Part of the class (1,853 members) were tagged as “suspected” matches and had their misleading credit report distributed by TransUnion to a third-party business. Id. at 417. For example, the named plaintiff, Sergio Ramirez, was denied the ability to purchase a car at a Nissan dealership because of an inaccurate OFAC alert on his credit report. Id. at 420. The remaining members of the class had inaccurate OFAC alerts on their credit reports, but did not have their credit reports distributed. Id. The Supreme Court concluded that only the class members who had their misleading credit report actually distributed suffered a “concrete harm” and thus had Article III standing. The Supreme Court compared the injury to a “person [who] is injured when a defamatory statement ‘that would subject him to hatred, contempt, or ridicule’ is published to a third party.” Id. at 414. Because such a harm has a “close relationship” to harms traditionally recognized in American law, it was sufficient to establish an injury-in-fact for purposes of Article III standing. The Supreme Court rejected the claims of class members who only alleged TransUnion maintained files with inaccurate OFAC alerts. The Supreme Court concluded that “there is no ‘historical or common law analog where the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.’” Id. (quoting Owner-Operator Independent Drivers Association, Inc. v. Department Of Transportation, 879 F.3d 339, 344 (D.C. Cir. 2018)). The Supreme Court also rejected the class members’ argument that the increased “risk of future harm” was sufficient to confer standing. Id. at 435-36. It reasoned that although a “person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring,” actual harm is required for retrospective, monetary damages. Id. (citing Clapper, et al. v. Amnesty International USA, 568 U.S. 398, 414 (2013)).
Similar to the putative class members in TransUnion, many data breach class action plaintiffs often struggle to plead any concrete harm. Accordingly, while the developing case law following TransUnion is still in its infancy and its progeny is limited, this decision is proving to be a game-changer for fracturing data breach class actions in 2024 and beyond.

II. Key Rulings In Data Breach Class Actions In 2024

The significant decisions in 2024 can be grouped in several categories, which are discussed below, including: (i) rulings on discovery and procedural decisions involving class action certification; (ii) preemptive motions to strike and dismiss class claims due to defects on the face of the pleadings, such as challenges to a plaintiff’s individual and class standing; and (iii) rulings on class certification including, but not limited to, decisions based on predominance and individualized inquiries relative to potential damages.

1. Discovery And Procedural Decisions

Although not always dispositive, successful defenses to class certification can begin with utilizing the gamut of discovery and procedural defenses to substantive proof. Sometimes procedural defenses underlying the requirements of Rule 23 and discovery posturing are powerful tools to derail class actions.

In Ford, et al. v. Sandhills Medical Foundation, Inc., 97 F.4th 252 (4th Cir. 2024), for instance, the plaintiff filed a class action in state court against the defendant for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality, and alleged that the defendant failed to protect her personally identifiable information (PII) that was stolen in a 2020 cyberattack. The defendant removed the case to federal court, arguing that it was entitled to immunity under 42 U.S.C. § 233(a), which provides immunity from suits arising out of the performance of medical or related functions to qualifying health centers that receive federal grant money.
The court agreed with the defendant, ruling that it was immune from suit under § 233(a) because the collection of PII was a part of its medical functions, and substituted the United States as the defendant. On appeal, the Fourth Circuit vacated and remanded the district court’s ruling. The plaintiff argued § 233(a) did not apply to her case because breach of data security did not qualify as a “medical, surgical, dental, or related function” and thus the defendant was not immune from suit. Id. at 256. The Fourth Circuit agreed with the plaintiff that data security
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025