By Gerald L. Maatman, Jr. and Jennifer A. Riley
Duane Morris Takeaway: The volume of data breach class actions exploded in 2023, and their unique challenges, including issues of standing and uninjured class members, continued to vex the courts, leading to inconsistent outcomes. Data breach has emerged as one of the fastest growing areas of class action litigation. After every major (and not-so-major) report of a data breach, companies now can expect the resulting negative publicity to prompt one or more class action lawsuits, saddling companies with the significant costs of responding to the data breach as well as the significant costs of dealing with high-stakes class action lawsuits on multiple fronts.
Trend #4 – Data Breach Class Actions Continued Their Growth, But With Inconsistent Outcomes
Companies unfortunate enough to fall victim to data breaches in 2023 faced class actions, including copy-cat and follow-on class actions across multiple jurisdictions, at an increasing rate. In 2023, we saw a notable increase in data breach class actions as compared to 2022. Plaintiffs filed approximately 246 data breach class actions within the first half of 2023, roughly equivalent to the total number of filings for the entirety of 2022. On average, plaintiffs filed 44.5 data breach class actions per month during 2023 through the end of August, marking a significant increase from the average of 20.6 per month that we saw in 2022. From September 2023 to the end of the year, plaintiffs filed over 450 additional data breach class actions, for an average of over 125 a month.
Several factors likely contributed to this surge in data breach class actions in 2023, including the MOVEit data breach. The shift to remote work, the rise of cloud-based storage, and the escalation of sophisticated cybercriminal activity have threatened data security like never before, giving rise to more large-scale data breaches across industries and thereby prompting more lawsuits. In 2023, the Judicial Panel on Multidistrict Litigation consolidated more than 100 class actions arising from an alleged Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit. See In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023). Further, whereas data breach actions pursued a decade ago faced little prospect of success, recent court decisions provided a roadmap for plaintiffs to attempt to show standing and successfully plead duty, causation, and damages, thereby providing additional momentum for the plaintiffs’ class action bar.
The U.S. Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021), has presented a fundamental threshold challenge for many data breach class action plaintiffs – i.e., whether the plaintiff suffered a concrete injury such that he or she has standing to assert a claim. In TransUnion, the Supreme Court ruled that certain putative class members, who did not have their credit reports shared with third parties, did not suffer concrete harm and, therefore, lacked standing to sue. Since the TransUnion decision, standing has emerged as a key defense to data breach litigation because the plaintiffs often have difficulty demonstrating that class members suffered concrete harm.
Courts, however, have continued to disagree over the application of TransUnion in the data breach context and have handed down varying decisions. For instance, while some courts have found allegations of mere access to personal information insufficient, courts have disagreed as to how much harm and what level of causation plaintiffs must plead to maintain a claim.
In Ruskiewicz, et al. v. Oklahoma City University, 2023 U.S. Dist. LEXIS 178928 (W.D. Okla. Oct. 4, 2023), for example, the plaintiff alleged that an unauthorized third party accessed and stole her personal information during a data breach, released it into the public domain, and, because of the data breach, she faced a heightened risk of identity theft. The plaintiff claimed that she was required to take mitigation measures, including “placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting [her] financial institutions, closing or modifying financial accounts, and closely reviewing [her] credit reports.” Id. at *5. The court granted the defendant’s motion to dismiss on the basis that a plaintiff suing for damages and injunctive relief from a data breach based on a risk that fraud or identity theft may occur in the future, without any facts to show a misuse of the data had occurred, failed to allege a concrete injury and lacked standing. Id. at *6; see, e.g., Holmes v. Elephant Insurance Co., 2023 U.S. Dist. LEXIS 110161 (E.D. Va. June 26, 2023) (holding that allegations regarding an increased risk of harm from future fraud or identity theft and time spent on preventative and mitigation efforts, such as monitoring credit and financial documents, did not demonstrate Article III standing).
In Bohnak, et al. v. Marsh & McLennan Co., 2023 U.S. App. LEXIS 22390 (2d Cir. Aug. 24, 2023), by contrast, the plaintiff alleged that an unauthorized third party accessed her name and Social Security number through a targeted data breach. The district court granted the defendants’ motion to dismiss for lack of standing, finding that the risk of future misuse of her personal information did not give rise to standing. On appeal, the Second Circuit reversed. It held that, under TransUnion, “disclosure of private information” is sufficiently “concrete” for purposes of Article III, and that the plaintiff’s allegations that she incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft” and “lost time” and other “opportunity costs” associated with attempting to mitigate the consequences of the data breach were sufficient. Id. at *19; see Florence, et al. v. Order Express, Inc., 2023 U.S. Dist. LEXIS 89410 (N.D. Ill. May 23, 2023) (finding loss of privacy resulting from data breach, including the mitigation costs, constituted a concrete injury).
Courts continue to grapple with the application of TransUnion in the data breach context, where many plaintiffs are unaware of, or unable to identify, any concrete harm traceable to the alleged exposure of their information. Thus, while it is well-settled that individuals who have experienced direct economic injury from a breach (such as fraudulent charges) have legal standing, courts have disagreed as to the standing of persons who have not contended that an unauthorized party misused their data.
Plaintiffs who clear the standing hurdle as to their own claims by demonstrating an injury from the alleged data breach have continued to face a larger and more daunting obstacle at the class certification phase. Indeed, only 16% of the class certification decisions issued in data breach cases in 2023 came out in favor of plaintiffs. Some of this difficulty arises from the problem of uninjured class members.
By definition, individuals who did not suffer injury as the result of the defendant’s conduct cannot maintain claims, and courts do not have the power to award them relief. As the U.S. Supreme Court reiterated in TransUnion, “Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.” TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190, 2208 (quoting Tyson Foods v. Bouaphakeo, 577 U.S. 442, 466 (2016)). “[S]tanding is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” Id.
Courts have continued to grapple with the application of these concepts in the class certification context. In particular, they disagree over whether, to certify a class, a plaintiff must demonstrate that every putative class member has standing or, stated differently, must demonstrate that the class excludes those individuals who did not suffer harm. In TransUnion, the Supreme Court expressly left open the question of “whether every class member must demonstrate standing before a court certifies a class.” Id. at n.4. Such a requirement has significant consequences in the data breach context.
In Steinmetz, et al. v. Brinker International, Inc., 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), for instance, the plaintiffs alleged that hackers targeted Chili’s restaurant systems, stole customer data and personally identifiable information, and posted that information on an online marketplace for stolen payment data. Id. at *2-3. Two named plaintiffs also alleged that, after their visits to Chili’s, they had unauthorized charges on their credit cards. Id. After the district court certified a nationwide class and a California state-wide class, the Eleventh Circuit vacated the district court’s ruling. The Eleventh Circuit held that, although the plaintiffs alleged a concrete injury sufficient to demonstrate Article III standing, the phrase “data accessed by cybercriminals” in both class definitions was too broad and the class would have to be limited to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at *15. The Eleventh Circuit determined that the district court needed to refine the class definition to include those two categories only and then conduct a new predominance analysis as to uninjured individuals who simply had their data accessed.
Similarly, in Attias, et al. v. Carefirst, Inc., 344 F.R.D. 38 (D.D.C. Mar. 28, 2023), the plaintiffs filed a class action alleging that unauthorized individuals accessed the names, birth dates, email addresses, and subscriber identification numbers for over a million insureds. The district court denied plaintiffs’ motion for class certification. The court found that the plaintiffs met the requirements for Rule 23(a), but it expressed concerns about predominance. The court found potential individualized issues related to demonstrating class-wide injury-in-fact, particularly if the injuries for some class members were only future speculative injuries. For these reasons, the court ruled that the plaintiffs failed to meet the predominance requirement of Rule 23 and denied the motion for class certification.
Given the potency of the standing defense, we anticipate that it will continue to occupy a center-stage role in data breach litigation, particularly as plaintiffs attempt to maneuver around negative precedent at the outset to state a claim, only to encounter a similar obstacle at the class certification stage on a broader scale.