By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther
Duane Morris Takeaways: In Austin v. Fleming, Nolen & Jez, LLP, No. 4:23-CV-00901, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024), Judge Andrew S. Hanen of the U.S. District Court for the Southern District of Texas granted Defendant’s motion for summary judgment in a data breach class action. The Court found that the time Plaintiff’s allegations about the time spent – (i) researching the data breach, (ii) exploring credit monitoring and identity theft options, (iii) self-monitoring her accounts, and (iv) seeking legal counsel – were not compensable damages and could not support her claims. This case serves as an important reminder that named Plaintiffs in data breach class actions must have suffered an actual, viable, concrete injury to sustain their claims.
Case Background
On February 6, 2023, a cybercriminal breached Defendant’s servers and obtained some of its confidential client data. Id. at *1. The cybercriminal then demanded Defendant pay money to avoid the publication of Defendant’s confidential client data on the dark web. Id. After Defendant sent out data breach notice letters to their potentially affected clientele, the named Plaintiff, a former client of Defendant, filed a class action complaint against Defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing. Id.
Defendant moved for summary judgment on the basis that Plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach. Id. In response, Plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft. Id.
The Court’s Decision
The Court ruled that Plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.” Id. at 4. As a result, the Court only considered Defendant’s motion for summary judgment as it pertained to Plaintiff’s individual claim against the Defendant. Id.
The Court held that none of the following allegations of harm were sufficient for Plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.” Id. at *5-6.
Accordingly, the Court found that because Plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper. Id. at *6.
Implications For Companies
The Court’s ruling in Austin v. Fleming underscores the importance of damages and a viable injury-in-fact in data breach class actions. The first line of defense in any data breach class action challenging whether the named Plaintiff suffered an actual, concrete injury. Used effectively, companies can parlay a Plaintiff’s claimed damages in data breach class actions as quick off-ramp out of litigation.