prevent the harm from occurring,” actual harm is required for retrospective, monetary damages. Id. (citing Clapper, et al. v. Amnesty International USA , 568 U.S. 398, 414 (2013)). Similar to the putative class members in TransUnion , many data breach class action plaintiffs will likely be unable to plead any concrete harm. Accordingly, while the developing case law following TransUnion is still in its infancy and its progeny is limited, this decision could be a game-changer for fracturing data breach class actions in 2024 and beyond. I. Key Rulings In Data Breach Class Actions The significant decisions in 2023 can be grouped in several categories, which are discussed below, including: (i) rulings on discovery and procedural decisions involving class action certification; (ii) preemptive motions to strike and dismiss class claims due to defects on the face of the pleadings, such as challenges to a plaintiffs individual and class standing; (iii) rulings denying class certification based predominance and individualized inquiries relative to potential damages; and (iv) rulings granting class certification. 1. Discovery And Procedural Decisions Although not dispositive motions, successful defenses to class certification can begin with utilizing the gamut of discovery and procedural defenses to substantive proof. Sometimes procedural defenses underlying the requirements of Rule 23 and discovery posturing are powerful tools to derail class actions. In In Re T-Mobile 2022 Customer Data Security Breach Litigation, 2023 U.S. Dist. LEXIS 97670 (J.P.M.L. June 2, 2023), the plaintiffs filed several related actions alleging that the defendant was subject to a data breach that resulted in millions of T-Mobile subscribers’ data to be leaked by hackers onto the internet. The plaintiff moved pursuant to 28 U.S.C. § 1407 to centralize the litigation in the U.S. District Court for the Western District of Washington or, alternatively, the Western District of Missouri. The litigation consisted of 11 actions pending in eight districts. All plaintiffs supported centralization, although the plaintiffs in five actions supported centralization in the Western District of Washington, and the plaintiffs in one action supported centralization in the Western District of Missouri, and the plaintiff in one action requested centralization in the District of Kansas or, alternatively, the Western District of Missouri, and represented that plaintiffs in four other actions also supported centralization in the District of Kansas. The plaintiffs in two actions requested centralization in the Southern District of California or another California district. Id. at *1. The defendants supported centralization in the Western District of Missouri or the District of Kansas. The Judicial Panel on Multi-District Litigation (JPML) found that common questions of fact existed in all the actions, and ruled that centralization in the Western District of Missouri would best serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation. The JPML determined that common factual questions would include: (i) T-Mobile ’ s data security practices and whether those practices met industry standards; (ii) how the unauthorized actor obtained access to T- Mobile ’ s system; (iii) the extent of the personal information affected by the breach; and (iv) when T-Mobile knew or should have known of the breach. Id. at *2. Therefore, the JPML opined that centralization would eliminate duplicative discovery, prevent inconsistent pretrial rulings, and conserve the resources of the parties, their counsel, and the judiciary. Id. at *3. Accordingly, the JPML centralized the actions in the Western District of Missouri. The Eleventh Circuit ruled on amendments to complaints in Sheffler, et al. v. Americold Realty Trust, 2023 U.S. App. LEXIS 14458 (11th Cir. June 9, 2023). The plaintiffs, a group of former employees, filed a class action alleging that their sensitive personally identifiable information (PII) was exposed in a data breach incident. The district court granted the defendant ’ s motion to dismiss, and denied the plaintiffs’ motion for leave to amend their complaint. On appeal, the Eleventh Circuit vacated the district court ’ s ruling. The plaintiffs alleged that their PII was improperly accessed during a ransomware attack on the defendant ’ s systems. The district court concluded the plaintiffs’ negligence claim failed because their foreseeability
7
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online