Duane Morris Data Breach Class Action Review — 2024

for plaintiffs to attempt to show standing and successfully plead duty, causation, and damages, thereby providing additional momentum for the plaintiffs’ class action bar. The U.S. Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021), has presented a fundamental threshold challenge for many data breach class action plaintiffs – i.e., whether the plaintiff suffered a concrete injury such that he or she has standing to assert a claim. In TransUnion, the Supreme Court ruled that certain putative class members, who did not have their credit reports shared with third parties, did not suffer concrete harm and, therefore, lacked standing to sue. Since the TransUnion decision, standing has emerged as a key defense to data breach litigation because the plaintiffs often have difficulty demonstrating that class members suffered concrete harm. Courts, however, have continued to disagree over the application of TransUnion in the data breach context and have handed down varying decisions. For instance, whereas some courts have found allegations of mere access to personal information insufficient, courts have disagreed as to the amount of harm and level of causation plaintiffs must plead to maintain a claim. In Ruskiewicz, et al. v. Oklahoma City University, 2023 U.S. Dist. LEXIS 178928 (W.D. Okla. Oct. 4, 2023), for example, the plaintiff alleged that an unauthorized third party accessed and stole her personal information during a data breach, released it into the public domain, and, because of the data breach, she faced a heightened risk of identity theft. The plaintiff claimed that she was required to take mitigation measures, including “placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting [her] financial institutions, closing or modifying financial accounts, and closely reviewing [her] credit reports.” Id. at *5.
The court granted the defendant’s motion to dismiss on the basis that a plaintiff suing for damages and injunctive relief from a data breach based on a risk that fraud or identity theft may occur in the future, without any facts to show a misuse of the data had occurred, failed to allege a concrete injury and lacked standing. Id. at *6; see, e.g., Holmes v. Elephant Insurance Co., 2023 U.S. Dist. LEXIS 110161 (E.D. Va. June 26, 2023) (holding that allegations regarding an increased risk of harm from future fraud or identity theft and time spent on preventative and mitigation efforts, such as monitoring credit and financial documents, did not demonstrate Article III standing). In Bohnak, et al. v. Marsh & McLennan Co., 2023 U.S. App. LEXIS 22390 (2d Cir. Aug. 24, 2023), by contrast, the plaintiff alleged that an unauthorized third party accessed her name and Social Security number through a targeted data breach. The district court granted the defendants’ motion to dismiss for lack of standing, finding that the risk of future misuse of her personal information did not give rise to standing. On appeal, the Second Circuit reversed. It held that, under TransUnion, “disclosure of private information” is sufficiently “concrete” for purposes of Article III, and the fact that plaintiff alleged that she incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft” and “lost time” and other “opportunity costs” associated with attempting to mitigate the consequences of the data breach, was sufficient. Id. at *19; see Florence, et al. v. Order Express, Inc., 2023 U.S. Dist. LEXIS 89410 (N.D. Ill. May 23, 2023) (finding loss of privacy resulting from data breach, including the mitigation costs, constituted a concrete injury).
Courts continue to grapple with the application of TransUnion in the data breach context, where many plaintiffs are unaware or unable to identify any concrete harm traceable to the alleged exposure of their information. Thus, while it is well-settled that individuals who have experienced direct economic injury from a breach (such as fraudulent charges) have legal standing, courts have disagreed as to the standing of persons who have not contended that an unauthorized party misused their data. Plaintiffs who clear the standing hurdle as to their own claims relative to their ability to demonstrate an injury from the alleged data breach have continued to face a larger and more daunting obstacle at the class certification phase. Indeed, only 16% of the class certification decisions issued in data breach cases in 2023 came out in favor of plaintiffs. Some of this difficulty arises from the problem of uninjured class members.


© Duane Morris LLP 2024
