Four Best Practices For Deterring Cybersecurity And Data Privacy Class Actions And Mass Arbitrations

By Justin Donoho

Duane Morris Takeaway: Class action lawsuits and mass arbitrations alleging cybersecurity incidents and data privacy violations are rising exponentially.  Corporate counsel seeking to deter such litigation and arbitration demands from being filed against their companies should keep in mind the following four best practices: (1) add or update arbitration clauses to mitigate the risks of mass arbitration; (2) use cybersecurity best practices, including continuously improving and prioritizing compliance activities; (3) audit and adjust uses of website advertising technologies; and (4) update website terms of use, data privacy policies, and vendor agreements.

Best Practices

  1. Add or update arbitration agreements to mitigate the risks of mass arbitration

Many organizations have long been familiar with the strategy of deterring class and collective actions by presenting arbitration clauses containing class and collective action waivers prominently for web users, consumers, and employees to accept via click wrap, browse wrap, login wrap, shrink wrap, and signatures.  Such agreements would require all allegedly injured parties to file individual arbitrations in lieu of any class or collective action.  Moreover, the strategy goes, filing hundreds, thousands, or more individual arbitrations would be cost-prohibitive for so many putative plaintiffs and thus deter them from taking any action against the organization in most cases.

Over the last decade, this strategy of deterrence was effective.[1]  Times have changed.  Now enterprising plaintiffs’ attorneys with burgeoning war chests, litigation funders, and high-dollar novel claims for statutory damages are increasingly using mass arbitration to pressure organizations into agreeing to multimillion dollar settlements, just to avoid the arbitration costs.  In mass arbitrations filed with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS), for example, fees can total millions of dollars just to defend only 500 individual arbitrations.[2]  One study found upfront fees ranging into the tens of millions of dollars for some large mass arbitrations.[3]  Companies with old arbitration clauses have been caught off guard with mass arbitrations, have sought relief from courts to avoid having to defend these mass arbitrations, and this relief was rejected in several recent decisions where the court ordered the defendant to arbitrate and pay the required hefty mass arbitration fees.[4]

If your organization has an arbitration clause, then one of the first challenges for counsel defending many newly served class action lawsuits these days is determining whether to move to compel arbitration.  Although it could defeat the class action, is it worth the risk of mass arbitration and the potential projected costs of mass arbitration involved?  Sometimes not.

Increasingly organizations are mitigating this risk by including mechanisms in their arbitration clauses such as pre-dispute resolution clauses, mass arbitration waivers, bellwether procedures, arbitration case filing requirements, and more.  This area of the law is developing quickly.  One case to watch will be one of the first appellate cases to address the latest trend of mass arbitrations — Wallrich v. Samsung Electronics America, Inc., No. 23-2842 (7th Cir.) (argued February 15, 2024, at issue is whether the district court erred in ordering the BIPA defendant to pay over $4 million in mass arbitration fees).

  2. Use cybersecurity best practices, including continuously improving and prioritizing

IT organizations have long been familiar with the maxim that they should continuously improve their cybersecurity measures and other IT services.  Continuous improvement is part of many IT industry guidelines, such as ISO 27000, COBIT, ITIL, the NIST Cybersecurity Framework (CSF) and Special Publication 800, and the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2).  Continuous improvement is becoming increasingly necessary in cybersecurity, as organizations’ IT systems and cybercriminals’ tools multiply at an increased rate.  The volume of data breach class actions doubled three times from 2019-2023.

Continuous improvement of cybersecurity measures needs to accelerate accordingly.  As always, IT organizations need to prioritize.  Priorities typically include:

  • improving IT governance;
  • complying with industry guidelines such as ISO, COBIT, ITIL, NIST, and C2M2;
  • deploying multifactor authentication, network segmentation, and other multilayered security controls;
  • staying current with identifying, prioritizing, and patching security holes as new ones continuously arise;
  • designing and continuously improving a cybersecurity incident response plan;
  • routinely practicing handling ransomware incidents with tabletop exercises (may be covered by cyber-insurers); and
  • implementing and continuously improving security information and event management (SIEM) systems and processes.

Measures like these to continuously improve and prioritize: (a) will help prevent a cybersecurity incident from occurring in the first place; and (b) if one occurs, will help the victim organization of cybertheft defend against plaintiffs’ arguments that the organization failed to use reasonable cybersecurity measures.

  3. Audit and adjust uses of website advertising technologies

In 2023, plaintiffs filed over 250 class actions alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies, respectively.  This software, often called website advertising technologies or “adtech” (and often referred to by plaintiffs as “tracking technologies”) is a common feature on many websites in operation today — millions of companies and governmental organizations have it.[5]  These lawsuits generally allege that the organization’s use of adtech violated federal and state wiretap statutes, consumer fraud statutes, and other laws, and often seek hundreds of millions of dollars in statutory damages.  The businesses targeted in these cases so far mostly have been healthcare providers but also span nearly every industry including retailers, consumer products, and universities.

Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided.  The legal landscape in this area has only begun to develop under many plaintiffs’ theories of liability, statutes, and common laws.  The adtech alleged has included not only Meta Pixel and Google Analytics but also dozens of the hundreds or thousands of other types of adtech.  All this legal uncertainty multiplied by requested statutory damages equals serious business risk to any organization with adtech on its public-facing website(s).

An organization may not know that adtech is present on its public-facing websites.  It could have been installed on a website by a vendor without proper authorization, for example, or enabled by default by some web publishing tools without anyone intending it.

Organizations should consider having an audit performed, before any litigation arises, of which adtech is or has been installed on which web pages, when, and which data types were transmitted as a result.  Multiple experts specialize in such adtech audits and serve as expert witnesses should any litigation arise.  An adtech audit is relatively quick and inexpensive, and it might be cost-beneficial for an organization to perform one before litigation arises because: (a) it might convince an organization to turn off some of its unneeded adtech now, thereby cutting off any potential damages relating to that adtech in a future lawsuit; (b) in the event of a future lawsuit, such an audit would not be wasted — it is one of the first things adtech defendants typically perform upon being served with an adtech lawsuit; and (c) an adtech audit could assist in presently updating and modernizing website terms of use, data privacy policies, and vendor agreements (next topic).
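As an added illustration of the "which adtech on which pages" half of such an audit (this is example code, not the article's or any vendor's audit tool), the script below inventories known adtech loaders in crawled HTML by external script host and by inline snippet signature, and flags pages whose paths suggest sensitive content. The signature list, sensitive-path pattern, and sample pages are all constructed assumptions; which data types were actually transmitted is a separate question that requires network capture rather than static HTML inspection.

```javascript
// Added example (not from the original article): a minimal static adtech
// inventory. Input is a set of (path, html) pairs as produced by a crawl of
// the organization's own public site; output is a per-page report.

// Constructed signature table: script hosts and inline call patterns that
// identify each technology. Extend as the audit scope requires.
const ADTECH_SIGNATURES = [
  {
    name: "Meta Pixel",
    hosts: ["connect.facebook.net"],
    inline: [/\bfbq\s*\(\s*['"]init['"]/],
  },
  {
    name: "Google Analytics",
    hosts: ["www.google-analytics.com", "www.googletagmanager.com"],
    inline: [/\bgtag\s*\(\s*['"]config['"]/, /\bga\s*\(\s*['"]create['"]/],
  },
];

// Constructed heuristic: paths where adtech deserves the closest review
// (patient portals, logins, checkout). Adjust to the site being audited.
const SENSITIVE_PATH = /\b(patient|portal|appointment|checkout|account|login)\b/i;

// Collect src attributes of external <script> tags.
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Collect bodies of inline <script> blocks (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve a (possibly protocol-relative or relative) src to its hostname.
// The base is a placeholder standing in for the audited site's own origin.
function hostOf(src) {
  try {
    return new URL(src, "https://example.invalid/").hostname;
  } catch {
    return "";
  }
}

// Audit one page: which signatures matched, and how.
function auditPage(path, html) {
  const srcs = scriptSources(html);
  const inlines = inlineScripts(html);
  const adtech = [];
  for (const sig of ADTECH_SIGNATURES) {
    const scripts = srcs.filter((s) => sig.hosts.includes(hostOf(s)));
    const inlineSnippet = inlines.some((code) => sig.inline.some((rx) => rx.test(code)));
    if (scripts.length > 0 || inlineSnippet) {
      adtech.push({ name: sig.name, scripts, inlineSnippet });
    }
  }
  return { path, sensitive: SENSITIVE_PATH.test(path), adtech };
}

function auditSite(pages) {
  return pages.map((p) => auditPage(p.path, p.html));
}

// Pages that combine adtech with a sensitive path: the first review queue.
function pagesNeedingReview(report) {
  return report.filter((r) => r.sensitive && r.adtech.length > 0).map((r) => r.path);
}

// Constructed sample pages standing in for a crawl. Tag IDs are placeholders.
const SAMPLE_PAGES = [
  {
    path: "/",
    html: `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE');
</script></head><body>Welcome</body></html>`,
  },
  {
    path: "/patient-portal/login",
    html: `<html><head>
<script>
  // shortened, constructed stand-in for a pixel loader snippet
  var t=document.createElement('script');t.async=true;
  t.src='https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(t);
  fbq('init', '000000000000000');
</script></head><body><form action="/patient-portal/login"></form></body></html>`,
  },
  {
    path: "/about",
    html: `<html><head><script src="/static/app.js"></script></head><body>About</body></html>`,
  },
];

const SAMPLE_REPORT = auditSite(SAMPLE_PAGES);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
console.log("Review first:", pagesNeedingReview(SAMPLE_REPORT));
```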

  4. Update and modernize website terms of use, data privacy policies, and vendor agreements

Organizations should consider whether to modify their website terms of use and data privacy policies to describe the organization’s use of adtech in additional detail.  Doing so could deter or help defend a future adtech class action lawsuit similar to the many that are being filed today, alleging omission of such additional details, raising claims brought under various states’ consumer fraud acts, and seeking multimillion-dollar statutory damages.

Organizations should consider adding to contracts with website vendors and marketing vendors clauses that prohibit the vendor from incorporating any unwanted adtech into the organization’s public-facing websites.  That could help disprove the element of intent at issue in many claims brought under the recent explosion of adtech lawsuits.

Implications For Corporations: Implementation of these best practices is critical to mitigating risk and saving litigation dollars.  Click to learn more about the services Duane Morris provides in the practice areas of Class Action Litigation; Arbitration, Mediation, and Alternative Dispute Resolution; Cybersecurity; Privacy and Data Protection; Healthcare Information Technology; and Privacy and Security for Healthcare Providers.


[1] In 2015, for example, a large study found that of 33 banks that had engaged in practices relating to debit card overdrafts, 18 endured class actions and ended up paying out $1 billion to 29 million customers, whereas 15 had arbitration clauses and did not endure any class actions.  See Consumer Financial Protection Bureau (CFPB), Arbitration Study: Report to Congress, Pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act § 1028(a) at Section 8, available at https://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf.  These 15 with arbitration clauses paid almost nothing—less than 30 debit card customers per year in the entire nation filed any sort of arbitration dispute regarding their cards during the relevant timeframe.  See id. at Section 5, Table 1.  Another study of AT&T from 2003-2014 found similarly, concluding, “Although hundreds of millions of consumers and employees are obliged to use arbitration as their remedy, almost none do.”  Judith Resnik, Diffusing Disputes: The Public in the Private of Arbitration, the Private in Courts, and the Erasure of Rights, 124 Yale L.J. 2804 (2015).

[2] AAA, Consumer Mass Arbitration and Mediation Fee Schedule (amended and effective Jan. 15, 2024), available at https://www.adr.org/sites/default/files/Consumer_Mass_Arbitration_and_Mediation_Fee_Schedule.pdf; JAMS, Arbitration Schedule of Fees and Costs, available at https://www.jamsadr.com/arbitration-fees.

[3] J. Maria Glover, Mass Arbitration, 74 Stan. L. Rev. 1283, 1387 & Table 2 (2022).

[4] See, e.g., BuzzFeed Media Enters., Inc. v. Anderson, 2024 WL 2187054, at *1 (Del. Ch. May 15, 2024) (dismissing action to enjoin mass arbitration of claims brought by employees); Hoeg v. Samsung Elecs. Am., Inc., No. 23-CV-1951 (N.D. Ill. Feb. 2024) (ordering defendant of BIPA claims brought by consumers to pay over $300,000 in AAA filing fees); Wallrich v. Samsung Elecs. Am., Inc., 2023 WL 5935024 (N.D. Ill. Sept. 12, 2023) (ordering defendant of BIPA claims brought by consumers to pay over $4 million in AAA fees); Uber Tech., Inc. v. AAA, 204 A.D.3d 506, 510 (N.Y. App. Div. 2022) (ordering defendant of reverse discrimination claims brought by customers to pay over $10 million in AAA case management fees).

[5] See, e.g., Customer Data Platform Institute, “Trackers and pixels feeding data broker stores,” reporting “47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare” (available at https://www.cdpinstitute.org/news/trackers-and-pixels-feeding-data-broker-data-stores/); builtwith, “Facebook Pixel Usage Statistics,” offering access to data on over 14 million websites using the Meta Pixel, stating, “We know of 5,861,028 live websites using Facebook Pixel and an additional 8,181,093 sites that used Facebook Pixel historically and 2,543,263 websites in the United States” (available at https://trends.builtwith.com/analytics/Facebook-Pixel).

Webinar Replay: Privacy Class Action Litigation Trends

Duane Morris Takeaways: The significant stakes and evolving legal landscape in privacy class action rulings and legislation make the defense of privacy class actions a challenge for corporations. As a new wave of wiretapping violation lawsuits target companies that use technologies to track user activity on their websites, there is significant state legislative activity regarding data privacy across the country. In the latest edition of the Data Privacy and Security Landscape webinar series, Duane Morris partners Jerry Maatman, Jennifer Riley, and Colin Knisely provide an in-depth look at the most active area of the plaintiffs’ class action bar over the past year.

The Duane Morris Class Action Defense Group recently published its desk references on privacy and data breach class action litigation, which can be viewed on any device and are fully searchable with selectable text. Bookmark or download the e-books here: Data Breach Class Action Review – 2024 and Privacy Class Action Review – 2024.

South Carolina Federal Court Denies Class Certification In Massive Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In a data breach lawsuit entitled In Re Blackbaud, Inc., Customer Data Breach Litigation, MDL No. 2972, Case No. 3:20-MN-02972, 2024 WL 2155221 (D.S.C. May 14, 2024), Judge Joseph F. Anderson, Jr. of the U.S. District Court for the District of South Carolina denied Plaintiffs’ motion for class certification. The Court found that the Plaintiffs failed to meet their burden of proof as to ascertainability since they could not demonstrate an administratively reasonable method by which to ascertain the estimated 1.5 billion putative class members. This case serves as an important reminder that a plaintiff’s failure to provide a court with an administratively reasonable way to ascertain a class can be an effective tool when combatting class certification motions.

Case Background

Defendant Blackbaud, Inc. provides data collection and storage services to a wide variety of organizations (“customers”). Id. at 2. Defendant collects and stores personally identifiable information and protected health information of individuals on behalf of its clients. Id.

Between February and May 2020, a cybercriminal breached Defendant’s systems, capturing 90,000 backup files containing data belonging to 13,000 of Defendant’s customers, and data belonging to approximately 1.5 billion individuals worldwide. Id. at 3-4.

Various plaintiffs filed suits nationwide, and on December 15, 2020, all of the lawsuits were combined into a multidistrict litigation in the District of South Carolina. Id. at 5. Thereafter, the Plaintiffs moved to certify one main nationwide class, and four other sub-classes, including two in California, one in New York, and one in Florida. Id. at 5-6.

The Court’s Decision

The Court denied Plaintiffs’ motion for class certification. It held that Plaintiffs failed to meet their burden of proof as to Rule 23’s ascertainability requirement. Id. at 1. As a threshold requirement to any class certification, a plaintiff must demonstrate that a class is “ascertainable”, i.e., “that there will be an administratively feasible way for the court to determine whether a particular individual is a class member.” Id. at 16.

Plaintiffs argued four primary points in support of ascertainability, including: (i) the method proposed by their expert; (ii) Defendant’s ability to create a fact sheet about the named Plaintiffs; (iii) Defendant’s ability to give notice to its customers; and (iv) Defendant’s use of a program called Wirewheel. Id. at 17.

As to Plaintiffs’ first point, the Court granted Defendant’s motion to exclude the Plaintiffs’ expert’s testimony on the grounds that the expert failed to sufficiently test his method, was unable to replicate his method, failed to sufficiently document his method, and could not provide the Court with an error rate consistent with generally accepted statistical practices. Id. at 18.

As to Plaintiffs’ second point, the Court found that the Defendant’s ability to create a fact sheet containing information about 34 named Plaintiffs did not weigh in favor of ascertainability, as the Defendant’s process was “not proof that Plaintiffs [could] undertake the larger task of ascertaining the proposed classes and sub-classes” for 1.5 billion individuals. Id. at 45-46. In its decision, the Court placed particular emphasis on the fact that Plaintiffs had not “tested, briefed, or otherwise demonstrated how they would collect information from putative plaintiffs to conduct a process similar to the process Defendant undertook” in creating its fact sheet.  Id. at 40-41.

As to Plaintiff’s third point, the Court similarly found that the Defendant’s ability to give notice of the breach did not weigh in favor of ascertainability, because “[t]he steps Defendant took to give notice to its customers [is] not comparable to the steps Plaintiffs would need to take to ascertain a class.”  Id. at 48-49. The Court emphasized the distinction between Defendant’s task to provide notice to its 13,000 customers versus Plaintiffs’ task to identify all of the 1.5 billion individual constituents of Defendant’s customers.  Id. at 46, 49.

As to Plaintiff’s fourth and final point, the Court again held that it did not weigh in favor of ascertainability, as “the Defendant’s ability to utilize a singular, live database that it maintains for the sole purpose of responding to [certain] requests does not in any way indicate that Defendant is necessarily able to restore and query 90,000 backup files of databases that were customized, maintained, and controlled by 13,000 separate customers.”  Id. at 49-50.

In sum, the Court found that the Plaintiffs failed to demonstrate that their “proposed classes and sub-classes” were able to be ascertained “without significant individualized inquiry at a scale that [was] not administratively feasible for Plaintiffs, th[e] Court, Defendant, or any individuals or entities acting at their direction to undertake.”  Id.

Implications For Companies

The Court’s ruling in In Re Blackbaud, Inc., Customer Data Breach Litigation underscores the importance of ascertainability in large-scale data breach class actions. The reality is that companies across the world face threats of large scale cyber-attacks to capture their data daily, whether it be through their own servers or through the technologies and tools they utilize. Since a majority of these cyber threats focus on personally identifiable information or personal health information, each data breach could now potentially affect millions (or billions) of individuals.

It is natural for a company to experience trepidation in light of these threats and the likelihood of a class action that could follow. However, it is important to remember that in any class action, Rule 23 requires a plaintiff to demonstrate that putative class members are identifiable without extensive and individualized fact-finding. The broader the swath Plaintiff wants to brush, the harder it will be for that Plaintiff to demonstrate and plausibly claim to the Court that their class is ascertainable.

The Class Action Weekly Wire – Episode 54: Challenges Posed By Data Breach Class Actions

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associates Emilee Crowther and Ryan Garippo with their discussion of three recent data breach class action filings in the Northern District of Georgia and common challenges and trends they’ve identified in data breach class action litigation over the past 18 months.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jerry Maatman: Thanks so much, loyal blog readers and listeners; this is our next episode of the Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today are Emilee Crowther of our Austin office and Ryan Garippo of our Chicago office. Thanks so much to both of you for being on our podcast.

Emilee Crowther: Thank you, Jerry. I’m very happy to be here.

Ryan Garippo: Great to be here, Jerry. Thanks for having me.

Jerry: So today, our subject is the area of data breach class actions in general, and three new class actions recently filed in federal court in the Northern District of Georgia by employees, in essence, alleging that their personally identifying information was compromised during data breaches. Emilee, I know that you practice quite a bit in this space. Could you give us some information on these filings, and why they’re important to corporate counsel?

Emilee: Absolutely, Jerry. These actions were all filed by employees, as you stated: one against Arby’s fast food restaurant owner DRM, Inc., one against healthcare company Aveanna Healthcare, LLC, and then one other against automotive company Asbury Automotive Group, Inc. Each of these actions alleged that after companies were subjected to data breaches the employees’ personally identifying information was threatened by hackers, and the companies failed to take precautions to protect that information.

Jerry: We recently reported in the Duane Morris Class Action Review that among all areas of class action litigation, right now the hottest area is data breach class actions. Frankly, these lawsuits are exploding in popularity and certainly constitute a major area of focus for the plaintiffs’ bar. What is it about these cases that are attractive to the plaintiffs’ bar, and what is alleged in these new cases brought in federal court in Georgia?

Ryan: Well, Jerry, while these actions were filed separately, and the defendants’ businesses differ significantly, the proposed class actions all have similar allegations, including negligence, breach of warranty, and unjust enrichment. The plaintiffs in these class actions allege that they were employed at the companies, and that during their employment, their personal information, including their Social Security numbers, birth dates, and driver’s license numbers, was collected by their employers. The plaintiffs asserted that the defendants failed to adhere to industry standards to protect their data, which led to the data being obtained by hackers. So this information is interesting for the plaintiffs’ bar, particularly because they can bring these allegations en masse and use these class actions to exert leverage against employers.

Jerry: You know, I’ve always thought the business model of plaintiffs’ class action lawyers is to file the case, certify the case, and monetize the case by getting a settlement. Yet our statistics in our Duane Morris Class Action Review showed that of all subsets of areas, in the data breach space only 14% of motions for class certification were granted. Many motions to dismiss were granted, because plaintiffs weren’t able to articulate a sufficient injury-in-fact. Emilee, in these particular cases, how are the plaintiffs trying to get around those problems, and what are they focusing on to establish standing through allegations of injury-in-fact?

Emilee: The plaintiffs allege that their personal information was captured in the spring, and that their personal identification information was therefore exposed to the cybercriminals at that time. The plaintiffs contend that, due to these cyber-attacks they have an increased vulnerability to identity theft. They also claim that they have spent time and money to mitigate risks, and that the actual value of their information has diminished as a result.

Ryan: Some plaintiffs have also asserted that they’ve been required to monitor their credit reports and are worried about future personal financial security. The plaintiffs also claim emotional distress from the dissemination of their personal information, because they will forever face an amplified risk of further misuse, fraud, and identity theft as a result of the defendants’ alleged conduct.

Jerry: Reminds me of the last class certification motion I argued in a data breach case, and that was the simple-notion judge – it was like a tree that fell in the forest, and nobody heard it. I still think that the plaintiffs’ bar is still finding ways to get around, of course, the injury-in-fact requirement that comes from the famous TransUnion case decided by the U.S. Supreme Court. But thanks, Emilee and Ryan, for your analysis and your thought leadership in this particular area. Blog readers and listeners, hope you enjoyed this installment of the Class Action Weekly Wire, and thanks so much for tuning in.

Emilee: Thanks for having me, Jerry, and thank you, listeners.

Ryan: Thank you, everyone. Great to have an opportunity to be on the podcast.

Texas Federal Court Throws Out Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Austin v. Fleming, Nolen & Jez, LLP, No. 4:23-CV-00901, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024), Judge Andrew S. Hanen of the U.S. District Court for the Southern District of Texas granted Defendant’s motion for summary judgment in a data breach class action. The Court found that Plaintiff’s allegations about the time spent – (i) researching the data breach, (ii) exploring credit monitoring and identity theft options, (iii) self-monitoring her accounts, and (iv) seeking legal counsel – were not compensable damages and could not support her claims.  This case serves as an important reminder that named Plaintiffs in data breach class actions must have suffered an actual, viable, concrete injury to sustain their claims.

Case Background

On February 6, 2023, a cybercriminal breached Defendant’s servers and obtained some of its confidential client data.  Id. at *1.  The cybercriminal then demanded Defendant pay money to avoid the publication of Defendant’s confidential client data on the dark web.  Id.  After Defendant sent out data breach notice letters to their potentially affected clientele, the named Plaintiff, a former client of Defendant, filed a class action complaint against Defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing.  Id.

Defendant moved for summary judgment on the basis that Plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach.  Id.  In response, Plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft.  Id.

The Court’s Decision

The Court ruled that Plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.”  Id. at 4.  As a result, the Court only considered Defendant’s motion for summary judgment as it pertained to Plaintiff’s individual claim against the Defendant. Id.

The Court held that none of the following allegations of harm were sufficient for Plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.”  Id. at *5-6.

Accordingly, the Court found that because Plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper.  Id. at *6.

Implications For Companies

The Court’s ruling in Austin v. Fleming underscores the importance of damages and a viable injury-in-fact in data breach class actions.  The first line of defense in any data breach class action is challenging whether the named Plaintiff suffered an actual, concrete injury.  Used effectively, companies can parlay a Plaintiff’s claimed damages in data breach class actions into a quick off-ramp out of litigation.

The Class Action Weekly Wire – Episode 45: 2024 Preview: Data Breach Class Action Litigation

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jennifer Riley and Alex Karasik and associate Emilee Crowther with their discussion of 2023 developments and trends in data breach action litigation as detailed in the recently published Duane Morris Data Breach Class Action Review – 2024.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jennifer Riley: Welcome to our listeners. Thank you for being here for our weekly podcast the Class Action Weekly Wire. I’m Jennifer Riley, partner at Duane Morris, and joining me today is my partner, Alex Karasik, and our colleague, Emilee Crowther. Thank you guys for being on the podcast.

Alex Karasik: Thank you, Jen. Happy to be part of the podcast.

Emilee Crowther: Thanks, Jen. I’m glad to be here.

Jennifer: Today on the podcast we are discussing the recent publication of this year’s edition of the Duane Morris Data Breach Class Action Review. Listeners can find the eBook publication on our blog, the Duane Morris Class Action Defense Blog. Alex, can you tell our listeners a little bit about our new publication?

Alex: Absolutely, Jen. We’re very excited about this new publication. The purpose of the Duane Morris Data Breach Class Action Review is really multi-faceted. The volume of data breach class actions exploded in 2023. And these types of cases come with unique challenges, including those involving issues of standing and uninjured class members. And these issues continue to vex the courts, leading to inconsistent outcomes. Data breach has emerged as one of the fastest growing areas in class action litigation. After every major (and even some of the not-so-major) report of a data breach, companies can now expect resulting negative publicity, which in turn often leads to class action litigation. This saddles companies with significant costs to both respond to the data breach as well as deal with these mega lawsuits. In this respect, we hope this book will provide our clients and corporate counsel with an analysis of trends and significant rulings in the data breach space which will enable them to make informed decisions when dealing with litigation risks in this area. And hopefully, this can be a key desktop reference for all those who might encounter a data breach class action.

Jennifer: Defense of data breach class actions is continuing to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar and data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. The Review has dozens of contributors, thus manifesting the collective experience and expertise of our Class Action Defense Group. Emilee, what benefits can this offer our clients?

Emilee: Well, there are a lot of different benefits that could be offered. But while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The Review provides an examination of the recent developments and settlements in the law and the area of data breach class action litigation. This publication assists our clients by identifying developing trends in the case law and offering practical approaches in dealing with data breach class action litigation.

Jennifer: What were some of the key takeaways from the publication with regard to litigation in this area in 2023?

Emilee: It remains somewhat difficult to obtain class certification for plaintiffs in data breach class actions this year, with only 14% of motions for class certification being granted. However, while data breach class actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages. A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims.

Alex: We also discuss in the Review the impact that the MOVEit Customer Data Security Breach Litigation will have on the data breach class action landscape in general. Although this class action is in its infant stages, the Judicial Panel on Multidistrict Litigation has consolidated more than 100 class action lawsuits resulting from an alleged cyber gang in Russia’s exploitation of a vulnerability in the file transfer software MOVEit. The group threatens to publish files to its website, which leaks private data. The impacts of this data breach are still unfolding, but it certainly has significant stakes. The long-term fallout might include personally identifiable information (“PII”) being leaked potentially of up to 55 million people. Some of the affected entities include Shell, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. So there’s lots of folks impacted in this one.

Jennifer: Thanks, Alex. This data breach litigation is at the top of the watch list as we move into 2024. We will be sure to keep our listeners updated with all of the important developments. The Review also talks about the top data breach settlements in 2023. How did plaintiffs do in securing settlement funds this past year?

Emilee: Well, Jen, plaintiffs did very well in securing high dollar settlements in 2023. The top 10 settlements totaled $515.75 million dollars. The top settlement alone in 2023 was $350 million dollars in a case called In Re T-Mobile Customer Data Security Breach Litigation, which resolved claims that cybercriminals exploited T-Mobile’s data security protocols and gained access to internal servers containing the personally identifiable information of millions of customers.

Jennifer: We will continue to track those settlement numbers in 2024, as record-breaking settlement amounts have been a huge trend that we have followed for the past two years. Thanks Alex and Emilee for being here today, and thank you to our loyal listeners for tuning in. Listeners, please stop by the blog for a free copy of the Data Breach Class Action Review eBook.

Emilee: Thank you for having me, Jen, and thank you listeners.

Alex: Thank you, listeners, we appreciate you!

Hot Off The Presses! The Duane Morris Data Breach Class Action Review – 2024

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaways: Data breaches are becoming increasingly common and detrimental to companies. The scale of data breach class actions “exploded” in 2023, as companies faced copycat and follow-on lawsuits across multiple jurisdictions. The combined value of the top 10 settlements across all areas of class-action litigation hit near-record highs. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Data Breach Class Action Review – 2024. This new publication analyzes the key data breach related rulings and developments in 2023 and the significant legal decisions and trends impacting data breach litigation for 2024. We hope that this resource will benefit companies and employers and assist them with their compliance with these evolving laws and standards.

Click here to download a copy of the Duane Morris Data Breach Class Action Review – 2024 eBook.

Stay tuned for more data breach action analysis coming soon on our weekly podcast, the Class Action Weekly Wire.

Illinois Federal Court Dismisses Five Of Six Causes of Action In Data Breach Class Action Against Chicagoland Nonprofit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Wittmeyer v. Heartland Alliance for Human Needs & Rights, No. 23-CV-1108, 2024 WL 182211 (N.D. Ill. Jan. 17, 2024), U.S. District Judge Jeremy C. Daniel granted in part and denied in part Defendant Heartland’s motion to dismiss under Rule 12(b)(6). The Court found that the Plaintiffs only pled facts sufficient to support their negligence claim, and dismissed their negligence per se, breach of express and implied contract, Illinois Consumer Fraud and Deceptive Business Practices Act, and declaratory judgment and injunction claims.  The ruling is exceedingly favorable for companies. Data breach class action defendants should utilize this decision as a roadmap when preparing motions to dismiss.

Case Background

Heartland Alliance for Human Needs & Rights (“Heartland”) is a non-profit, anti-poverty organization that provides healthcare and other services to individuals.  Id. at *1.  To receive services, individuals provide Heartland with personally identifiable information (“PII”) such as names and social security numbers.  Id.  For those individuals who receive medical services, Heartland also collects and stores personal health information (“PHI”) including medical diagnoses and medication records.  Id.

In January 2022, unauthorized individuals obtained access to the PII and PHI of Heartland’s clients, employees, and independent contractors.  Id.  In December 2022, Plaintiffs Tracy Wittmeyer and Audrey Appiakorang received notice that their PII and PHI were compromised in the data breach.  Id.  Plaintiffs alleged that they experienced various damages such as increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the data breach, and, in particular as to Plaintiff Appiakorang, that someone fraudulently obtained car insurance in her name.  Id.

Plaintiffs filed a class action against Heartland for various claims, including: (i) negligence, (ii) negligence per se, (iii) breach of express contract, (iv) breach of implied contract, (v) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and (vi) a declaratory judgment and injunction.  Id.  Subsequently, Heartland moved to dismiss the lawsuit under Rule 12(b)(6).  Id.

The Court’s Decision

U.S. District Judge Jeremy C. Daniel granted Heartland’s motion to dismiss as to Plaintiffs’ negligence per se, express and implied breach of contract, violation of the ICFA, and declaratory judgment and injunction claims.  Id. at *7.

The Court, however, denied Heartland’s motion to dismiss Plaintiffs’ negligence claim.  Id. at *3.  Heartland asserted that it did not owe Plaintiffs a duty to safeguard their personal information.  Id.  The Court disagreed. It “decline[d] to find, as a matter of law, that Heartland owed no duty to the plaintiff to safeguard their personal information.”  Id. (citing an amendment to the Illinois Personal Information Protection Act and the Illinois Appellate Court’s holding in Flores v. Aon Corp., 2023 IL App (1st) 230140, at ¶ 23).

The Court granted Heartland’s motion to dismiss Plaintiffs’ negligence per se claim.  Id.  Plaintiffs alleged that because Heartland failed to comply “with the FTCA and its corresponding obligations under HIPAA,” Plaintiffs were injured.  Id. at *4.  However, the Court reasoned that a violation of a statute only constitutes negligence per se “when it is clear that the legislature intended for the act to impose strict liability.”  Id. at *3.  Since Plaintiffs did not allege that either the FTCA or HIPAA imposed strict liability, the Court granted Heartland’s motion to dismiss.  Id. at *4.

The Court also granted Heartland’s motion to dismiss Plaintiffs’ breach of express and implied contract claims.  Id. at *4-6.  The Court dismissed Plaintiffs’ breach of express contract claim because they failed to allege facts in the complaint to demonstrate that the parties entered into an express contract regarding security measures for Plaintiffs’ PII and PHI.  Id. at *4.  While the Court observed that an implied contract could exist between the parties, because Plaintiffs’ complaint did not contain any allegations that the Plaintiffs suffered monetary damages as a result of the data breach, the Court dismissed their breach of implied contract claim.  Id. at *5-6.

Finally, the Court dismissed Plaintiffs’ ICFA and declaratory judgment and injunction claims. Id. at *6-7.  Under the ICFA, the Court opined that Plaintiffs were required to plead facts sufficient to demonstrate the existence of a “real and measurable” loss.  Id. at *6.  The Court dismissed Plaintiffs’ ICFA claim because it found that Plaintiffs failed to plausibly plead that they suffered an economic loss.  Id.  In addition, the Court dismissed Plaintiffs’ declaratory judgment and injunction causes of action, noting that while they are forms of relief, they are not cognizable, independent causes of action.  Id. at *7.

Implications For Data Breach Defendants

The decision in Wittmeyer v. Heartland Alliance for Human Needs & Rights serves as a roadmap for data breach class action defendants to utilize when preparing motions to dismiss.

Early in the litigation, data breach class action defendants typically move to dismiss a plaintiff’s complaint under Rule 12(b)(1) for lack of subject matter jurisdiction and/or, as Heartland did here, under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. Importantly, various jurisdictions across the United States have different approaches to the issue of whether various claimed damages (i.e., increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with a data breach, loss of value in PII and PHI, and emotional harms like anxiety and stress) can confer standing upon a plaintiff. Class action defendants should conduct a thorough review of their relevant jurisdiction’s holdings concerning the plaintiff’s claimed damages in support of any motion to dismiss.


Arizona Federal Court Grants Pest Control Company’s Motion To Dismiss Data Breach Class Claims

By Gerald L. Maatman, Jr., Jennifer A. Riley, and George J. Schaller

Duane Morris Takeaways: In Gannon v. Truly Nolen of America Inc., No. 22-CV-428 (D. Ariz. Aug. 31, 2023), Judge James Soto of the U.S. District Court for the District of Arizona granted Defendant’s motion to dismiss with prejudice on negligence, breach of contract, and consumer fraud claims related to a data breach class action. For companies facing data breach claims in class actions, this decision is instructive in terms of how courts consider cognizable damages, especially when damages allegations are inadequately pleaded.

Case Background

Defendant Truly Nolen of America Inc. (“Defendant” or the “Company”) is an Arizona corporation that provides pest control services across the United States and in 30 countries around the world.  Id. at 2.  The Company experienced a data breach between April 29, 2022 and May 11, 2022.  On May 11, 2022, the Company learned the breach occurred and identified personally identifiable information (“PII”) and personal health information (“PHI”) that was compromised.  Id.  In August of 2022, Defendant sent notice letters to individuals whose data may have been compromised.  Id.

The Named Plaintiff, Crystal Gannon (“Plaintiff”), alleged that she received her notice letter regarding the data breach in August of 2022.  Id. at 3.  In her First Amended Complaint (“FAC”), Plaintiff sought to represent two proposed classes of plaintiffs, including one for a Nationwide Class and one for an Arizona Sub-class, related to the data breach.  Id.

Plaintiff alleged numerous claims such as negligence, invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violation of the Arizona Consumer Fraud Act (“Fraud Act”).  Id.  In response, Defendant filed a motion to dismiss on the grounds that Plaintiff’s case was without basis and the entire case was subject to dismissal.  Id.

The Court’s Decision

The Court held that there was no valid basis for Plaintiff’s negligence claim.  Id. at 4.  Plaintiff argued that the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act (“FTCA”) created a duty in Arizona from which relief could be sought.  Id.  The Court disagreed. It found that neither the HIPAA nor the FTCA provided a private right of action.  Id.  The Court reasoned that “[p]ermitting HIPAA to define the ‘duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.’”  Id.  The Court applied the same logic to the FTCA.  Id.

On negligence damages, the Court held that Plaintiff’s FAC failed “to show identity theft or loss in continuity of healthcare of any class members – only the possibility of each.”  Id.  Under Arizona law, negligence damages require more than merely a threat of future harm, and on their own, threats of future harm are not cognizable negligence injuries.  Id. at 4-5.  Similarly, as to out-of-pocket expenses, the Court opined that Plaintiff failed to demonstrate that her expenses were necessary because she did not properly show that Defendant’s identity monitoring services were inadequate.  Id. at 5.  Finally, the Court recognized that merely alleging a diminution in value to somebody’s PII or PHI was insufficient.  Id.  Therefore, the Court dismissed Plaintiff’s negligence claims.

Turning to Plaintiff’s breach of contract claims, the Court determined that Plaintiff did not show cognizable damages, a reasonable construction for the terms of the contract, or consideration for the existence of an implied contract.  Id. at 6. The Court held that Plaintiff’s FAC allegations only reflected speculative damages and did not allege proof of real damages.  Id. at 5.  The Court opined that Plaintiff’s “vaguely pleaded” contract terms failed to show any language that would inform the terms of the agreement and Plaintiff did not point to any conduct or circumstances from which the terms could be determined.  Id. at 5-6.  Finally, the Court determined that even if Defendant had an obligation to protect the data at issue, such pre-existing obligations did not serve as consideration for a contract.  Id.  Therefore, the Court dismissed all breach of implied contract claims.  Id.

On the claim for breach of the implied covenant of good faith and fair dealing, Plaintiff argued that Defendant breached by failing to maintain adequate computer systems and data security practices, failing to timely and adequately disclose the data breach, and inadequately storing PII and PHI.  Because Plaintiff failed to show an enforceable promise, the Court held there could be no breach, and all claims for breach of the implied covenant of good faith and fair dealing were dismissed.  Id. at 6.

The Court also dismissed Plaintiff’s Fraud Act claims because Plaintiff failed to show cognizable damages.  Id. at 7.  The Court reasoned “[p]laintiff cannot simply argue that the system is inadequate because a negative result occurred.”  Id.  The Court also reasoned that Plaintiff failed to demonstrate that Defendant’s security was inadequate when compared to other companies or any set of industry standards. Id.  As to Plaintiff’s privacy claims, the Court held that there were no cognizable claims for invasion of privacy or breach of privacy, and Plaintiff did not dispute these claims in her response.  Id.

Accordingly, the Court granted Defendant’s motion to dismiss as to all claims, denied Plaintiff leave to amend her complaint, and dismissed the case with prejudice. Id.

Implications For Companies

Companies confronted with data breach lawsuits should take note that the Arizona federal court in Gannon relied heavily on inadequately pleaded allegations in considering cognizable damages for purposes of granting Defendant’s motion to dismiss. Further, from a practical standpoint, companies should carefully evaluate pleadings for insufficient or speculative assertions on damages.

Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action

By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller

Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court’s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase “who had their data accessed by cybercriminals” and to analyze the viability of the California class.

For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.

Case Background

Defendant Brinker International, Inc., owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised.  Id. at 2.  Hackers targeted Chili’s restaurant systems, stole both customer data and personally identifiable information, and posted that information on an online marketplace for stolen payment data.  Id. at 2-3.  Plaintiffs alleged that 4.5 million cards were accessed by hackers.  Id. at 3.

The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili’s restaurants between March and April in their respective states.  Id. at 3-4.  After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards; Steinmetz did not experience fraudulent charges.  Id. at 3-4.

Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief.  Id. at 4.  The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws.  Id. at 5.  Brinker appealed the district court’s class certification orders.  Id.

The Eleventh Circuit’s Decision

The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing.  Id. at 10.  Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse of the information associated with the hacked credit cards.  Id. at 9-10.

The Eleventh Circuit, however, vacated the district court’s order and found Franklin and Steinmetz could not meet the traceability requirement for standing.  Id. at 11.  Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable.  Id.  Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action.  Id. at 12-13.  By contrast, the Eleventh Circuit opined that Theus did meet traceability for standing purposes.  Id. at 13.

As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.”  Id. at 15.  The Eleventh Circuit determined that the district court would need to refine the class definition to include those two categories only and then conduct a new predominance analysis addressing uninjured individuals who simply had their data accessed.  As a result of the problems with the class definition, the Eleventh Circuit remanded the case.  Id. at 15-16.  The Eleventh Circuit also remanded the case in light of Franklin’s lack of standing to determine the viability of the California-based class.  Id. at 16.

Implications For Employers

Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase “data accessed by cybercriminals” in remanding the district court’s order.

Further, from a practical standpoint, employers should carefully evaluate a district court’s class definitions for overbroad terms or phrases when preparing an appeal.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.