Duane Morris Data Breach Class Action Review — 2024

substance abuse services, was subject to a data breach in which an unauthorized third party accessed its computer storage systems, which contained confidential and medical information of patients. The plaintiffs alleged the defendant failed to protect their information, thereby causing financial injuries and risking identity theft. The plaintiffs filed a motion for class certification pursuant to Rule 23, and the court denied the motion. The court determined that the plaintiffs failed to demonstrate that joinder of all class members was impracticable because they did not provide evidence that a sufficient number of patients actually had their personal data compromised. The court also ruled that the proposed class failed to meet the ascertainability requirement because determining which patients had their data compromised would be administratively unfeasible. For these reasons, the court denied the plaintiffs’ motion for class certification.

Similarly, in Savidge, et al. v. Pharm-Save, Inc., 2023 U.S. Dist. LEXIS 56382 (W.D. Ky. Mar. 31, 2023), the plaintiffs, two employees of the defendant, asserted that after their employment had ended, the defendant was subjected to a data breach in which personal and sensitive information contained in their tax statements and W-2 forms was compromised. The defendant informed all of its employees that their information was compromised when a current employee fell victim to a phishing scheme. The plaintiffs filed a motion for class certification pursuant to Rule 23, and the court denied the motion. In response to the data breach, the defendant offered employees a two-year membership of Experian data monitoring in order to detect the possible misuse of personal information and provide identity protection support. Id. at *4. The defendant argued that the plaintiffs’ motion should be denied because they failed to assert any viable theory of damages. The court agreed with the defense position. It reasoned that the motion for class certification should be denied without prejudice in order to allow the plaintiffs to establish evidentiary support of any damages. Accordingly, the court denied the plaintiffs’ motion for class certification.

In Asylum Seekers Trying To Assure Their Safety, et al. v. LeChleitner, 2023 U.S. Dist. LEXIS 221501 (D.D.C. Dec. 13, 2023), the plaintiffs, 49 non-U.S. citizens who came to the United States seeking asylum and were subsequently detained by U.S. Immigration and Customs Enforcement (ICE), filed a class action alleging that they were subjected to a data breach in which an ICE employee posted their sensitive information, including names and other personally identifiable information, on the agency's public-facing website. The plaintiffs asserted four claims against ICE officials, including violation of the Privacy Act, Administrative Procedure Act (APA), and violation of equal protection principles. The plaintiffs sought monetary damages and injunctive relief against ICE and the U.S. Department of Justice. The defendant moved to dismiss the action, and the court granted the motion. The plaintiffs fled their native countries to escape various threats such as gang violence, government retaliation, and persecution based on protected grounds. Subsequently, an ICE employee allegedly posted the information on the agency's website, making it accessible to the public for about five hours. Two days later, ICE acknowledged the breach and initiated corrective actions, including an investigation into the incident, notifying affected individuals, delaying removals, sending "clawback" letters to entities that accessed the document, and allowing affected parties to raise the data breach issue in removal proceedings. Id. at *4. The court concluded that the plaintiffs lacked Article III standing to seek injunctive or declaratory relief because they did not allege ongoing or future violations of their rights by the defendants. The court also determined that the plaintiffs’ claims for damages under the APA and the due process clause were barred by sovereign immunity. As to the Privacy Act claim, the plaintiffs claimed that they were at an enhanced risk of future harm by third parties due to the dissemination of their personal information. The court rejected the plaintiffs’ allegations, finding that they were entirely too speculative to establish Article III standing. The court explained that even if the plaintiffs could establish standing, the Privacy Act claim failed because the plaintiffs did not plausibly allege a violation of the statute, as they did not allege that the agency acted willfully or that they suffered any economic harm. For these reasons, the court granted the defendants' motion to dismiss.

In Steinmetz, et al. v. Brinker International, Inc., 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the defendant, the owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised. Id. at *2. Hackers targeted Chili’s restaurant systems


© Duane Morris LLP 2024
