breach (such as incurring fraudulent charges) have legal standing, as do those who can plausibly allege that their data was improperly accessed, the standing of group members who do not have a firm indication that their data was accessed or misused by an unauthorized party is highly contested. Plaintiffs’ attorneys typically allege several “harms” to try to establish a cognizable injury for this subset of claims. Such “injuries” may include the lost economic value of their personal information, overpayment for the defendant’s services, lost “benefit of the bargain,” and an increased risk of future identity theft.

Additionally, individual data breach plaintiffs now utilize a wide array of state law causes of action to circumvent any limitations of federal law. It is not uncommon to see negligence claims survive motions to dismiss, as industry guidelines for data security may serve as the standard of care. In addition, plaintiffs often can plausibly allege that a company has a duty to take “reasonable precautions” to forestall the theft of sensitive personal information within its possession.

In recent years, the financial implications of class action settlements related to data breaches also have been escalating. This trend was particularly noticeable in 2023, with several high-profile cases resulting in substantial settlement amounts. These increasing costs can be attributed to a few key factors. First, the sheer volume of individuals affected by data breaches has grown significantly, leading to larger classes and subsequently higher settlement amounts. Second, the nature of the data being compromised is becoming more sensitive - including financial and health information - which increases the potential damages awarded in these cases. Moreover, courts are becoming more sympathetic to plaintiffs’ positions and arguments in data breach cases. They are recognizing the potential harm caused by such breaches, even when the harm is not immediately apparent. This apparent shift in judicial attitudes is likewise contributing to larger settlements. Legal fees associated with these cases are also on the rise. As data breach litigation becomes more complex and requires specialized knowledge, legal teams are investing more resources into these cases, which serves to drive up costs.

In sum, data breach class action litigation continues to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar in data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. And while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The focus of this chapter is to survey the recent developments and settlements of the law in the area of data breach class action litigation.

Certification rulings were issued in several cases in 2023, with mixed results. In 2023, class certification was granted 14% of the time, with 1 of 7 total motions being granted by the courts.

2. The MOVEit Data Breach Class Action

Although this class action is in its infant stages, the Judicial Panel on Multidistrict Litigation has consolidated more than 100 class-action lawsuits resulting from a Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit. That litigation is entitled In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023). On October 4, 2023, a five-member panel led by Judge Karen K. Caldwell determined that 101 lawsuits filed in more than 20 districts should be consolidated and assigned to U.S. District Judge Allison D. Burroughs of the U.S. District Court for the District of Massachusetts. The suits allege that a vulnerability in Massachusetts-based Progress Software Corp.’s MOVEit file transfer services was exploited in May 2023.

According to news sources, Russian cybergang CL0P claimed responsibility. MOVEit Transfer web apps were infiltrated by malware that was used to steal sensitive information from databases. CL0P has sent ransom notes to upper-level executives at companies that have been hacked. The group threatens to publish files to its website, which leaks private data to the public, if organizations decline to pay up. The long-term fallout of the MOVEit data breach is still unfolding. The MOVEit data breach is considered to be the largest hack of 2023. According to the Judicial Panel on Multidistrict Litigation’s transfer order, this breach exposed the personally identifiable information of more
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024