Duane Morris Data Breach Class Action Review — 2024

allegations were not sufficiently specific and that the plaintiffs failed to allege the existence of a contract. The plaintiffs moved for an order vacating the dismissal and allowing them leave to file a second amended complaint to add more specific allegations about the foreseeability of a data breach. The district court found that the plaintiffs needed to meet the stringent standards of Rules 59 and 60, not the more lenient standard of Rule 15, and the plaintiffs failed to meet that standard. On appeal, the plaintiffs argued that the district court erred by using the stringent Rule 59(e) standard, rather than the more lenient Rule 15 standard. The Eleventh Circuit ruled that the district court, in denying leave to amend, did not find that the proposed amendment would be futile, that there was undue delay, or that the defendant would be prejudiced by the amendment. Id. at *6. Thus, the Eleventh Circuit concluded that the district court erred in denying leave to amend, and vacated the ruling.

Finally, in Griggs, et al. v. NHS Management LLC, 2023 U.S. Dist. LEXIS 109607 (N.D. Ala. June 26, 2023), the plaintiffs filed a class action bringing claims for negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of confidence, and breach of fiduciary duty in connection with a data breach at defendant’s health care company. The plaintiff asserted that the breach included personal identifying information (PII) including the plaintiff’s name, date of birth, Social Security number, medical information, and health insurance information. The plaintiff contended that the defendant was responsible for the data breach because of its failure to follow industry standard practices for securing sensitive information and inadequately training its employees in data security policies and procedures.
The court entered an order requiring the parties to provide supplemental briefing on the existence of subject-matter jurisdiction under the Class Action Fairness Act (CAFA). After supplemental briefing, the court found that the plaintiff failed to establish the threshold requirements for CAFA jurisdiction. The court reasoned that the plaintiff failed to plausibly allege minimal diversity because she did not allege that any other putative class member was a citizen of Alabama or Delaware, where the plaintiff and defendant were located. The court found that the plaintiff’s factual allegations did not provide sufficient information for the court to determine the citizenship of any putative class members. Therefore, based on the allegations in the complaint, the court determined that it could not find that it had jurisdiction over the plaintiff’s claims.

2. Dispositive Motion Decisions

In certain instances, defendants also derailed class actions at the pleading stage in 2023 by raising subject-matter jurisdictional attacks on standing for individual and class claims. As a strategy that asserts a jurisdictional bar to class certification, it requires the defendant to show that the individuals bringing the class action failed to allege a concrete and particularized harm that was caused by the defendant. Courts have not provided litigants much leeway in how they plead injury and causation in the data breach context, which is why challenges to a plaintiff’s standing have become the leading issue in data breach cases, especially at the motion to dismiss stage. The pay-off for a successful motion dismissing class claims due to lack of standing is often a significant victory for a defendant. It has the potential to eliminate the class claims, which also avoids the costs of class-wide discovery if the case proceeds forward as a single plaintiff claim, which severely limits the bottom line total exposure.

The First Circuit in Webb, et al. v. Injured Workers Pharmacy, LLC, 2023 U.S. App. LEXIS 16650 (1st Cir. June 30, 2023), ruled on the plaintiffs’ standing to bring their claims. The plaintiffs brought a putative class action against the defendant asserting various state law claims related to a data breach that allegedly exposed their personally identifiable information (“PII”) and the PII of over 75,000 other patients. Id. at *2. Plaintiff Webb asserted that as a result of the breach, she feared for the safety of her information, spent time monitoring and accounting her PII, and experienced trauma from the event. Id. at *4-5. In 2021, Webb’s PII was used to file a fraudulent 2021 tax return. Id. at *5. Plaintiff Charley alleged fears and concerns similar to those of Plaintiff Webb. Id. The defendant moved to dismiss the complaint for lack of Article III standing under Rule 12(b)(1), and for failure to state a claim as to each of the complaint’s asserted claims pursuant to Rule 12(b)(6). Id. The district court granted the defendant’s motion and dismissed the case under Rule 12(b)(1), finding that the plaintiffs lacked Article III standing because their complaint did not plausibly allege an injury-in-fact. Id. The district court reasoned that the complaint’s allegations that the

© Duane Morris LLP 2024
