Data Breach Class Action Review – 2025

ISBN Number: 978-1-964020-09-9 © Duane Morris LLP 2025. All rights reserved. No part of this book may be reproduced in any form without written permission of Duane Morris LLP.

DISCLAIMER The material in this Review is of the nature of general commentary only. It is not meant as or offered as legal advice on any particular issue and should not be considered as such. The views expressed are solely those of the authors. In addition, the authors disclaim any and all liability to any person in respect of anything and of the consequences of anything done wholly or partly in reliance on the contents of this Review. This disclaimer is from the Declaration of Principles jointly adopted by the Committee of the American Bar Association and a Committee of Publishers and Associations.

© Duane Morris LLP 2025

Duane Morris Data Breach Class Action Review – 2025

CITATION FORMATS

All citations in the Duane Morris Data Breach Class Action Review are designed to facilitate research. If available, the preferred citation of the opinion included in the West bound volumes is used, such as Zivkovic, et al. v. Laura Christy LLC, 94 F.4th 269 (2d Cir. 2024). If the decision is not available in the preferred format, a Lexis or Westlaw cite from the electronic database is provided, such as Deyerler, et al. v. HireVue, Inc., 2024 U.S. Dist. LEXIS 110271 (N.D. Ill. June 18, 2024) or Fayad, et al. v. City Of Philadelphia, 2024 WL 1163543 (E.D. Penn. Mar. 18, 2024). If a ruling is not available in one of these sources, the full case name and docket information is included, such as Combs, et al. v. Insomnia Cookies LLC, Case No. 24-CV-2321 (N.D. Cal. Nov. 19, 2024).

E-BOOK HIGHLIGHTS

The Duane Morris Data Breach Class Action Review is available for use on a smartphone, laptop, tablet, or any personal electronic reader by using any e-book reader application. E-book reading allows users to quickly scroll, highlight important information, link directly to different sections of the Review, and bookmark pages for quick access at a later time. The e-book is designed for easy navigation and quick access to informative data. The e-book is available by scanning the below QR code:

NOTE FROM THE EDITOR

In recent years, the financial implications of class action settlements related to data breaches have been escalating. This trend was particularly noticeable in 2024, with several high-profile cases resulting in substantial settlement amounts. The sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Furthermore, the nature of the data being compromised is becoming more sensitive – including financial and health information – which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements. Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serve to drive up costs. In sum, data breach class action litigation continues to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. In this respect, we hope this book will provide our clients with an analysis of trends and significant rulings that enable them to make informed decisions in dealing with complex litigation risks. Defense of data breach class actions is a hallmark of the litigation practice at Duane Morris.
We hope this book – manifesting the collective experience and expertise of our class action defense group – will assist our clients by identifying developing trends in the case law and offering practical approaches in dealing with class action litigation.

Sincerely,

CONTRIBUTORS

GLOSSARY AND KEY U.S. SUPREME COURT DECISIONS

Adequacy Of Representation – Plaintiffs must show adequacy of representation per Rule 23(a)(4) to secure class certification. It requires representative plaintiffs and their counsel to be capable of fairly and adequately protecting the interests of the class.

Amchem Products, Inc. v. Windsor, et al., 521 U.S. 591 (1997) – Windsor is the U.S. Supreme Court decision that elucidated the requirements in Rule 23(b), insofar as common questions must predominate over any questions affecting only individual class members and class resolution must be superior to other methods for the adjudication of the claims.

Ascertainability – Although not an explicit requirement of Rule 23, some courts hold that the members of a proposed class must be ascertainable by objective criteria.

Comcast Corp. v. Behrend, et al., 569 U.S. 27 (2013) – Comcast is the U.S. Supreme Court decision that interpreted Rule 23(b)(3) to require that, for questions of law or fact common to the class, the plaintiffs’ damages model must show damages are capable of resolution on a class-wide basis.

Commonality – Plaintiffs must show commonality per Rule 23(a)(2) to secure class certification. This requires that common questions of law and fact exist as to the proposed class members.

Class – A group of individuals that has suffered a similar loss or alleged illegal experience on whose behalf one or more representatives seek to bring suit.

Class Action – The civil action brought by one or more plaintiffs in which they seek to sue on behalf of themselves and others not named in the suit but alleged to have suffered the same or similar harm.

Class Certification – The judicial process in which a court reviews the submissions of the parties to determine whether the plaintiffs have met their burden of showing that class treatment is the most appropriate form of adjudication.

Collective Action – A type of representative proceeding governed by 29 U.S.C. § 216(b) where one or more plaintiffs seeks to bring suit on behalf of others who must affirmatively opt-in to join the litigation. It is applicable to claims under the Fair Labor Standards Act, the Age Discrimination in Employment Act, or the Equal Pay Act.

Cy Pres Fund – In class action settlement agreements, this is the money set aside for distribution to a § 501(c) organization when class members do not return a settlement claim form and money is left over after distribution to the class.

Decertification – Following an order granting conditional certification of a collective action or certification of a class action, a defendant can move for decertification based on the grounds that the members of the collective action are not actually similarly-situated or that the requirements of Rule 23 are no longer satisfied for the class action.

Epic Systems Inc. v. Lewis, et al., 138 S. Ct. 1612 (2018) – Epic Systems is the U.S. Supreme Court decision holding that arbitration agreements requiring individual arbitration and waiving a litigant’s right to bring or participate in class actions are enforceable under the Federal Arbitration Act.

Opt-In Procedures – Under 29 U.S.C. § 216(b), a collective action member must opt-in to join the lawsuit before he or she may assert claims in the lawsuit or be bound by a judgment or settlement.

Opt-Out Procedures – If a court certifies a class under Rule 23(b)(3), class members are bound by the court’s judgment unless they opt-out after receiving notice of the lawsuit.

Numerosity – Plaintiffs must show that their proposed class is sufficiently numerous that adding each class member to the complaint would be impractical. This is a requirement for class certification imposed by Rule 23(a)(1).

Ortiz, et al. v. Fibreboard Corp., 527 U.S. 815 (1999) – Ortiz is the U.S. Supreme Court ruling that interpreted Rule 23(b)(3) to require personal notice and an opportunity to opt-out of a class action where money damages are sought in a class action.

Predominance – The Rule 23(b)(3) requirement that, to obtain class certification, the plaintiffs must show that common questions predominate over any questions affecting individual members.

Rule 23 – This rule from the Federal Rules of Civil Procedure governs class actions in federal courts and requires that a party seeking class certification meet four requirements of section (a) and one of three requirements under section (b) of the rule.

Rule 23(a) – It prescribes that a class meet four requirements for purposes of class certification, including numerosity, commonality, typicality, and adequacy of representation.

Rule 23(b) – To secure class certification, a class must meet one of three requirements of Rule 23(b)(1), Rule 23(b)(2), or Rule 23(b)(3).

Rule 23(b)(1) – A class action may be maintained if Rule 23(a) is satisfied and if prosecuting separate actions would create a risk of inconsistent or varying adjudications with respect to individual class members or adjudications with respect to individual class members that, as a practical matter, would be dispositive of the interests of the other members not parties to the individual adjudications or would substantially impair or impede their ability to protect their interests.

Rule 23(b)(2) – A class action may be maintained if Rule 23(a) is satisfied and the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole.

Rule 23(b)(3) – A class action may be maintained if Rule 23(a) is satisfied and questions of law or fact common to class members predominate over any questions affecting only individual members and a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.

Similarly-Situated – Under 29 U.S.C. § 216, employees may bring suit on behalf of themselves and others who are similarly-situated. The standard is not clearly defined in the statute and many courts have found that, if plaintiffs make a preliminary showing that they are similarly-situated to those they seek to represent, conditional certification is appropriate. A finding in this regard is usually not based on the merits of the claims.

Superiority – The Rule 23(b)(3) requirement that a class action can be permitted only if class resolution is the superior method of adjudicating the claims.

Typicality – The plaintiffs’ claims and defenses must be typical of those of proposed class members’ claims. This is required by Rule 23(a)(3).

Wal-Mart Stores, Inc. v. Dukes, et al., 564 U.S. 338 (2011) – Wal-Mart is the U.S. Supreme Court ruling that tightened the commonality requirement of Rule 23(a)(2) and held that judges must conduct a “rigorous analysis” to determine whether there is a “common” contention central to the validity of the claims that is “capable of class-wide resolution.”

TABLE OF CONTENTS

Page

I. Executive Summary .......................................... 1
    1. The MOVEit Data Breach Class Action ................... 3
    2. The U.S. Supreme Court's TransUnion Decision .......... 3
II. Key Rulings In Data Breach Class Actions In 2024 ......... 4
    1. Discovery And Procedural Decisions .................... 4
    2. Dispositive Motion Decisions .......................... 5
    3. Data Breach Class Certification Rulings .............. 12
III. Top Data Breach Class Action Settlements In 2024 ....... 14
Index Of 2024 Data Breach Class Action Rulings ............... 16

Data Breach Class Actions

I. Executive Summary

Class action litigation in the data breach space has continued to become more prevalent, with lawsuits being filed at a rapid clip after every major and not-so-major report of a breach. High-profile data breach class actions continue to create headlines on a regular basis. In recent years, myriad companies have experienced significant breach events affecting hundreds of millions of their records. Most recently, in In Re Marriott International Inc. Customer Data Security Breach Litigation, 341 F.R.D. 128 (D. Md. May 3, 2022), a federal judge in Maryland granted class certification in a data breach case, involving over 133 million American consumers, against hotel chain Marriott and its data security vendor Accenture. This was, to date, the largest data breach case in the country. Despite the large number of data breach actions filed, however, plaintiffs are securing class certification at lower rates than in other areas of law. In 2024, courts granted class certification in 40% of data breach cases. This constituted a big improvement from 2023, when only 14% of class certification motions were granted.

Data breach class actions have emerged as one of the fastest growing areas in the complex litigation space. After every major (and even not-so-major) report of a breach, companies can expect negative publicity followed by one or more class action lawsuits. In recent years, blue-chip companies such as Microsoft, Wattpad, Meta/Facebook, Estee Lauder, Whisper and Advanced Info Service endured data breach class action litigation following significant data breach events affecting hundreds of millions of employee and consumer records. In 2024, there was a notable increase in data breach class actions. Data breach class actions filed within the first half of 2024 totaled 773, a monthly average of nearly 129. This surge in data breach class actions can be traced to several contributing factors. One of the primary catalysts for this increase is the MOVEit data breach that took place this past year, involving file transfer software, and the National Public Data breach that occurred in early 2024, involving a data broker specializing in background checks. Furthermore, there has been a marked increase in the sophistication of cybercriminal activities, leading to more frequent and severe data breaches. Based on our analysis of the 2024 data breach class action landscape, there is a significant uptick in ransomware attacks, where criminals demand a payment in exchange for not publishing data that they were able to obtain. But even if a company chooses to pay a ransom, there is no guarantee that the attackers will delete the data, and many believe that these payments only encourage the attacks to continue. As a result, we expect to see more large-scale data breaches impacting companies across all industries, as the shift to remote working, cloud-based storage, and the rise in sophisticated cybercriminals threaten data security. This in turn will lead to more data breach class action lawsuit filings.

While data breach actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages. A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims. While it is well-settled that individuals who have experienced direct economic injury from a breach (such as incurring fraudulent charges) have legal standing, as do those who can plausibly allege that their data was improperly accessed, the standing of class members who do not have a firm indication that their data was accessed or misused by an unauthorized party is highly contested. Plaintiffs’ attorneys typically allege several “harms” to try to establish a cognizable injury for this subset of claims. Such “injuries” may include the lost economic value of their personal information, overpayment for the defendant’s services, lost “benefit of the bargain,” increased spam communications, emotional distress, attenuated claims of misuse of their bank accounts, and an increased risk of future identity theft. Additionally, individual data breach plaintiffs now utilize a wide array of state law causes of action to circumvent any limitations of federal law. It is not uncommon to see negligence claims survive motions to dismiss, as ever-evolving industry guidelines for data security may serve as the standard of care. In addition, plaintiffs often can plausibly allege that a company has a duty to take “reasonable precautions” to forestall the theft of sensitive personal information within its possession. In recent years, the financial implications of class action settlements related to data breaches also have been escalating. This trend was particularly noticeable in 2024, with several high-profile cases resulting in substantial settlement amounts. These increasing costs can be attributed to a few key factors. First, the sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Second, the nature of the data being compromised is becoming more sensitive – including financial and health information – which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements. Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serve to drive up costs. In sum, data breach class action litigation continues to grow into a high-stakes arena. Companies of various sizes and industries are wise to invest heavily in cybersecurity. This includes not only developing a robust
cybersecurity program to safeguard the organization, but also a well-designed incident detection and response program, including a rapid response protocol and playbook that will help the organization identify, investigate, and respond promptly to a suspected cybersecurity incident. Multiple industry reports, as well as anecdotal evidence, have shown that organizations with an incident response protocol (that has been tested through tabletop exercises) not only mitigate the cost of a data breach, but also have better defenses in any litigation or regulatory proceeding. With that being said, the playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The focus of this chapter is to survey the recent developments and settlements of the law in the area of data breach class action litigation. Class certification was granted 40% of the time, with 2 of 5 total motions being granted by the courts, hence the “mixed results.”

1. The MOVEit Data Breach Class Action

Beginning in 2023 and continuing throughout 2024, the Judicial Panel on Multidistrict Litigation consolidated more than 200 class action lawsuits resulting from a Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit and transferred them to the U.S. District Court for the District of Massachusetts for coordinated pretrial proceedings. The litigation is captioned as In Re MOVEit Customer Data Security Breach Litigation, Case No. 23-MD-3083, ECF 2 (initial transfer order, Oct. 4, 2023) and 1185 (transfer order number 40, Sept. 3, 2024) (D. Mass.). The suits allege that a vulnerability in Massachusetts-based Progress Software’s MOVEit file transfer services was exploited in May 2023. According to news sources, Russian cybergang CL0P claimed responsibility for the hack. MOVEit Transfer web apps were infiltrated by malware that was used to steal sensitive information from databases. The MOVEit data breach is considered to be the largest hack of 2023. According to the Judicial Panel on Multidistrict Litigation’s initial transfer order, this breach exposed the personally identifiable information of more than 55 million people. Affected entities include Shell PLC, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. On July 24, 2024, the transferee court issued an order adopting a modified bellwether structure, in which it ordered the plaintiffs to file up to six consolidated amended complaints (CACs) and the parties to meet and confer on the defendants to be named in each CAC. As the MDL progresses, each CAC will be subject to Rule 12(b)(6) motion practice, class certification briefing, and summary judgment motions, and the CACs will be the focal point of discovery. The order further instructed the parties to propose joint bellwether scheduling and procedural orders. In response, the parties filed a 75-page joint submission in which they raised many disputes about the bellwether structure, the nature of CACs to be filed, and the proposed litigation schedule; however, they agreed, at least, that plaintiffs shall file their motions for class certification in the summer of 2025. See ECF 1161 at 46, 48 (Aug. 16, 2024). This data breach action is at the top of the watch list as we move into 2025.

2. The U.S. Supreme Court’s TransUnion Decision

With regard to other recent jurisprudence that has impacted the data breach class action landscape, the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, et al., 594 U.S. 413 (2021), remains a game-changer for defendants. In TransUnion, a class of 8,185 individuals sued a credit reporting agency for failing to use reasonable procedures to ensure the accuracy of their credit reports. Id. at 417. TransUnion used third-party software to cross-reference its database with the Office of Foreign Assets Control’s (OFAC) terrorist list. Id. at 419-20. The “cross-referencing” consisted only of comparing the first and last name of the individual with the first and last name of suspected terrorists on the OFAC list. Id.

Part of the class (1,853 members) were tagged as “suspected” matches and had their misleading credit reports distributed by TransUnion to a third-party business. Id. at 417. For example, the named plaintiff, Sergio Ramirez, was denied the ability to purchase a car at a Nissan dealership because of an inaccurate OFAC alert on his credit report. Id. at 420. The remaining members of the class had inaccurate OFAC alerts on their credit reports, but did not have their credit reports distributed. Id. The Supreme Court concluded that only the class members who had their misleading credit reports actually distributed suffered a “concrete harm” and thus had Article III standing. The Supreme Court compared the injury to a “person [who] is injured when a defamatory statement ‘that would subject him to hatred, contempt, or ridicule’ is published to a third party.” Id. at 414. Because such a harm has a “close relationship” to harms traditionally recognized in American law, it was sufficient to establish an injury-in-fact for purposes of Article III standing. The Supreme Court rejected the claims of class members who only alleged TransUnion maintained files with inaccurate OFAC alerts. The Supreme Court concluded that “there is no ‘historical or common law analog where the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.” Id. (quoting Owner-Operator Independent Drivers Association, Inc. v. Department Of Transportation, 879 F.3d 339, 344 (D.C. Cir. 2018)). The Supreme Court also rejected the class members’ argument that the increased “risk of future harm” was sufficient to confer standing. Id. at 435-36. It reasoned that although a “person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring,” actual harm is required for retrospective, monetary damages. Id. (citing Clapper, et al. v. Amnesty International USA, 568 U.S. 398, 414 (2013)).
Similar to the putative class members in TransUnion, many data breach class action plaintiffs struggle to plead any concrete harm. Accordingly, while the developing case law following TransUnion is still in its infancy and its progeny is limited, this decision is proving to be a game-changer for fracturing data breach class actions in 2024 and beyond.

II. Key Rulings In Data Breach Class Actions In 2024

The significant decisions in 2024 can be grouped into several categories, which are discussed below, including: (i) rulings on discovery and procedural decisions involving class action certification; (ii) preemptive motions to strike and dismiss class claims due to defects on the face of the pleadings, such as challenges to a plaintiff’s individual and class standing; and (iii) rulings on class certification including, but not limited to, decisions based on predominance and individualized inquiries relative to potential damages.

1. Discovery And Procedural Decisions

Although not always dispositive, successful defenses to class certification can begin with utilizing the full gamut of discovery and procedural defenses before reaching substantive proof. Sometimes procedural defenses underlying the requirements of Rule 23 and discovery posturing are powerful tools to derail class actions. In Ford, et al. v. Sandhills Medical Foundation, Inc., 97 F.4th 252 (4th Cir. 2024), for instance, the plaintiff filed a class action in state court against the defendant for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality, and alleged that the defendant failed to protect her personally identifiable information (PII) that was stolen in a 2020 cyberattack. The defendant removed the case to federal court, arguing that it was entitled to immunity under 42 U.S.C. § 233(a), which provides immunity from suits arising out of the performance of medical or related functions to qualifying health centers that receive federal grant money.
The district court agreed with the defendant, ruling that it was immune from suit under § 233(a) because the collection of PII was a part of its medical functions, and substituted the United States as the defendant. On appeal, the Fourth Circuit vacated and remanded the district court’s ruling. The plaintiff argued § 233(a) did not apply to her case because a breach of data security did not qualify as a “medical, surgical, dental, or related function” and thus the defendant was not immune from suit. Id. at 256. The Fourth Circuit agreed with the plaintiff that data security did not fall within the scope of “medical, surgical, dental, or related functions” as described in the statute. The Fourth Circuit analyzed the plain language of § 233(a), noting that “related functions” should be limited to activities closely tied to medical care. Id. at 258-60. The Fourth Circuit further determined that the breach occurred due to the defendant’s data security practices rather than its provision of medical care, which it found to be an administrative function not directly related to health care services. The Fourth Circuit opined that § 233(a) was intended to cover damages arising from the provision of health care, and since the plaintiff’s alleged damages resulted from a data breach that occurred well after her treatment ended, it was not directly related to the provision of medical services. Accordingly, the Fourth Circuit vacated and remanded the district court’s ruling.

2. Dispositive Motion Decisions

The plaintiffs in Wittmeyer, et al. v. Heartland Alliance For Human Needs & Rights, 2024 U.S. Dist. LEXIS 8803 (N.D. Ill. Jan. 17, 2024), filed a class action alleging negligence, negligence per se, breach of express and implied contract, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), and claims for declaratory and injunctive relief in connection with a data breach suffered by the defendant that exposed clients’ personally identifiable information (PII) and personal health information (PHI). The defendant (Heartland) filed a motion to dismiss pursuant to Rule 12(b)(6). The court granted that motion in part and denied it in part. Heartland is a non-profit, anti-poverty organization that provides healthcare and other services to individuals. Id. at *1. To receive services, individuals provide Heartland with PII such as their names and social security numbers. Id. For those individuals who receive medical services, Heartland also collects and stores PHI, including medical diagnoses and medication records. Id.
In January 2022, unauthorized individuals obtained access to the PII and PHI of Heartland’s clients, employees, and independent contractors. Id. In December 2022, the plaintiffs received notice that their PII and PHI were compromised in the data breach. Id. The plaintiffs alleged that they experienced various damages such as increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the data breach, and, in particular as to plaintiff Appiakorang, that someone fraudulently obtained car insurance in her name. Id. The court granted the defendant’s motion to dismiss the negligence per se, express and implied breach of contract, and ICFA claims, and the claims seeking declaratory judgment and injunctive relief. Id. at *7. The court, however, denied Heartland’s motion to dismiss the plaintiffs’ negligence claim. Heartland asserted that it did not owe the plaintiffs a duty to safeguard their personal information. Id. The court disagreed. It determined that it “declines to find, as a matter of law, that Heartland owed no duty to the plaintiff to safeguard their personal information.” Id. The court granted Heartland’s motion to dismiss the plaintiffs’ negligence per se claim, reasoning that a violation of a statute only constitutes negligence per se “when it is clear that the legislature intended for the act to impose strict liability.” Id. at *3. Since the plaintiffs did not allege that either the Federal Trade Commission Act (FTCA) or the Health Insurance Portability and Accountability Act (HIPAA) imposed strict liability, the court granted Heartland’s motion to dismiss. Id. at *4. The court also granted Heartland’s motion to dismiss the plaintiffs’ breach of express and implied contract claims. Id. at *4-6.
The court dismissed the plaintiffs’ breach of express contract claim because they failed to allege facts in the complaint to demonstrate that the parties entered into an express contract regarding security measures for the plaintiffs’ PII and PHI. Id. at *4. While the court observed that an implied contract could exist between the parties, it dismissed the breach of implied contract claim because the complaint did not contain any allegations that the plaintiffs suffered monetary damages as a result of the data breach. Id. at *5-6. Finally, the court dismissed the plaintiffs’ ICFA and declaratory judgment and injunction “claims.” Id. at *6-7. Under the ICFA, the court opined that the plaintiffs were required to plead facts sufficient to demonstrate the existence of a “real and measurable” loss, and the plaintiffs failed to plausibly plead that they suffered an economic loss. Id. In addition, the court dismissed the plaintiffs’ declaratory judgment and injunction “causes of action,” noting that while they are forms of relief, they are not cognizable, independent causes of action. Id. at *7. For these reasons, the court granted Heartland’s motion to dismiss on all claims except the traditional negligence claim. In a putative class action stemming from a data breach involving defendant NCB Management Services (NCB), In Re NCB Management Services Inc. Data Breach Litigation, 2024 U.S. Dist. LEXIS 163260 (E.D. Penn. Sept. 11, 2024), the plaintiffs alleged that NCB, a debt collection company, failed to adequately protect their personal information, which was compromised during the breach. The plaintiffs, former customers of Bank of America (BOA) and Pathward, N.A. (Pathward), alleged that NCB obtained their personally identifiable information (PII) from the financial institutions to service and collect on their accounts. The plaintiffs asserted that NCB
negligently failed to secure their PII, which led to unauthorized access, disclosure, and theft of their data. The data breach, which occurred on February 1, 2023, was part of a larger ransomware attack affecting NCB’s systems, and it was initially disclosed in March 2023. The breach ultimately affected over a million people. The plaintiffs claimed they suffered various damages, including unauthorized activity on their accounts, due to NCB’s alleged negligence in managing their data security. The plaintiffs brought claims against NCB for negligence, violations of federal and state laws, breach of contract, invasion of privacy, and unjust enrichment. NCB moved to dismiss eight of the 16 named plaintiffs, arguing that they lacked standing because they did not allege concrete injuries. NCB also sought the dismissal of 15 of the 17 claims on the grounds that the plaintiffs failed to state valid legal claims under Rule 12(b)(6). In response, the plaintiffs voluntarily dropped their claims against the bank defendants (BOA and Pathward), making those motions moot. The plaintiffs also withdrew claims related to the Fair Credit Reporting Act, the California Customer Records Act, and invasion of privacy. The court granted NCB’s motion in full. It dismissed eight plaintiffs for lack of standing due to their failure to show concrete injury, and it dismissed the remaining claims because the plaintiffs failed to state valid legal claims for which relief could be granted. Accordingly, the court granted NCB’s motion and significantly narrowed the claims against it. In Re MOVEit Customer Data Security Breach Litigation, 2024 U.S. Dist. LEXIS 224712 (D. Mass. Dec. 12, 2024), involved the MOVEit Transfer data breach caused by a cybercriminal group, Cl0p, which exploited security vulnerabilities in the software to exfiltrate personally identifiable information (PII) and protected health information (PHI) from over 2,600 entities, affecting 93 million records. 
The breach also involved extortion attempts by Cl0p, which threatened to release the stolen data unless a ransom was paid. Id. Hundreds of affected entities had the stolen data published on the web, leading to concerns about fraud and the potential misuse of the exposed data. The plaintiffs asserted that both the software company (Progress Software Corp.) and other defendants failed to take adequate precautions before and during the breach, leading to various harms, including potential fraud and future misuse of their data. Over 300 individual cases were filed, leading to the creation of the MDL in October 2023, which consolidated the cases in the U.S. District Court for the District of Massachusetts. Following the creation of the MDL, a briefing schedule was set for threshold issues, including motions to dismiss for lack of standing. The plaintiffs filed a common complaint in May 2024, which set out common factual allegations relevant to the standing analysis. The defendants moved to dismiss, arguing that the plaintiffs failed to allege an injury-in-fact and challenging the traceability requirement for standing. With regard to injury-in-fact, the court found that the plaintiffs sufficiently alleged a material risk of further harm, an actual injury, and a future risk of harm. The court took a generalized approach in looking at the totality of the allegations, instead of a more granular, plaintiff-specific approach. For example, the court stated that if between 30 and 157 plaintiffs (out of 300+) had asserted actual injury, that was enough to apply across the board for actual injury. Id. at 21. Relative to the traceability factor, the court held that the plaintiffs plausibly alleged exposure of their data to Cl0p “which is fairly traceable to Defendants’ actions vis-à-vis the Data Breach.” Id. at 26. 
The court ruled that the complaint could stand but that, through discovery, the plaintiffs’ claims against various entities “may prove insufficient to establish liability at subsequent stages of the MDL.” Id. at 29. The court granted the motion to dismiss as to four claims that predated the date of the alleged breach, finding there was no traceable injury. Id. at 31. The court also dismissed requests for injunctive relief. Accordingly, the court granted in part and denied in part the defendants’ motion to dismiss. In the putative class action entitled De Medicis, et al. v. Ally Bank And Ally Financial, Inc., 2024 WL 1257022 (S.D.N.Y. Mar. 25, 2024), the plaintiff alleged that the defendants Ally Bank and Ally Financial, Inc. recklessly or negligently disseminated their customers’ account usernames and passwords to unnamed, unauthorized third parties through a coding error in the defendants’ website portal and failed to take reasonable measures to maintain the confidentiality of those usernames and passwords. The plaintiff, on behalf of himself and all others similarly-situated, brought this action against the defendants asserting claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, violations of the Virginia Personal Information Breach Notification Act and the North Carolina Unfair and Deceptive Trade Practices Act, and injunctive/declaratory relief under the Declaratory Judgment Act. The defendants moved to dismiss the complaint under Rules 12(b)(1) and 12(b)(6). As with the plaintiff’s first attempt, the court again dismissed the class action on standing grounds. In its prior opinion, the court dismissed the plaintiff’s claims for lack of Article III standing because the plaintiff failed to allege he suffered a concrete, particularized injury-in-fact or a substantial risk of future injury. 
In his amended complaint, the plaintiff asserted the same claims previously asserted against the defendants for negligence, negligence per se, breach of implied contract, violations of the Virginia Personal Information Breach Notification
Act, and injunctive/declaratory relief under the Declaratory Judgment Act, as well as newly added claims for breach of fiduciary duty and violation of the North Carolina Unfair and Deceptive Trade Practices Act. The defendants sought dismissal on the same grounds, i.e., for the plaintiff’s failure to allege an injury in fact, and in the alternative, for failure to state a claim. Specifically, the defendants argued that the plaintiff failed to cure the deficiencies of his complaint, and that the plaintiff’s new allegations established neither that he suffered an actual injury nor that he faced a substantial risk of future injury. As in its prior opinion, the court found that the “harm” asserted was too attenuated because “unauthorized attempts on Plaintiff’s accounts are insufficient to constitute a particularized, concrete injury, and Plaintiff’s ‘time spent’ may only constitute a present injury if he can establish a substantial risk of future injury of identity theft.” Id. at *10-20. The court further found that the plaintiff’s purported injury, namely his lost ability to invest in the market at advantageous rates, was not causally connected to the coding error. In sum, the court dismissed the complaint and concluded that the plaintiff failed to cure the deficiencies in the amended complaint and that his allegations were insufficient to establish that he suffered a concrete, particularized present injury in fact. In Logan, et al. v. Marker Group, Inc., 2024 U.S. Dist. LEXIS 126653 (S.D. Tex. July 18, 2024), the plaintiffs filed a class action alleging negligence, breach of contract, invasion of privacy, unjust enrichment, breach of confidence, and violation of the California Confidentiality of Medical Information Act (CMIA) against the defendant following a data breach that exposed their PII. 
The defendant moved to dismiss all counts of the plaintiffs’ complaint except the negligence claim, arguing both that the court lacked jurisdiction over two plaintiffs who had suffered no concrete injury and that the plaintiffs failed to adequately plead their remaining claims. First, the defendant contended that plaintiffs Logan and Baxter lacked standing because they did not demonstrate actual injury from the breach. The defendant argued that claims of future risk and mitigation efforts did not constitute concrete harm and that any damages related to diminution of the value of their PII were unsupported. The court agreed. It found that mitigation efforts cannot “manufacture standing” where the risk of future identity theft is hypothetical and not certainly impending. Id. at *16. As to the remaining plaintiff who had an unauthorized line of credit opened in his name, the defendant argued that the breach of implied contract claim must be dismissed because there was no mutual agreement between the parties, and that the defendant never made specific promises regarding data security. The plaintiffs asserted that an implied contract was formed based on the expectation of reasonable data protection measures, which was supported by the defendant’s website promises. The court found that the plaintiffs failed to establish that the defendant solicited or explicitly agreed to protect personal information beyond what federal law required. In turn, the court dismissed the breach of implied contract claim. The defendant also moved to dismiss the plaintiffs’ invasion of privacy claim, arguing that plaintiffs failed to provide sufficient facts to show intentional intrusion. The court agreed, and found that the plaintiffs had voluntarily provided information, and the claim was based on alleged negligence rather than intentional conduct. Accordingly, the court dismissed the invasion of privacy claim. 
The defendant further asserted that the plaintiffs’ claim for unjust enrichment should be dismissed because the plaintiffs did not confer any benefit upon the defendant. The plaintiffs argued that their personal information, which the defendant received, was a benefit. The court concluded that the plaintiffs’ claim for unjust enrichment failed for lack of evidence that they conferred a benefit, and dismissed the claim. The defendant also argued that the plaintiffs’ breach of confidence claim should be dismissed because it was not recognized under Texas law. The court agreed, and ruled that the plaintiffs failed to present any legal precedent for such a claim in Texas. Finally, the court concluded that the plaintiffs’ request for a declaration regarding the defendant’s current security measures could proceed (along with the negligence claim not at issue in the motion to dismiss), as it addressed an ongoing dispute about the adequacy of security practices. In Roma, et al. v. Prospect Medical Holdings, Inc., 2024 U.S. Dist. LEXIS 138947 (E.D. Penn. Aug. 5, 2024), the defendant, a large medical group with over 18,000 employees and 600,000 members, experienced a significant data breach in early August 2023. The breach involved unauthorized access to its network by a ransomware gang named Rhysida. The exposed data included a wide range of sensitive personal and health information, including Social Security numbers, financial details, medical records, and more. Rhysida claimed responsibility and put the stolen data, amounting to over one terabyte, up for sale on the dark web. The defendant notified the state Attorneys General about the breach two months later. In its notice, the defendant acknowledged the potential compromise of the data of employees and dependents, and offered free credit monitoring and identity protection services. 
The plaintiffs filed a class action alleging that the breach led to an increased risk of identity theft and fraud, and caused them emotional distress. The plaintiffs also reported various incidents of misuse of their personal information, such as fraudulent charges and unauthorized loans. The plaintiffs asserted that the
defendant’s failure to protect their data constituted negligence and violations of multiple laws, including the FTCA and the CMIA. The defendant moved to dismiss pursuant to Rule 12(b)(1) and Rule 12(b)(6). The court granted the motion in part, dismissing plaintiffs’ claims for negligence per se, implied contract, invasion of privacy, and violation of California’s Unfair Competition Law, and denied it in part, allowing the case to proceed to discovery on the plaintiffs’ negligence and CMIA claims. The court determined that the plaintiffs sufficiently demonstrated standing by offering evidence of their data being misused, which caused them concrete injuries. The defendant next argued that the plaintiffs failed to show a causal link between the data breach and their injuries, and that the alleged injuries were not actual damages. However, the court determined that the plaintiffs’ allegations — such as their personal information being posted on the dark web and resulting in financial losses — were sufficient to meet the causation and damage requirements for negligence. The plaintiffs’ negligence per se claim was based on an alleged violation of the FTCA, which prohibits unfair practices. The defendant contended that this claim should be dismissed because the FTCA does not provide a private right of action. The court agreed that negligence per se could not be a standalone claim but can be used as a theory supporting the negligence claim. The plaintiffs alleged that there was an implied contract requiring the defendant to protect their personal information. The defendant stated that merely sharing information does not create an implied contract to safeguard it. The court agreed. It found that the plaintiffs’ allegations did not establish an implied contract based on the defendant’s conduct, and dismissed the breach of contract claim. 
As to the invasion of privacy claims, the court explained that under both Pennsylvania and California law, an invasion of privacy claim requires intentional intrusion, and the plaintiffs’ claims against the defendant failed because they did not properly allege that the defendant intentionally intruded on their information. Accordingly, the court granted in part and denied in part the defendant’s motion to dismiss. The court granted the defendant’s motion for summary judgment in Austin, et al. v. Fleming, Nolen & Jez, LLP, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024). On February 6, 2023, a cybercriminal breached the defendant law firm’s servers and obtained some of its confidential client data. Id. at *1. The cybercriminal then demanded that the defendant pay money to avoid the publication of the defendant’s confidential client data on the dark web. Id. After the defendant sent out data breach notice letters to its potentially affected clientele, the named plaintiff, a former client of the defendant, filed a class action complaint against the defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing. Id. The defendant moved for summary judgment on the basis that the plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach. Id. In response, the plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft. Id. The court ruled that the plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.” Id. at *4. As a result, the court only considered the defendant’s motion for summary judgment as it pertained to the plaintiff’s individual claim against the defendant. Id. 
The court held that none of the following allegations of harm were sufficient for the plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.” Id. at *5-6. Accordingly, the court found that because the plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper. Id. at *6. In Jones, et al. v. Sturm, Ruger & Co., 2024 U.S. Dist. LEXIS 54804 (D. Conn. Mar. 27, 2024), the plaintiffs filed a class action following a data breach of an e-commerce site hosted on a server managed by Freestyle Software, Inc. The breach compromised customers’ PII and payment card data (PCD). The plaintiffs sued Freestyle and Sturm, Ruger & Company, Inc., alleging negligence, breach of contract, and unjust enrichment. The defendants filed motions to dismiss the case for lack of Article III standing and failure to state a claim. The defendants contended that the plaintiffs failed to establish that they suffered sufficient harm and failed to allege plausible claims. As to standing, the court determined that the plaintiffs sufficiently alleged that they suffered concrete, particularized, and imminent injuries in the form of “out of pocket costs by paying a monthly fee for credit and identity protection services,” and lost time and other opportunity costs associated with “attempting to mitigate the consequences of the data breach.” Id. at *11. Accordingly, the court denied the motion to dismiss for lack of standing. The court also ruled that the plaintiffs successfully alleged that the defendants failed to implement proper security measures, leading to the data breach, such that the negligence claim could proceed. 
As to the breach of contract claim, the plaintiffs argued that the defendants breached an implied contract by