Duane Morris Data Breach Class Action Review — 2024

their driver ’ s license numbers (DLNs), were exposed due to a data breach involving GEICO ’ s online insurance sales website. The plaintiffs asserted various claims, including negligence, intrusion upon seclusion, violations of New York General Business Law, and the federal Driver ’ s Privacy Protection Act (DPPA). Additionally, the plaintiffs sought declaratory and injunctive relief. The defendants filed a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6) and lack of standing pursuant to Rule 12(b)(1). The Magistrate Judge recommended granting the motion to dismiss in part and denying it in part. Specifically, the Magistrate Judge recommended dismissing the negligence per se, violations of New York General Business Law, and intrusion upon seclusion claims. However, the Magistrate Judge recommended denying the motion to dismiss the DPPA and negligence claims, as well as the request for declaratory and injunctive relief. On Rule 72 review, the court adopted the recommendations. The court asserted that for the DPPA claims, the plaintiffs needed to show that they suffered an injury-in-fact that was traceable to GEICO ’ s alleged DPPA violations. In this case, the court determined that the exposure of the plaintiffs’ personal information constituted an injury, and that injury was directly linked to GEICO ’ s alleged violation of the DPPA. Therefore, the court ruled that the plaintiffs had standing to bring DPPA claims. As for the negligence claim, the plaintiffs claimed that GEICO was negligent in protecting their personal information, which resulted in the data breach. The court found that the plaintiffs alleged a sufficient connection between GEICO ’ s actions and the harm they suffered due to the data breach. Accordingly, the court granted in part and denied in part the defendants’ motion to dismiss. In Holmes, et al. v. Elephant Insurance Co. , 2023 U.S. Dist. LEXIS 110161 (E.D. Va. June 26, 2023), the court dismissed a data breach class action case because the named plaintiffs could not demonstrate they had suffered any concrete injury sufficient to establish Article III standing, in addition to damages that could be proven on a class-wide basis. The case arose from a data breach affecting Elephant Insurance Co. (Elephant), an automobile insurance provider. Cyber criminals exploited Elephant ’ s auto-populate feature enabled for certain form input fields on the company ’ s website, allowing them to access the personal information of the plaintiffs and putative class members. The breached information included names, driver ’ s license numbers, and dates of birth. Four named plaintiffs brought claims against Elephant on behalf of a putative class under the federal Driver Privacy Protection Act, various state consumer protection and deceptive practices acts, and common law negligence. The plaintiffs alleged that they and the class members had suffered multiple forms of injury, including: (1) an increased risk of harm from future fraud or identity theft, (2) exposure of their driver ’ s license information for sale on the dark web, (3) a loss of privacy, (4) emotional distress, (5) diminution in the value of their information, and (6) time spent on preventative and mitigation efforts, such as monitoring their credit and financial documents. Relying on Fourth Circuit precedent, the court held that, even accepting the allegations of injury as true, the plaintiffs failed to establish Article III standing. The court opined that five out of six of the alleged injuries did not amount to concrete injuries-in-fact at all. Citing the Fourth Circuit ’ s decision in Beck v. McDonald , 848 F.3d 262 (4th Cir. 2017), and the Supreme Court ’ s decision in Clapper v. Amnesty Int’l USA , 568 U.S. 398 (2013), the court held that a heightened risk of future identity theft, “without more, does not constitute an injury-in-fact” where the plaintiffs failed to plead facts supporting their allegations of “certainly impending future identity theft.” Id . at *1. The court also noted the long chain of possibilities required to find a threatened injury, which was longer than the chain of possibilities the Fourth Circuit rejected in its case law. Id. at *4. The court also rejected the alleged emotional distress, diminution in value of personal information, and time spent on mitigation as concrete injuries. Finally, the court held that the plaintiffs lacked standing to pursue declaratory or injunctive relief because their allegations regarding a continued risk of a future breach were conclusory and unsupported. In Flores, et al. v AON Corp. , 2023 IL App (1st) 230140 (Ill. App. Sept. 29, 2023), the Illinois Appellate Court set a new lower bar for proof of injury in a data breach class action. In the initial pleadings, the plaintiffs alleged that they had suffered damages in the form of: (1) damages to and diminution in the value of their personal information; (2) lost time, annoyance, interference, and inconvenience dealing with the consequences of the data breach; and (3) anxiety and increased concerns for the loss of their privacy due to the data breach. Plaintiffs also alleged that they suffered imminent and impending injury arising from the substantially increased risk of fraud and identity theft by unauthorized third parties due to the data breach.

15

© Duane Morris LLP 2024

Duane Morris Data Breach Class Action Review – 2024

Made with FlippingBook - professional solution for displaying marketing and sales documents online