Class action litigation in the consumer fraud area has exponentially increased over the past several years. Most consumer fraud class actions come with the possibility of excessive payouts for corporations. We hope the Duane Morris Consumer Fraud Class Action Review – 2023 will demystify some of the complexities of consumer fraud class action litigation through our analysis of trends and significant rulings that enable corporate counsel to make informed decisions in dealing with complex litigation risks.
ISBN Number: 979-8-9876757-8-6 © Duane Morris LLP 2024. All rights reserved. No part of this book may be reproduced in any form without written permission of Duane Morris LLP.
DISCLAIMER The material in this Review is of the nature of general commentary only. It is not meant as or offered as legal advice on any particular issue and should not be considered as such. The views expressed are solely those of the authors. In addition, the authors disclaim any and all liability to any person in respect of anything and of the consequences of anything done wholly or partly in reliance on the contents of this Review. This disclaimer is from the Declaration of Principles jointly adopted by the Committee of the American Bar Association and a Committee of Publishers and Associations.
i
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
CITATION FORMATS All citations in the Duane Morris Data Breach Class Action Review are designed to facilitate research. If available, the preferred citation of the opinion included in the West bound volumes is used, such as Baysal, et al. v. Midvale Indemnity Co., 78 F.4th 976 (7th Cir. 2023). If the decision is not available in the preferred format, a Lexis cite from the electronic database is provided, such as Moehrl, et al. v. National Association of Realtors, 2023 U.S. Dist. LEXIS 53299 (N.D. Ill. Mar. 29, 2023). If a ruling is not available in one of these sources, the full case name and docket information is included, such as Yates, et al. v. Traeger Pellet Grills , Case No. 19-CV-723 (D. Utah Sept. 7, 2023). eBOOK HIGHLIGHTS The Duane Morris Data Breach Class Action Review is available for use on a smartphone, laptop, iPad, or any personal electronic reader by using any eBook reader application. eBook reading allows users to quickly scroll, highlight important information, link directly to different sections of the Review, and bookmark pages for quick access at a later time. The eBook is designed for easy navigation and quick access to informative data. The eBook is available by scanning the below QR code:
ii
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
NOTE FROM THE EDITORS In recent years, the financial implications of class action settlements related to data breaches have been escalating. This trend was particularly noticeable in 2023, with several high-profile cases resulting in substantial settlement amounts. The sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Furthermore, the nature of the data being compromised is becoming more sensitive - including financial and health information - which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements. Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serve to drive up costs. In sum, data breach class action litigation continues to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. In this respect, we hope this book will provide our clients with an analysis of trends and significant rulings that enable them to make informed decisions in dealing with complex litigation risks. Defense of data breach class actions is a hallmark of the litigation practice at Duane Morris. We hope this book – manifesting the collective experience and expertise of our class action defense group – will assist our clients by identifying developing trends in the case law and offering practical approaches in dealing with class action litigation.
Sincerely,
Gerald L. Maatman, Jr.
Jennifer A. Riley
General Editor February 22, 2024
General Editor February 22, 2024
iii
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
CONTRIBUTORS
Elisabeth Bassani
Emilee Crowther
Ethan Feldman
Derek Franklin
Alex Karasik
Ryan Monahan
Christian Palacios
George Schaller
Bryan Shapiro
Brandon Spurlock
Tyler Zmick
iv
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
GLOSSARY AND KEY U.S. SUPREME COURT DECISIONS Adequacy Of Representation – Plaintiffs must show adequacy of representation per Rule 23(a)(4) to secure class certification. It requires representative plaintiffs and their counsel to be capable of fairly and adequately protecting the interests of the class. Amchem Products, Inc. v. Windsor, et al. , 521 U.S. 591 (1997) – Windsor is the U.S. Supreme Court decision that elucidated the requirements in Rule 23(b), insofar as common questions must predominate over any questions affecting only individual class members and class resolution must be superior to other methods for the adjudication of the claims. Ascertainability – Although not an explicit requirement of Rule 23, some courts hold that the members of a proposed class must by ascertainable by objective criteria. Comcast Corp. v. Behrend, et al. , 569 U.S. 27 (2013) – Comcast is the U.S. Supreme Court decision that interpreted Rule 23(b)(3) to require that, for questions of law or fact common to the class, the plaintiffs’ damages model must show damages are capable of resolution on a class-wide basis. Commonality – Plaintiffs must show commonality per Rule 23(a)(2) to secure class certification. This requires that common questions of law and fact exist as to the proposed class members. Class – A group of individuals that has suffered a similar loss or alleged illegal experience on whose behalf one or more representatives seek to bring suit. Class Action – The civil action brought by one or more plaintiffs in which they seek to sue on behalf of themselves and others not named in the suit but alleged to have suffered the same or similar harm. Class Certification – The judicial process in which a court reviews the submissions of the parties to determine whether the plaintiffs have met their burden of showing that class treatment is the most appropriate form of adjudication. In federal courts, the process is governed by Rule 23 of the Federal Rules of Civil Procedure. Cy Pres Fund – In class action settlement agreements, this is the money set aside for distribution to a § 501(c) organization when class members do not return a settlement claim form and money is left over after distribution to the class. Epic Systems Inc. v. Lewis, et al. , 138 S. Ct. 1612 (2018) – Epic Systems is the U.S. Supreme Court decision holding that arbitration agreements requiring individual arbitration and waiving a litigant ’ s right to bring or participate in class actions are enforceable under the Federal Arbitration Act. Opt-Out Procedures – If a court certifies a class under Rule 23(b)(3), class members are bound by the court ’ s judgment unless they opt-out after receiving notice of the lawsuit. Numerosity – Plaintiffs must show that their proposed class is sufficiently numerous that adding each class member to the complaint would be impractical. This is a requirement for class certification imposed by Rule 23(a)(1). Ortiz, et al. v. Fibreboard Corp., 527 U.S. 815 (1999) – Ortiz is the U.S. Supreme Court ruling that interpreted Rule 23(b)(3) to require personal notice and an opportunity to opt-out of a class action where money damages are sought in a class action. Predominance – The Rule 23(b)(3) requirement that, to obtain class certification, the plaintiffs must show that common questions predominate over any questions affecting individual members.
v
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Rule 23 – This rule from the Federal Rules of Civil Procedure governs class actions in federal courts and requires that a party seeking class certification meet four requirements of section (a) and one of three requirements under section (b) of the rule. Rule 23(a) – It prescribes that a class meet four requirements for purposes of class certification, including numerosity, commonality, typicality, and adequacy of representation. Rule 23(b) – To secure class certification, a class must meet one of three requirements of Rule 23(b)(1), Rule 23(b)(2), or Rule 23(b)(3). Rule 23(b)(1) – A class action may be maintained if Rule 23(a) is satisfied and if prosecuting separate actions would create a risk of inconsistent or varying adjudications with respect to individual class members or adjudications with respect to individual class members that, as a practical matter, would be dispositive of the interests of the other members not parties to the individual adjudications or would substantially impair or impede their ability to protect their interests. Rule 23(b)(2) – A class action may be maintained if Rule 23(a) is satisfied and the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole. Rule 23(b)(3) – A class action may be maintained if Rule 23(a) is satisfied and questions of law or fact common to class members predominate over any questions affecting only individual members and a class action is superior to other available methods for fairly and efficiently adjudicating the controversy. Superiority – The Rule 23(b)(3) requirement that a class action can be permitted only if class resolution is the superior method of adjudicating the claims. Typicality – The plaintiffs’ claims and defenses must be typical to those of proposed class members’ claims. This is required by Rule 23(a)(3). Wal-Mart Stores, Inc. v. Dukes, et al., 564 U.S. 338 (2011) – Wal-Mart is the U.S. Supreme Court ruling that tightened the commonality requirement of Rule 23(a)(2) and held that judges must conduct a “rigorous analysis” to determine whether there is a “common” contention central to the validity of the claims that is “capable of class-wide resolution.”
vi
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
TABLE OF CONTENTS
Page
1. Introduction……. .................................................... ............................................1 2. Key Rulings In Data Breach Class Actions....................................................... 7 3. Top Data Breach Class Action Settlements Of 2023 ..................................... 21 4. Table Of 2023 Class Action And Collective Action Litigation Rulings ......... 23
vii
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
I. Introduction The volume of data breach class actions exploded in 2023, and their unique challenges, including issues of standing and uninjured class members, continued to vex the courts, leading to inconsistent outcomes. Data breach has emerged as one of the fastest growing areas of class action litigation. After every major (and not-so-major report) of a data breach, companies now can expect the resulting negative publicity to prompt one or more class action lawsuits, saddling companies with the significant costs of responding to the data breach as well as the significant costs of dealing with high-stakes class action lawsuits on multiple fronts. Companies unfortunate enough to fall victim to data breaches in 2023 faced class actions, including copy- cat and follow-on class actions across multiple jurisdictions, at an increasing rate. In 2023, we saw a notable increase in data breach class actions as compared to 2022. Plaintiffs filed approximately 246 data breach class actions within the first half of 2023, roughly equivalent to the total number of filings for the entirety of 2022. On average, plaintiffs filed 44.5 data breach class actions per month during 2023 through the end of August, marking a significant increase from the average of 20.6 per month that we saw in 2022. From September 2023 to the end of the year, Plaintiffs filed over 450 additional data breach class actions (including those in privacy areas), for an average of over 125 a month.
Several factors likely contributed to this surge in data breach class actions in 2023, including the MOVEit data breach. The shift to remote work, rise of cloud-based storage, and the escalation of sophisticated cybercriminal activity has threatened data security like never before, giving rise to more large-scale data breaches across industries and thereby prompting more lawsuits. In 2023, the Judicial Panel on Multidistrict Litigation consolidated more than 100 class actions arising from an alleged Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit. See In Re MOVEit Customer Data Security Breach Litigation , MDL No. 3083 (J.P.M.L. Oct. 4, 2023). Further, whereas data breach actions pursued a decade ago faced little prospect of success, recent court decisions provided a roadmap
1
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
for plaintiffs to attempt to show standing and successfully plead duty, causation, and damages, thereby providing additional momentum for the plaintiffs’ class action bar. The U.S. Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, et al. , 141 S.Ct. 2190 (2021), has presented a fundamental threshold challenge for many data breach class action plaintiffs – i.e. , whether the plaintiff suffered a concrete injury such that he or she has standing to assert a claim. In TransUnion , the Supreme Court ruled that certain putative class members, who did not have their credit reports shared with third parties, did not suffer concrete harm and, therefore, lacked standing to sue. Since the TransUnion decision, standing has emerged as a key defense to data breach litigation because the plaintiffs often have difficulty demonstrating that class members suffered concrete harm. Courts, however, have continued to disagree over the application of TransUnion in the data breach context and have handed down varying decisions. For instance, whereas some courts have found allegations of mere access to personal information insufficient, courts have disagreed as to the amount of harm and level of causation plaintiffs must plead to maintain a claim. In Ruskiewicz, et al. v. Oklahoma City University, 2023 U.S. Dist. LEXIS 178928 (W.D. Okla. Oct. 4, 2023), for example, the plaintiff alleged that an unauthorized third party accessed and stole her personal information during a data breach, released it into the public domain, and, because of the data breach, she faced a heightened risk of identity theft. The plaintiff claimed that she was required to take mitigation measures, including “placing ‘ freezes’ and ‘ alerts’ with credit reporting agencies, contacting [her] financial institutions, closing or modifying financial accounts, and closely reviewing [her] credit reports.” Id. at *5. The court granted the defendant’s motion to dismiss on the basis that a plaintiff suing for damages and injunctive relief from a data breach based on a risk that fraud or identity theft may occur in the future, without any facts to show a misuse of the data had occurred, failed to allege a concrete injury and lacked standing. Id. at *6; see, e.g. , Holmes v. Elephant Insurance Co. , 2023 U.S. Dist. LEXIS 110161 (E.D. Va. June 26, 2023) (holding that allegations regarding an increased risk of harm from future fraud or identity theft and time spent on preventative and mitigation efforts, such as monitoring credit and financial documents, did not demonstrate Article III standing). In Bohnak, et al. v. Marsh & McLennan Co., 2023 U.S. App. LEXIS 22390 (2d Cir. Aug. 24, 2023), by contrast, the plaintiff alleged that an unauthorized third party accessed her name and Social Security number through a targeted data breach. The district court granted the defendants’ motion to dismiss for lack of standing, finding that the risk of future misuse of her personal information did not give rise to standing. On appeal, the Second Circuit reversed. It held that, under TransUnion , “disclosure of private information” is sufficiently “concrete” for purposes of Article III, and the fact that plaintiff alleged that she incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft” and “lost time” and other “opportunity costs” associated with attempting to mitigate the consequences of the data breach, was sufficient. Id. at *19; see Florence, et al. v. Order Express, Inc., 2023 U.S. Dist. LEXIS 89410 (N.D. Ill. May 23, 2023) (finding loss of privacy resulting from data breach, including the mitigation costs, constituted a concrete injury). Courts continue to grapple with the application of TransUnion in the data breach context, where many plaintiffs are unaware or unable to identify any concrete harm traceable to the alleged exposure of their information. Thus, while it is well-settled that individuals who have experienced direct economic injury from a breach (such as fraudulent charges) have legal standing, courts have disagreed as to the standing of persons who have not contended that an unauthorized party misused their data. Plaintiffs who clear the standing hurdle as to their own claims relative to their ability to demonstrate an injury from the alleged data breach have continued to face a larger and more daunting obstacle at the class certification phase. Indeed, only 16% of the class certification decisions issued in data breach cases in 2023 came out in favor of plaintiffs. Some of this difficulty arises from the problem of uninjured class members.
2
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
By definition, individuals who did not suffer injury as the result of the defendant’s conduct cannot maintain claims, and courts do not have the power to award them relief. As the U.S. Supreme Court reiterated in TransUnion , “Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.” TransUnion LLC v. Ramirez, et al. , 141 S.Ct. 2190, 2208 (quoting Tyson Foods v. Bouaphakeo , 577 U.S. 442, 466 (2016). “[S]tanding is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” Id. Courts have continued to grapple with the application of these concepts in the class certification context. In particular, they disagree over whether to certify a class, a plaintiff must demonstrate that every putative class member has standing or, stated differently, must demonstrate that the class excludes those individuals who did not suffer harm. In TransUnion , the Supreme Court expressly left open the question of “whether every class member must demonstrate standing before a court certifies a class.” Id. at n.4. Such a requirement has significant consequences in the data breach context. In Steinmetz, et al. v. Brinker International, Inc. , 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), for instance, the plaintiffs alleged that hackers targeted Chili’s restaurant systems, stole customer data and personally identifiable information, and posted that information on an online market place for stolen payment data. Id. at *2-3. Two named plaintiffs also alleged that, after their visits to Chili’s, they had unauthorized charges on their credit cards. Id. After the district court certified a nationwide class and California state-wide class, the Eleventh Circuit vacated the district court’s ruling. The Eleventh Circuit held that, although the plaintiffs alleged a concrete injury sufficient to demonstrate Article III standing, the phrase “data accessed by cybercriminals” in both class definitions was too broad and the class would have to be limited to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at *15. The Eleventh Circuit determined that the district court needed to refine the class definition to include those two categories only and then conduct a new predominance analysis as to uninjured individuals who simply had their data accessed. Similarly, in Attias, et al. v. Carefirst, Inc., 344 F.R.D. 38 (D.D.C. Mar. 28, 2023), the plaintiffs filed a class action alleging that unauthorized individuals accessed the names, birth dates, email addresses, and subscriber identification numbers for over a million insureds. The district court denied plaintiffs’ motion for class certification. The court found that the plaintiffs met the requirements for Rule 23(a), but it expressed concerns about predominance. The court found potential individualized issues related to demonstrating class-wide injury-in-fact, particularly if the injuries for some class members were only future speculative injuries. For these reasons, the court ruled that the plaintiffs failed to meet the predominance requirement of Rule 23 and denied the motion for class certification. Given the potency of the standing defense, we anticipate that it will continue to occupy a center-stage role in data breach litigation, particularly as plaintiffs attempt to maneuver around negative precedent at the outset to state a claim, only to encounter a similar obstacle at the class certification stage on a broader scale. Class action litigation in the data breach space has continued to become more routine with lawsuits being filed after every major and not-so-major report of a breach and through many high-profile data breach cases that create headlines on a regular basis. In recent years, companies such as Microsoft, Wattpad, Meta/Facebook, Estee Lauder, Whisper and Advanced Info Service, have experienced significant breach events affecting hundreds of millions of their records. Most recently, in In Re Marriott International Inc. Customer Data Security Breach Litigation , 341 F.R.D. 128 (D. Md. May 3, 2022), a federal judge in Maryland granted class certification in a data breach impacting over 133 million American consumers against hotel chain Marriott and its data security vendor Accenture. This was, to date, the largest data breach case in the country. We expect to see more large-scale data breaches impacting companies across industries as the shift to remote working, cloud-based storage, and the rise in sophisticated cybercriminals
3
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
threatens data security.
Despite the large number of data breach actions filed, plaintiffs are rarely granted class certification. In 2023, certification was only granted in 14% of cases. 1. Overview Data breach class actions have emerged as one of the fastest growing areas in the complex litigation space. After every major (and even not-so-major report) of a breach, companies can expect negative publicity followed by one or more class action lawsuits. In recent years, blue-chip companies such as Microsoft, Wattpad, Meta/Facebook, Estee Lauder, Whisper and Advanced Info Service endured data breach class action litigation following significant data breach events affecting hundreds of millions of employee and consumer records.
In 2023, there was a notable increase in data breach class actions. Data breach class actions filed within the first half of 2023 totaled 246, roughly equivalent to the total number of cases for the entire year of 2022. The monthly average of data breach class actions for 2023 stood at 44.5 until the end of August, marking a significant rise from the 2022 average of 20.6. This surge in data breach class actions in 2023 can be traced back to several contributing factors. One of the primary catalysts for this increase is the MOVEit data breach that took place this past year, involving file transfer software. Furthermore, there has been a marked increase in the sophistication of cybercriminal activities, leading to more frequent and severe data breaches. Based on our analysis of the 2023 data breach class action landscape, there is a significant uptick of ransomware attacks, where criminals are demanding a payment in exchange for not publishing data that they were able to obtain. But even if a company chooses to pay off a ransom, there is still a real worry that paying off a hacker does not guarantee that they will delete the data. Many believe that these payments will only encourage the attacks to continue. As a result, we expect to see more large-scale data breaches impacting companies across all industries, as the shift to remote working, cloud-based storage, and the rise in sophisticated cybercriminals threatens data security. This is turn will lead to more data breach class action lawsuit filings. While data breach actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages. A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims. While it is well-settled that individuals who have experienced direct economic injury from a
4
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
breach (such as incurring fraudulent charges) have legal standing, as do those who can plausibly allege that their data was improperly accessed, the standing of group members who do not have a firm indication that their data was accessed or misused by an unauthorized party is highly contested. Plaintiffs’ attorneys typically allege several “harms” to try to establish a cognizable injury for this subset of claims. Such “injuries” may include the lost economic value of their personal information, overpayment for the defendant ’ s services, lost “benefit of the bargain,” and an increased risk of future identity theft. Additionally, individual data breach plaintiffs now utilize a wide array of state law causes of action to circumvent any limitations of federal law. It is not uncommon to see negligence claims survive motions to dismiss, as industry guidelines for data security may serve as the standard of care. In addition, plaintiffs often can plausibly allege that a company has a duty to take “reasonable precautions” to forestall the theft of sensitive personal information within its possession. In recent years, the financial implications of class action settlements related to data breaches also have been escalating. This trend was particularly noticeable in 2023, with several high-profile cases resulting in substantial settlement amounts. These increasing costs can be attributed to a few key factors. First, the sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Second, the nature of the data being compromised is becoming more sensitive - including financial and health information - which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements. Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serve to drive up costs. In sum, data breach class action litigation continues to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The focus of this chapter is to survey the recent developments and settlements of the law in the area of data breach class action litigation. Certification were issued in several cases in 2023, with mixed results. In 2023, class certification was granted 14% of the time, with 1 of 7 total motions being granted by the courts. 2. The MOVEit Data Breach Class Action Although this class action is in its infant stages, the Judicial Panel on Multidistrict Litigation has consolidated more than 100 class-action lawsuits resulting from a Russian cybergang ’ s exploitation of a vulnerability in the file transfer software MOVEit. That litigation is entitled In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023). On October 4, 2023, a five-member panel led by Judge Karen K. Caldwell determined that that 101 lawsuits filed in more than 20 districts should be consolidated and assigned to U.S. District Judge Allison D. Burroughs of the U.S. District Court for the District of Massachusetts. The suits allege that a vulnerability in Massachusetts-based Progress Software Corp. ’ s MOVEit file transfer services was exploited in May 2023. According to news sources, Russian cybergang CL0P claimed responsibility. MOVEit Transfer web apps were infiltrated by malware that was used to steal sensitive information from databases. CL0P has sent ransom notes to upper-level executives at companies that have been hacked. The group threatens to publish files to its website, which leaks private data to the public, if organizations decline to pay up. The long-term fallout of the MOVEit data breach is still unfolding. The MOVEit data breach is considered to be the largest hack of 2023. According to the Judicial Panel on Multidistrict Litigation ’ s transfer order, this breach exposed the personally identifiable information of more
5
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
than 55 million people. Affected entities include Shell PLC, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. While the panel heard many arguments against consolidation and centralization, Judge Caldwell determined that all actions can be expected to share common and complex factual questions as to how the MOVEit vulnerability occurred, as well as the circumstances of the unauthorized access and Progress Software ’ s response. The panel recognized that while some of the suits target the customer-facing providers of the software and not MOVEit ’ s manufacturer, that does not mean that discovery in those actions must cease while common discovery is being conducted against other defendants in the MDL. Similarly, the panel put distance between this case and its decision to deny centralization in the litigation entitled In Re Accellion Inc. Customer Data Security Breach Litigation, 543 F. Supp. 3d 1372 (J.P.M.L. 2021), noting a difference in the software at the center of the litigation, the larger number of cases in the MOVEit litigation, and MOVEit owner Progress Software ’ s central role in it. Some plaintiffs opposing MOVEit centralization argued that, instead of a singular breach, there were numerous successive intrusions into different servers affecting different customer-facing defendants. But the panel opined this argument does not change the fact that MOVEit ’ s vulnerability is at the core of all cases. The panel chose the District of Massachusetts because more cases are pending there than in any other district and Progress Software is headquartered in the state, thereby increasing access to relevant employees, databases, documents, witnesses and other evidence. This data breach litigation is at the top of the watch list as we move into 2024. 3. The U.S. Supreme Court ’ s TransUnion Decision In regards to other recent jurisprudence that has impacted the data breach class action landscape, the U.S. Supreme Court ’ s decision in TransUnion LLC v. Ramirez, et al. , 141 S.Ct. 2190 (2021), remains a game-changer for defendants. In TransUnion , a class of 8,185 individuals sued a credit report agency for failing to use reasonable procedures to ensure the accuracy of their credit reports. Id. TransUnion used a third-party software to cross-reference its database with the Office of Foreign Assets Control ’ s (OFAC) terrorist list. Id. at 2201. The “cross-referencing” consisted only of comparing the first and last name of the individual with the first and last name of suspected terrorists on the OFAC list. Id. Part of the class (1,853 members) were tagged as “suspected” matches and had their misleading credit report distributed by TransUnion to a third-party business. Id. at 2200. For example, the named plaintiff , Sergio Ramirez, was denied the ability to purchase a car at a Nissan dealership because of an inaccurate OFAC alert on his credit report. Id. at 2201. The remaining members of the class had an inaccurate OFAC alerts on their credit report, but did not have their credit reports distributed. Id. The Supreme Court concluded that only the class members who had their misleading credit report actually distributed suffered a “concrete harm” and thus had Article III standing. The Supreme Court compared the injury to a “person [who] is injured when a defamatory statement ‘ that would subject him to hatred, contempt, or ridicule’ is published to a third party.” Id. at 2209. Because such a harm has a “close relationship” to harms traditionally recognized in American law, it was sufficient to establish an injury-in-fact for purposes of Article III standing. The Supreme Court rejected the claims of class members who only alleged TransUnion maintained files with inaccurate OFAC alerts. The Supreme Court concluded that “there is no ‘ historical or common law analog where the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.” Id. (quoting Owner-Operator Independent Drivers Association, Inc. v. Department Of Transportation , 879 F.3d 339, 344 (D.C. Cir. 2018)). The Supreme Court also rejected the class members’ argument that the increased “risk of future harm” was sufficient to confer standing. Id. at 2210. It reasoned that although a “person exposed to a risk of future harm may pursue forward-looking, injunctive relief to
6
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
prevent the harm from occurring,” actual harm is required for retrospective, monetary damages. Id. (citing Clapper, et al. v. Amnesty International USA , 568 U.S. 398, 414 (2013)). Similar to the putative class members in TransUnion , many data breach class action plaintiffs will likely be unable to plead any concrete harm. Accordingly, while the developing case law following TransUnion is still in its infancy and its progeny is limited, this decision could be a game-changer for fracturing data breach class actions in 2024 and beyond. I. Key Rulings In Data Breach Class Actions The significant decisions in 2023 can be grouped in several categories, which are discussed below, including: (i) rulings on discovery and procedural decisions involving class action certification; (ii) preemptive motions to strike and dismiss class claims due to defects on the face of the pleadings, such as challenges to a plaintiffs individual and class standing; (iii) rulings denying class certification based predominance and individualized inquiries relative to potential damages; and (iv) rulings granting class certification. 1. Discovery And Procedural Decisions Although not dispositive motions, successful defenses to class certification can begin with utilizing the gamut of discovery and procedural defenses to substantive proof. Sometimes procedural defenses underlying the requirements of Rule 23 and discovery posturing are powerful tools to derail class actions. In In Re T-Mobile 2022 Customer Data Security Breach Litigation, 2023 U.S. Dist. LEXIS 97670 (J.P.M.L. June 2, 2023), the plaintiffs filed several related actions alleging that the defendant was subject to a data breach that resulted in millions of T-Mobile subscribers’ data to be leaked by hackers onto the internet. The plaintiff moved pursuant to 28 U.S.C. § 1407 to centralize the litigation in the U.S. District Court for the Western District of Washington or, alternatively, the Western District of Missouri. The litigation consisted of 11 actions pending in eight districts. All plaintiffs supported centralization, although the plaintiffs in five actions supported centralization in the Western District of Washington, and the plaintiffs in one action supported centralization in the Western District of Missouri, and the plaintiff in one action requested centralization in the District of Kansas or, alternatively, the Western District of Missouri, and represented that plaintiffs in four other actions also supported centralization in the District of Kansas. The plaintiffs in two actions requested centralization in the Southern District of California or another California district. Id. at *1. The defendants supported centralization in the Western District of Missouri or the District of Kansas. The Judicial Panel on Multi-District Litigation (JPML) found that common questions of fact existed in all the actions, and ruled that centralization in the Western District of Missouri would best serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation. The JPML determined that common factual questions would include: (i) T-Mobile ’ s data security practices and whether those practices met industry standards; (ii) how the unauthorized actor obtained access to T- Mobile ’ s system; (iii) the extent of the personal information affected by the breach; and (iv) when T-Mobile knew or should have known of the breach. Id. at *2. Therefore, the JPML opined that centralization would eliminate duplicative discovery, prevent inconsistent pretrial rulings, and conserve the resources of the parties, their counsel, and the judiciary. Id. at *3. Accordingly, the JPML centralized the actions in the Western District of Missouri. The Eleventh Circuit ruled on amendments to complaints in Sheffler, et al. v. Americold Realty Trust, 2023 U.S. App. LEXIS 14458 (11th Cir. June 9, 2023). The plaintiffs, a group of former employees, filed a class action alleging that their sensitive personally identifiable information (PII) was exposed in a data breach incident. The district court granted the defendant ’ s motion to dismiss, and denied the plaintiffs’ motion for leave to amend their complaint. On appeal, the Eleventh Circuit vacated the district court ’ s ruling. The plaintiffs alleged that their PII was improperly accessed during a ransomware attack on the defendant ’ s systems. The district court concluded the plaintiffs’ negligence claim failed because their foreseeability
7
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
allegations were not sufficiently specific and that the plaintiffs failed to allege the existence of a contract. The plaintiffs moved for an order vacating the dismissal and allowing them leave to file a second amended complaint to add more specific allegations about the foreseeability of a data breach. The district court found that the plaintiffs needed to meet the stringent standards of Rules 59 and 60, not the more lenient standard of Rule 15, and the plaintiffs failed to meet that standard. On appeal, the plaintiffs argued that the district court erred by using the stringent Rule 59(e) standard, rather than the more lenient Rule 15 standard. The Eleventh Circuit ruled that the district court, in denying leave to amend, did not find that the proposed amendment would be futile, that there was undue delay, or that the defendant would be prejudiced by the amendment. Id. at *6. Thus, the Eleventh Circuit concluded that the district court erred in denying leave to amend, and vacated the ruling. Finally, in Griggs, et al. v. NHS Management LLC, 2023 U.S. Dist. LEXIS 109607 (N.D. Ala. June 26, 2023), the plaintiffs filed a class action bringing claims for negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of confidence, and breach of fiduciary duty in connection with a data breach at defendant ’ s health care company. The plaintiff asserted that the breach included personal identifying information (PII) including the plaintiff ’ s name, date of birth, Social Security number, medical information, and health insurance information. The plaintiff contended that the defendant was responsible for the data breach because of its failure to follow industry standard practices for securing sensitive information and inadequately training its employees in data security policies and procedures. The court entered an order requiring the parties to provide supplemental briefing on the existence of subject- matter jurisdiction under the Class Action Fairness Act (CAFA). After supplemental briefing, the court found that the plaintiff failed to establish the threshold requirements for CAFA jurisdiction. The court reasoned that the plaintiff failed to plausibly allege minimal diversity because she did not allege that any other putative class member was a citizen of Alabama or Delaware, where the plaintiff and defendant were located. The court found that the plaintiff ’ s factual allegations did not provide sufficient information for the court to determine the citizenship of any putative class members. Therefore, based on the allegations in the complaint, the court determined that it could not find that it had jurisdiction over the plaintiff ’ s claims. 2. Dispositive Motion Decisions In certain instances, defendants also derailed class actions at the pleading stage in 2023 by raising subject-matter jurisdictional attacks on standing for individual and class claims. As a strategy that asserts a jurisdictional bar to class certification, it requires the defendant to show that the individuals bringing the class action failed to allege a concrete and particularized harm that was caused by the defendant. Courts have not provided litigants much leeway in how they plead injury and causation in the data breach context, which is why challenges to a plaintiff ’ s standing has become the leading issue in data breach cases, especially at the motion to dismiss stage. The pay-off for a successful motion dismissing class claims due to lack of standing is often a significant victory for a defendant. It has the potential to eliminate the class claims, which also avoids the costs of class-wide discovery if the case proceeds forward as a single plaintiff claim, which severely limits the bottom line total exposure. The First Circuit in Webb, et al. v. Injured Workers Pharmacy, LLC, 2023 U.S. App. LEXIS 16650 (1st Cir. June 30, 2023), ruled on the plaintiffs’ standing to bring their claims. The plaintiffs brought a putative class action against the defendant asserting various state law claims related to a data breach that allegedly exposed their personally identifiable information (“PII”) and the PII of over 75,000 other patients. Id. at *2. Plaintiff Webb asserted that as a result of the breach, she feared for the safety of her information, spent time monitoring and accounting her PII, and experienced trauma from the event. Id. at *4-5. In 2021, Webb ’ s PII was used to file a fraudulent 2021 tax return. Id. at *5. Plaintiff Charley alleged similar fears and concerns as to Plaintiff Webb. Id. The defendant moved to dismiss the complaint for lack of Article III standing under Rule 12(b)(1), and for failure to state a claim as to each of the complaint ’ s asserted claims pursuant to Rule 12(b)(6). Id. The district court granted the defendant ’ s motion and dismissed the case under Rule 12(b)(1), finding that the plaintiffs lacked Article III standing because their complaint did not plausibly allege an injury-in-fact. Id. The district court reasoned that the complaint ’ s allegations that the
8
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
fraudulent tax return filed in Webb ’ s name did not sufficiently allege a connection between the data breach and this false return. Id. at *6-7. The district court also opined that the complaint ’ s other allegations - that the potential future misuse of the plaintiff ’ s PII was not sufficiently imminent to establish an injury-in-fact and that actions to safeguard against this risk - could not confer standing either. Id. at *7. The district court did not reach the defendant ’ s Rule 12(b)(6) arguments because the case was dismissed under Rule 12(b)(1). Id. On the plaintiffs’ appeal, the First Circuit reversed the district court ’ s ruling. It held that the plaintiffs plausibly alleged a concrete injury-in-fact. In regards to Plaintiff Webb, the First Circuit concluded that “the complaint plausibly alleged a concrete injury in fact as to Webb based on the plausible pleading that the data breach resulted in the misuse of her PII by an unauthorized third party (or third parties) to file a fraudulent tax return.” Id. at *10-11. The First Circuit rejected the district court ’ s conclusion that the complaint did not plausibly allege a connection between the data breach and the filing of the false tax return. Id. at *13. Instead, the First Circuit opined “[t]here is an obvious temporal connection between the filing of the false tax return and the timing of the data breach.” Id. Turning to Plaintiff Charley, the First Circuit held that in light of the plausible allegations of some actual misuse, the complaint plausibly alleged a concrete injury in fact based on the material risk of future misuse of Charley ’ s PII and a concrete harm caused by the exposure to this risk. Id. at *15. Further, the First Circuit asserted that the totality of the complaint plausibly alleged an imminent and substantial risk of future misuse of the Plaintiffs’ PII. Id. at *19. In addition, the First Circuit found the complaint ’ s allegations satisfied the traceability and redressability standing requirements. Id. at *21. The complaint alleged that the defendant ’ s actions led to the exposure and actual or potential misuse of the plaintiffs’ PII, thereby making their injuries “fairly traceable to IWP ’ s conduct.” Id. As to redressability, the First Circuit stated that “monetary relief would compensate [the plaintiffs] for their injur[ies], rendering the injur[ies] redressable.” Id. at *22. The First Circuit thus held that the plaintiffs supported each of their five causes of action for damages with at least one injury-in-fact caused by the defendant and redressable by a court order. Id. Finally, the First Circuit affirmed the district court ’ s ruling that the plaintiffs lacked standing to seek injunctive relief, stating that they faced “much the same risk of future cyberhacking as virtually every holder of private data.” Id. at *24. For these reasons, the First Circuit affirmed the district court ’ s holding that Plaintiffs lacked standing to seek injunctive relief. In Whitfield, et al. v. ATC Healthcare Services, LLC, 2023 U.S. Dist. LEXIS 147602 (E.D.N.Y. Aug. 22, 2023), the plaintiff, a former employee and Illinois citizen, filed a class action alleging that the defendant, a Georgia-based healthcare staffing company with its principal place of business in New York, subjected her and others’ highly sensitive personal identifying information (PII) and personal health information (PHI) when it was subjected to a data breach by cybercriminals. The plaintiff further alleged that she spent time and effort dealing with the consequences of the breach and that subsequently, her debit card and bank account were compromised three times. The defendant confirmed to employees after the breach that the employee information exposed included “names, Social Security numbers, driver ’ s licenses, financial account information, usernames, passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures and employer-assigned identification numbers.” Id. at *3. The defendant filed a motion to dismiss the claims pursuant to Rule 12(b)(1) or Rule 12(b)(6). The court denied the motion in part and granted it in part. The defendant contended that the plaintiff lacked standing based on her failure to establish that the defendant caused her a concrete injury, and that she instead asserted speculative allegations of a risk of non-imminent, future harm. The plaintiff argued that the defendant ’ s failure to prevent the data breach caused concrete injuries, including a “disclosure of private information,” identity theft, lost time and expenses, emotional damages, and the “lost benefit of the bargain.” Id. at *7. The court agreed with the plaintiff that her alleged injuries established standing under Article III and thereby denied the motion to dismiss pursuant to Rule 12(b)(1). The defendant further argued that the claims should be dismissed for failure to state a claim and failure to plausibly plead attendant damages. The court rejected this argument on the basis that a data breach victim who plausibly alleges a post-breach misuse of her PII/PHI, which the plaintiff did, may seek associated damages. Finally, the court determined that the plaintiff pled facts sufficient to support her claim under the Illinois Biometric Information Privacy Act, which prohibits the disclosure or dissemination of a person ’ s biometric identifiers or information without that person ’ s consent. Id. at *19. For these reasons, the court denied the defendant ’ s motion to dismiss.
9
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35Made with FlippingBook - professional solution for displaying marketing and sales documents online