Duane Morris Data Breach Class Action Review — 2024

these reasons, the Second Circuit reversed and remanded the district court's ruling granting the defendants' motion to dismiss. The Eleventh Circuit issued another opinion on standing in the context of a data breach in Ramirez, et al. v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023). The plaintiff, a former employee, filed a class action bringing claims for breach of contract and negligence in connection with a ransomware attack on the defendant's administrative systems in which cybercriminals obtained the Social Security numbers of the plaintiff and other current and former employees. The district court granted the defendant's motion to dismiss. On appeal, the Eleventh Circuit affirmed in part and reversed in part. The plaintiff contended that the defendant required employees to provide personal identifying information (PII) about themselves and their beneficiaries as a condition of employment. The plaintiff discovered that pandemic unemployment assistance claims had been filed in his name. The defendant subsequently informed employees that it was subject to a data breach, and that employees' PII had been disclosed to hackers. The plaintiff asserted that he spent time dealing with the data breach and suffered annoyance, anxiety, an increased risk of fraud and identity theft, and a diminution in the value of his PII. Id. at 1216. The plaintiff alleged that the defendant could have prevented the data breach by properly securing and encrypting the files containing PII and destroying older data about former employees. The district court ruled that the plaintiff's negligence claim failed because he did not adequately allege that the defendant could have foreseen the harm. The district court also dismissed the plaintiff's breach of implied contract claim because he did not allege how the defendant manifested an intent to provide data security as part of an employment agreement. Id. at 1217.
The plaintiff alleged that the district court asked for too much specificity at the pleading stage to state a claim for negligence. The Eleventh Circuit agreed. It held that the plaintiff sufficiently alleged that the defendant maintained his unencrypted PII in an internet-accessible database with tens of thousands of other current and former employees and failed to comply with industry standards to protect the PII from cyberattacks. The Eleventh Circuit opined that it could reasonably infer that a large sophisticated company like the defendant could have foreseen being the target of a cyberattack. However, the Eleventh Circuit reasoned that the plaintiff failed to allege breach of contract because he did not provide any facts from which it could infer that the defendant agreed to be bound by any data retention or protection policy. Accordingly, the Eleventh Circuit affirmed in part and reversed in part the district court's ruling granting the defendant's motion to dismiss. In Florence, et al. v. Order Express, Inc., 2023 U.S. Dist. LEXIS 89410 (N.D. Ill. May 23, 2023), the plaintiffs, a group of customers, filed a class action alleging that the defendant's data breach caused their personal information to be exposed on the dark web. The plaintiffs brought claims for negligence, breach of implied contract, and violation of the California Consumer Protection Act (CCPA). The defendant filed a motion to dismiss pursuant to Rule 12(b)(1), and the court denied the motion. The defendant collected personal information from over 63,000 customers, including social security numbers and driver's license numbers, and stored the information in an unencrypted and internet-accessible network. Following the data breach, customer data was sold on the dark web. The defendant notified customers and state attorneys general about the breach, but did not disclose that the data was for sale on the dark web.
The plaintiffs took steps to mitigate the risks, including implementing credit monitoring and procuring identity-theft insurance. The court ruled that the loss of privacy resulting from the data breach constituted a concrete injury-in-fact. The court also held that the mitigation costs incurred by the plaintiffs, based on the threat of future harm, were a concrete harm sufficient to establish standing. The court, however, rejected the plaintiffs' claim of emotional distress, anxiety, and annoyance as a concrete harm (stating that the Seventh Circuit consistently had rejected such arguments as a basis for standing). The court determined that the plaintiffs sufficiently alleged a claim under the CCPA because they provided notice to the defendant properly, and alleged that the defendant did not encrypt the personal identifying information or delete the information it no longer needed to maintain on its internet-accessible network. For these reasons, the court denied the defendant's motion to dismiss. A significant data breach class action - Customer Data Security Breach Litigation City Of Chicago, et al. v. Marriott International, 2023 U.S. Dist. LEXIS 115863 (D. Md. May 5, 2023) - is a multidistrict Litigation

© Duane Morris LLP 2024
