violated § 15(a)–(e). CCPA § 1798.150 fee petitions pivot on the reasonable security assessment — whether the defendant's security posture fell below the standard measured by CIS Controls, NIST SP 800-53, or applicable sector standards. The cybersecurity expert's forensic analysis (attack vector, control mapping, data classification) generates the call cycle that arrives on the expert's investigation timeline. The CAFA § 1715(b) 90-day AG notice window adds a second advisory call cycle — five active state AG enforcement programs — with no BIPA parallel.

Do state privacy AG parallel investigations affect the plaintiff class action fee petition?

Yes, in three ways: (1) AG consent decree injunctive relief affects the Hensley degree-of-success analysis — courts assess whether the class settlement's relief was supplemented or duplicated by the AG remedy; (2) AG advisory calls (consent decree coordination, CID scope analysis, NAAG meeting outcomes) are includible in the class action fee petition lodestar as time reasonably expended on the claims; (3) NAAG multistate coordination calls arrive in concentrated bursts when the lead state's enforcement meetings produce results, generating the temporal clustering pattern the Welch inference targets.

How does the Bluetooth common-fund lodestar cross-check apply to BIPA settlements?

In re Bluetooth requires the implied multiplier on a common-fund fee request to be reasonable. When the scan count expert's 14 calls per class action are reconstructed into 3–4 block-billed entries, the documented lodestar understates the expert phase, inflating the implied multiplier. A $10 million BIPA settlement with a $1.5 million fee request implies a 3.75x multiplier on a reconstructed $400,000 lodestar — but a 2.1x multiplier on the actual $710,000 contemporaneous lodestar accounting for the missing 21.6 expert-call hours. The 3.75x implied multiplier triggers cross-check scrutiny that 2.1x would not.

What does contemporaneous BIPA billing look like in a successful fee petition?

Four structural characteristics distinguish contemporaneous from reconstructed BIPA records: (1) each scan count expert call as a separate 25–55 minute entry identifying the specific analytical topic; (2) each class representative status call as a separate 15–30 minute entry identifying the class representative's role and the question raised; (3) each mediator preparation call dated within the week before the session with the preparation topic specified; (4) each CAFA AG notice response advisory within the 90-day window identifying the state and the specific inquiry. This per-call entry structure exhibits the duration variance and temporal distribution of contemporaneous capture, eliminating the block-billing pattern the defendant's billing expert is retained to identify.

Further reading