cybersecurity program to safeguard the organization, but also a well-designed incident detection and response program, including a rapid response protocol and playbook that will help the organization identify, investigate, and respond promptly to a suspected cybersecurity incident. Multiple industry reports, as well as anecdotal evidence, have shown that organizations with an incident response protocol (one that has been tested through tabletop exercises) not only mitigate the cost of a data breach, but also have better defenses in any litigation or regulatory proceeding. With that being said, the playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and on methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The focus of this chapter is to survey the recent developments and settlements of the law in the area of data breach class action litigation. Class certification was granted 40% of the time, with 2 of 5 total motions being granted by the courts, hence the “mixed results.”

1. The MOVEit Data Breach Class Action

Beginning in 2023 and continuing throughout 2024, the Judicial Panel on Multidistrict Litigation consolidated more than 200 class action lawsuits resulting from a Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit and transferred them to the U.S. District Court for the District of Massachusetts for coordinated pretrial proceedings. The litigation is captioned as In Re MOVEit Customer Data Security Breach Litigation, Case No. 23-MD-3083, ECF 2 (initial transfer order, Oct. 4, 2023) and 1185 (transfer order number 40, Sept. 3, 2024) (D. Mass.).
The suits allege that a vulnerability in Massachusetts-based Progress Software’s MOVEit file transfer services was exploited in May 2023. According to news sources, the Russian cybergang CL0P claimed responsibility for the hack. MOVEit Transfer web apps were infiltrated by malware that was used to steal sensitive information from databases. The MOVEit data breach is considered to be the largest hack of 2023. According to the Judicial Panel on Multidistrict Litigation’s initial transfer order, this breach exposed the personally identifiable information of more than 55 million people. Affected entities include Shell PLC, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles.

On July 24, 2024, the transferee court issued an order adopting a modified bellwether structure, in which it ordered the Plaintiffs to file up to six consolidated amended complaints (CACs) and the parties to meet and confer on the defendants to be named in each CAC. As the MDL progresses, each CAC will be subject to Rule 12(b)(6) motion practice, class certification briefing, and summary judgment motions, and the CACs will be the focal point of discovery. The order further instructed the parties to propose joint bellwether scheduling and procedural orders. In response, the parties filed a 75-page joint submission in which they raised many disputes about the bellwether structure, the nature of the CACs to be filed, and the proposed litigation schedule; however, they agreed, at least, that plaintiffs shall file their motions for class certification in the summer of 2025. See ECF 1161 at 46, 48 (Aug. 16, 2024). This data breach action is at the top of the watch list as we move into 2025.

2. The U.S. Supreme Court’s TransUnion Decision

In regards to other recent jurisprudence that has impacted the data breach class action landscape, the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, et al., 594 U.S. 413 (2021), remains a game-changer for defendants. In TransUnion, a class of 8,185 individuals sued a credit reporting agency for failing to use reasonable procedures to ensure the accuracy of their credit reports. Id. at 417. TransUnion used third-party software to cross-reference its database with the Office of Foreign Assets Control’s (OFAC) terrorist list. Id. at 419-20. The “cross-referencing” consisted only of comparing the first and last name of the individual with the first and last name of suspected terrorists on the OFAC list. Id.
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025