Duane Morris Data Breach Class Action Review — 2024

By definition, individuals who did not suffer injury as the result of the defendant’s conduct cannot maintain claims, and courts do not have the power to award them relief. As the U.S. Supreme Court reiterated in TransUnion , “Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.” TransUnion LLC v. Ramirez, et al. , 141 S.Ct. 2190, 2208 (quoting Tyson Foods v. Bouaphakeo , 577 U.S. 442, 466 (2016). “[S]tanding is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” Id. Courts have continued to grapple with the application of these concepts in the class certification context. In particular, they disagree over whether to certify a class, a plaintiff must demonstrate that every putative class member has standing or, stated differently, must demonstrate that the class excludes those individuals who did not suffer harm. In TransUnion , the Supreme Court expressly left open the question of “whether every class member must demonstrate standing before a court certifies a class.” Id. at n.4. Such a requirement has significant consequences in the data breach context. In Steinmetz, et al. v. Brinker International, Inc. , 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), for instance, the plaintiffs alleged that hackers targeted Chili’s restaurant systems, stole customer data and personally identifiable information, and posted that information on an online market place for stolen payment data. Id. at *2-3. Two named plaintiffs also alleged that, after their visits to Chili’s, they had unauthorized charges on their credit cards. Id. After the district court certified a nationwide class and California state-wide class, the Eleventh Circuit vacated the district court’s ruling. The Eleventh Circuit held that, although the plaintiffs alleged a concrete injury sufficient to demonstrate Article III standing, the phrase “data accessed by cybercriminals” in both class definitions was too broad and the class would have to be limited to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at *15. The Eleventh Circuit determined that the district court needed to refine the class definition to include those two categories only and then conduct a new predominance analysis as to uninjured individuals who simply had their data accessed. Similarly, in Attias, et al. v. Carefirst, Inc., 344 F.R.D. 38 (D.D.C. Mar. 28, 2023), the plaintiffs filed a class action alleging that unauthorized individuals accessed the names, birth dates, email addresses, and subscriber identification numbers for over a million insureds. The district court denied plaintiffs’ motion for class certification. The court found that the plaintiffs met the requirements for Rule 23(a), but it expressed concerns about predominance. The court found potential individualized issues related to demonstrating class-wide injury-in-fact, particularly if the injuries for some class members were only future speculative injuries. For these reasons, the court ruled that the plaintiffs failed to meet the predominance requirement of Rule 23 and denied the motion for class certification. Given the potency of the standing defense, we anticipate that it will continue to occupy a center-stage role in data breach litigation, particularly as plaintiffs attempt to maneuver around negative precedent at the outset to state a claim, only to encounter a similar obstacle at the class certification stage on a broader scale. Class action litigation in the data breach space has continued to become more routine with lawsuits being filed after every major and not-so-major report of a breach and through many high-profile data breach cases that create headlines on a regular basis. In recent years, companies such as Microsoft, Wattpad, Meta/Facebook, Estee Lauder, Whisper and Advanced Info Service, have experienced significant breach events affecting hundreds of millions of their records. Most recently, in In Re Marriott International Inc. Customer Data Security Breach Litigation , 341 F.R.D. 128 (D. Md. May 3, 2022), a federal judge in Maryland granted class certification in a data breach impacting over 133 million American consumers against hotel chain Marriott and its data security vendor Accenture. This was, to date, the largest data breach case in the country. We expect to see more large-scale data breaches impacting companies across industries as the shift to remote working, cloud-based storage, and the rise in sophisticated cybercriminals

3

© Duane Morris LLP 2024

Duane Morris Data Breach Class Action Review – 2024

Made with FlippingBook - professional solution for displaying marketing and sales documents online