Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associates Emilee Crowther and Ryan Garippo with their discussion of three recent data breach class action filings in the Northern District of Georgia and common challenges and trends they’ve identified in data breach class action litigation over the past 18 months.
Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.
Episode Transcript
Jerry Maatman: Thanks so much loyal blog readers and listeners, this is our next episode the Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today are Emily Crowther of our Austin office and Ryan Garippo of our Chicago office. Thanks so much to both of you for being on our podcast.
Emilee Crowther: Thank you, Jerry. I’m very happy to be here.
Ryan Garippo: Great to be here, Jerry. Thanks for having me.
Jerry: So today, our subject is the area of data breach class actions in general, and three new class actions recently filed in federal court in the Northern District of Georgia by employees, in essence, alleging that their personally identifying information was compromised during data breaches. Emilee, I know that you practice quite a bit in this space. Could you give us some information on these filings, and why they’re important to corporate counsel?
Emilee: Absolutely, Jerry. These actions were all filed by employees, as you stated: one against Arby’s fast food restaurant owner DRM, Inc., one against healthcare company Aveanna Healthcare, LLC, and then one other against automotive company Asbury Automotive Group, Inc. Each of these actions alleged that after companies were subjected to data breaches the employees’ personally identifying information was threatened by hackers, and the companies failed to take precautions to protect that information.
Jerry: We recently reported in the Duane Morris Class Action Review that among all areas of class action litigation, right now the hottest area is data breach class actions. Frankly, these lawsuits are exploding in popularity and certainly constitute a major area of focus for the plaintiffs’ bar. What is it about these cases that are attractive to the plaintiffs’ bar, and what is alleged in these new cases brought in federal court in Georgia?
Ryan: Well, Jerry, while these actions were filed separately, and the defendants businesses differ significantly, the proposed class actions all have similar allegations, including negligence, breach of warranty, and unjust enrichment. The plaintiffs in these class actions allege that they were employed at the companies, and that during their employment, their personal information, including their social security, numbers, birth dates, and driver’s license numbers, were collected by their employers. The plaintiffs asserted that the defendants failed to adhere to industry standards to protect their data which led to the data being obtained by hackers. So this information is interesting for the plaintiff’s bar, particularly because they can bring these allegations en masse and use these class actions to exert leverage against employers.
Jerry: You know, I’ve always thought the business model of plaintiffs’ class action lawyers is to file the case, certify the case, and monetize the case by getting a settlement. Yet our statistics in our Duane Morris Class Action Review showed that of all subset of areas, in the data breach space only 14% of motions for class certification were granted. Many motions to dismiss were granted, because plaintiffs weren’t able to articulate a sufficient injury-in-fact. Emilee, in these particular cases, how are the plaintiffs trying to get around those problems and what are they focusing on to establish standing through allegations of injury-in-fact?
Emilee: The plaintiffs allege that their personal information was captured in the spring, and that their personal identification information was therefore exposed to the cybercriminals at that time. The plaintiffs contend that, due to these cyber-attacks they have an increased vulnerability to identity theft. They also claim that they have spent time and money to mitigate risks, and that the actual value of their information has diminished as a result.
Ryan: Some plaintiffs have also asserted that they’ve been required to monitor their credit reports and are worried about future personal financial security. The plaintiffs also claim emotional distress from the dissemination of their personal information, because they will forever face an amplified risk of further misuse, fraud, and identity theft as a result of the defendants’ alleged conduct.
Jerry: Reminds me of the last class certification motion I argued in a data breach case, and that was the simple-notion judge – it was like a tree that fell in the forest, and nobody heard it. I still think that the plaintiffs’ bar is still finding ways to get around. Of course, the injury-in-fact requirement that comes from the famous Trans Union case decided by the U.S. Supreme Court. But thanks, Emilee and Ryan, for your analysis and your thought leadership in this particular area. Blog readers and listeners, hope you enjoyed this installment of the Class Action Weekly Wire, and thanks so much for tuning in.
Emilee: Thanks for having me, Jerry, and thank you, listeners.
Ryan: Thank you, everyone. Great to have an opportunity to be on the podcast.