Data Privacy Class Action Alleges Insurers Improperly Collected The Data Of 40 Million Users Through Third-Party Applications

By Gerald L. Maatman, Jr., Justin Donoho, George J. Schaller, Ryan T. Garippo

Duane Morris Takeaways: In Mahoney, et al. v. The Allstate Corp, et al., 25-CV-01465 (N.D. Ill. Feb. 11, 2025), Plaintiffs Michael Mahoney and Scott Schultz (collectively, “Plaintiffs”) filed a putative class action lawsuit asserting Allstate, and its subsidiary Arity, illegally obtained personal driving data of 40 million policyholders through third-party mobile application software.  The case is pending in the U.S. District Court for the Northern District of Illinois before Judge Steven C. Seeger.  This is the third lawsuit in a series of lawsuits alleging class-wide allegations based on Allstate’s alleged data collection practices.  See Sims et al. v. The Allstate Corp. et al., 1:25-CV-00407 (N.D. Ill. Jan. 14, 2025) (alleging data collection through third party application Sirius XM); see also Arellano et al. v. The Allstate Corp. et al., 1:25-CV-01256 (N.D. Ill. Feb. 5, 2025) (alleging data collection through third party applications Life360, GasBuddy, and Fuel Rewards).

Mahoney, Sims, and Arellano represent a triumvirate of data privacy class actions centered on allegations of improper data collection through third-party applications.  Companies will be well-served to monitor these cases for their novel assertions in trending data privacy litigation.

Complaint Allegations

Michael Mahoney resides in San Francisco, California, and he downloaded the GasBuddy application in 2011 to “find competitive gas prices.”  Mahoney, 25-CV-01465, ECF No. 1 § III ¶ 14 (N.D. Ill. Feb. 11, 2025).  Scott Schultz resides in Highland Park, Illinois, and he downloaded the GasBuddy application in 2021 and used it “in his own and other people’s vehicles to find competitive gas prices.”  Id. § III ¶ 15.

Plaintiffs collectively allege that Allstate and its subsidiary Arity (collectively, “Defendants”) “conspired to collect drivers’ geolocation data and movement data from mobile devices, in-car devices, and vehicles.”  Id. § IV ¶ 7.  Plaintiffs allege Defendants designed a software development kit that could be integrated into third-party mobile applications such as “Routely, Life360, GasBuddy, and Fuel Rewards.”  Id. § IV ¶ 8.  Plaintiffs further allege Defendants advertised that they “collect data ‘every 15 seconds or less’ from 40 million ‘active mobile connections’ and ‘derive[] unique insights that help insurers, developers, marketers, and communities understand and predict driving behavior at scale.’”  Id. § IV ¶ 24.

Plaintiffs contend Defendants’ software development kit was “designed to and does collect data” including “Geolocation data and ‘GPS Points,’” “cellphone accelerometer, magnetometer, and gyroscopic data,” “Trip attributes” data (including start and end locations, trip distances, trip duration), “Derived events” data (including acceleration, speeding, distracted driving, crash detection), and “Metadata.”  Id. § IV ¶ 11 (A) – (E).  Plaintiffs further assert that when using these third-party applications “Defendants could collect real-time data on their locations and movements and surreptitiously collect highly sensitive and valuable data directly from Plaintiffs’ mobile phones.”  Id. § IV ¶ 16.

It is also important to note that Plaintiffs maintain that Defendants used their personal data to “develop, advertise, and sell several products and services to third parties, including insurance companies . . .” and used the purchased consumer data for “[Defendants’] own underwriting purposes.”  Id. § IV ¶ 23.  Plaintiffs ultimately assert that Defendants’ real purpose in using this data is for their “own financial and commercial benefit” and to obtain “substantial profit.”  Id. § V ¶ 49.  They assert via their nine-count Complaint that this technology amounts to a wiretapping of their personal information, which entitles them, inter alia, to a sum of “$100 per day per violation or $10,000” per class member, whichever is greater.  Id. § V ¶ 51.

Implications For Companies

Although such data collection lawsuits are no longer a new phenomenon, their scope has become far more aggressive as the plaintiffs’ bar continues to look for ways to monetize lawsuits against corporations using such technologies.

Take for example the dilemma presented by Mahoney.  In that case, it is likely that Defendants will have strong defenses to this action.  For example, Plaintiffs admit that Defendants’ purpose in using this technology was to earn “substantial profit.”  Id. § V ¶ 49.  Based on similar allegations, many courts have found that these purposes are insufficient for a plaintiff to avail itself of such wiretapping statutes.  See, e.g., Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing wiretap claim because defendant’s “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money.”).

There are, however, enough court rulings that come out in the opposite direction to give a corporate defendant pause.  See, e.g., R.S. v. Prime Healthcare Services, Inc., No. 24-CV-00330, 2025 WL 103488, at *6-7 (C.D. Cal. Jan. 13, 2025) (recognizing the split and siding with the plaintiffs).  And, if Plaintiffs are correct that there are 40 million individuals in the class, and that each class member is entitled to $10,000 at a minimum, then this lawsuit alleges at least $400 billion in liability.  Even if there is a 1% chance of success on these claims, it would suggest that the completely unrealistic figure of $4 billion is on the table.

Corporations in these types of class actions are faced with the difficult choice of settling the claims for an astronomical figure based on the use of technologies which are ubiquitous in nature (like software development kits for mobile applications) or defending a $400 billion lawsuit based on defenses in an area of the law which is not fully developed.  It will be interesting to see how the Mahoney defendants balance these concerns as the case progresses, because many twists and turns lie ahead.

In the meantime, corporate counsel should take the opportunity to evaluate their companies’ data collection and privacy policies to make sure their companies are not easy targets.  If the allegations in Mahoney are any example, the mere threat of one of these lawsuits should be enough to keep corporate counsel up at night.  And, if their companies are ultimately sued in one of these lawsuits, they should ensure that an experienced defense team has its hands on the steering wheel. 

Tennessee Federal Court Rejects Certification Of Breach Of Contract Class Action

By Gerald L. Maatman, Jr., Justin R. Donoho, and George Schaller

Duane Morris Takeaways:  On February 10, 2025, Judge Aleta A. Trauger of the U.S. District Court for the Middle District of Tennessee denied class certification in a case involving breach of contract and a disputed element of mutual assent a/k/a meeting of the minds, in Hall v. Warner Music Group Corp., No. 22-CV-0047 (M.D. Tenn. Feb. 10, 2025).  The ruling is significant as it shows that plaintiffs who file class action complaints alleging breach of contract cannot satisfy Rule 23’s commonality requirement where the issue of whether the parties agreed to a material term of contract requires individualized inquiry into the parties’ minds and whether they met. 

Background

This case involving lack of mutual assent is one of the many since the famous case of Raffles v. Wichelhaus, 159 Eng.Rep 375 (1864), in which the defendant agreed to purchase cotton arriving in a ship named “Peerless” arriving while cotton prices were low, whereas the plaintiff seller had in mind a different ship by the same name arriving while cotton prices were high.  (And where the English High Court found no binding contract).

In Hall, the plaintiffs, two musical artists, sued for breach of implied contract against a record label.  The parties had entered into a written recording agreement providing for the payment of 8% royalties at a time before the invention of digital streaming and not expressly covering distribution through digital streaming.  Hall, slip op. at 2.  In 2005, when the label started streaming plaintiffs’ music digitally both domestically and internationally, it began to pay the plaintiffs at the higher rate appearing on their royalty statements of 50%.  Id. at 3, 14.  For foreign digital streaming, the 50% rate was applied after the deduction of a payment to the foreign distributor.  Id. at 12-13.  It was common in the industry and a consistent course of dealing of the defendant to apply royalty rates to digital streaming revenues received only after payment to the foreign distributor.  Id.  The plaintiffs accepted these digital streaming royalty payments for years without viewing the royalty statements or “attempting to identify the revenue base against which a royalty rate for foreign streaming was applied . . . until [one of the plaintiff’s] first discussion with one of his attorneys in this case.”  Id. at 15. 

The plaintiffs moved for class certification under Rule 23.  The plaintiffs maintained that they met the commonality requirement because they and other artists with legacy contracts received royalty payments for foreign streaming sales with statements indicating an unqualified 50% royalty.  Id. at 10-11.  In contrast, the record label maintained that a claim for breach of implied contract requires the plaintiffs to prove that a valid and enforceable contract was formed between the label and “each class member, which will require an individualized inquiry into the knowledge, understanding, and intent of the artists, including whether the artist even looked at the royalty statements, whether the artists construed them to offer an implied amendment, what exactly the artist believed those implied terms to be, whether the artist had a good-faith belief about a possible rescission claim, whether the artist would have rescinded unless paid at the source, whether the artist intended to forbear, and when (if ever) these events occurred.”  Id. at 11 (emphasis in original).  In other words, according to the record label, the common question, “was an implied contract formed?” could not be answered by a simple yes or no without such an individualized inquiry.  Id.

The Court’s Decision

The Court agreed with defendants and held that plaintiffs did not carry their burden of showing commonality.

Central to the Court’s holding was the “problematic question of mutual assent.”  Id. at 18.  As the Court explained, “even if the court presumes that other putative class members’ royalty statements look like the plaintiffs’ and that there are common questions regarding the defendants’ conduct that may yield common answers (i.e., that the royalty statements do not expressly reflect that the royalties are calculated based [after paying the foreign distributor]), it is clear that the threshold question of whether an implied contract between [the label] and each putative class member was formed does not yield a common answer but, instead, will depend entirely on the particularized circumstances of each artist whose contract, like the plaintiffs’, does not expressly provide for royalties on foreign digital streaming.”  Id.

In short, the Court reasoned that “the named plaintiffs’ particularized circumstances show that they simply never thought about whether an implied contract had been formed or its terms until approached by lawyers.  Other artists may have paid closer attention to their business arrangements.”  Id.

In conclusion, the Court noted that, “to the extent there are questions of fact or law common to the plaintiffs and all putative class members, the relative importance of these common questions pales in comparison to the importance of those that do not yield a common answer — primarily the question of whether implied contracts were formed at all.”  Id. at 23.

Implications For Companies

The Hall decision is a win for defendants of breach of contract class actions involving the issue of whether the parties had a meeting of the minds on a material term of contract.  In such cases, the Hall decision can be cited as useful precedent for showing that the commonality requirement is not met because individualized inquiries predominate when it comes to analyzing evidence regarding a meeting of the minds.

The Court’s reasoning in Hall applies not only in cases involving: (1) commercial form contracts, like in Hall, but also (2) alleged employment contracts, see Cutler v. Wal-Mart Stores, Inc., 927 A.2d 1 (Md. Ct. App. 2007) (affirming denial of motion for class certification, stating, “Any determination concerning a ‘meeting of the minds’ necessarily requires an individual inquiry into what each class member, as well as the [employer’s] employee who allegedly made the offer, said and did”); In re Wal-Mart Wage & Hour Emp. Pracs. Litig., 2008 WL 3179315, at *19 (D. Nev. June 20, 2008) (denying motion for class certification, stating, “Plaintiffs’ breach of contract claims would involve particularized inquiry into contract formation, including such issues as meeting of the minds”); (3) form real estate contracts, see Haines v. Fid. Nat’l Title of Fla., Inc., 2022 WL 1095961, at *17 (M.D. Fla. Feb. 17, 2022) (denying motion for class certification, stating, “If a buyer and seller interpreted [the agreement] the way [seller] interprets the provision, their meeting of the minds would have a significant impact upon any potential liability for [seller]. In that regard, the buyer’s and seller’s state of mind for each transaction are relevant . . . individualized discovery and factfinding regarding each buyer’s and seller’s intent and understanding would be required”); and (4) alleged contracts regarding the use of AI, see Lokken v. UnitedHealth Group, Inc., 2025 WL 491148, at *8 (D. Minn. Feb. 13, 2025) (finding insureds’ claim against health insurer for breach of contract regarding insurer’s use of AI-based automated decision making technologies not preempted by the Medicare Act and therefore allowed to proceed to discovery, raising the question of whether parties’ minds met via the insurer’s explicit descriptions of its “claim decisions as being made by ‘clinical services staff’ and ‘physicians,’ without mention of any artificial intelligence”).

Illinois Supreme Court Affirms Dismissal Of Data Breach Class Action For Lack Of Standing

By Gerald L. Maatman, Jr., Justin Donoho, and George J. Schaller

Duane Morris Takeaways: On January 24, 2025, in Petta v. Christie Bus. Holdings Co., P.C., 2025 IL 130337, the Illinois Supreme Court ruled that a plaintiff lacked standing under Illinois law to bring her class action complaint alleging that her social security number and insurance information may have been accessed in connection with a data incident where a medical provider discovered unauthorized access to one of its business email accounts.  The ruling is significant because it shows that data breach claims cannot be brought in Illinois court without specifying actual injury that is fairly traceable to the breach.

Case Background

This case is one of the thousands of data breach class actions filed in the last three years.  In Petta, Plaintiff brought suit against a medical provider.  According to Plaintiff, she received a letter from the provider titled “Notice of Data Incident” explaining that an unknown third party gained unauthorized access to one of its business email accounts for about a month, in an attempt to intercept a business transaction between the provider and a third-party vendor.  Id. ¶¶ 1, 6.  The letter also stated that “the impacted account MAY have contained certain information related” to Plaintiff’s social security number and medical insurance information but “[t]he unauthorized actor did not have access to [the provider’s] electronic medical record” and there was no “evidence of identity theft or misuse of [Plaintiff’s] personal information.”  Id. ¶ 6 (emphasis in letter).  The letter concluded by offering Plaintiff 12 months of credit monitoring and identity protection services at no cost if she wished to enroll.  Id., ¶ 7.

Plaintiff also alleged her “phone number, city, and state [were] used in connection with a loan application … in someone else’s name” and she received multiple calls regarding “loan applications she did not initiate.”  Id., ¶ 9.   

Based on these allegations, Plaintiff alleged claims for negligence and violation of Illinois’ Personal Information Protection Act. 

The trial court dismissed the complaint for lack of a viable legal theory and a bar by the economic loss doctrine.  The Illinois Appellate Court affirmed, but on the basis that the Plaintiff lacked standing to bring the action on behalf of herself and the putative class. 

Plaintiff thereafter appealed to the Illinois Supreme Court. 

The Illinois Supreme Court’s Opinion

The Illinois Supreme Court ruled that Plaintiff lacked standing and affirmed the dismissal of her complaint on that basis.  Id., ¶ 25.

In Illinois, standing requires an injury in fact. As a result, the Illinois Supreme Court reasoned that a plaintiff alleging only “a ‘purely speculative’ future injury” and “no ‘immediate danger of sustaining a direct injury’ lacks sufficient interest to have standing.”  Id. ¶ 18 (quoting Chi. Teachers Union, Local 1 v. Bd. of Ed. of Chi., 189 Ill. 2d 200, 206-07 (2000)).

The Illinois Supreme Court affirmed Plaintiff’s lack of standing, reasoning that she, and the putative class, faced “only an increased risk that their private personal data was accessed by an unauthorized third party” and that “an increased risk of harm is insufficient to confer standing” in a complaint seeking money damages.  Id., ¶ 21.  The Illinois Supreme Court opined nothing “in the letter suggest[ed] that it is likely the third party did, in fact, take the [private personal] data” and the provider’s investigation revealed that the unauthorized third party was “attempting to intercept a financial transaction, not steal patients’ private personal information.”  Id., ¶ 20.

The Illinois Supreme Court also noted that Plaintiff’s unauthorized loan application related solely to Plaintiff and her complaint did not present any allegations that putative class members had a similar experience regarding a loan application.  Id., ¶ 23.  However, the Illinois Supreme Court declined to answer the question of whether standing must be shown at the outset for the entire putative class and instead focused “solely on [Plaintiff] individually,” finding that “Plaintiff’s allegation regarding the loan application is insufficient to confer standing.”  Id. 

In short, the Illinois Supreme Court concluded that the unsuccessful loan application allegations were not “fairly traceable” to any of the provider’s alleged misconduct and instead were “purely speculative” given there was “no apparent connection between the purported fraudulent loan attempt and the data breach at issue” as the phone number and city information used in the loan application was “readily available” to the public.  Id., ¶ 25 (citing 2023 IL App (5th) 220742, ¶ 23).  Therefore, Plaintiff lacked standing to bring her claims.

Implications For Companies

The Illinois Supreme Court’s decision in Petta is a win for companies that suffered a data breach only possibly affecting customers, informed the customers of the breach, and offered to pay for their credit monitoring.  Petta shows that to confer standing under Illinois law, more is required.  Specifically, data breach plaintiffs need to identify actual injury fairly traceable to the breach.

Data “Down Under” – AI, CyberSecurity, And Data Breach Class Action Takeaways From The ASIAL Security Exhibition + Conference In Sydney, Australia

By Alex W. Karasik

Duane Morris Takeaways: Data breach litigation is a billion-dollar industry worldwide. At the ASIAL Security Exhibition + Conference in Sydney, Australia, on August 22, 2024, Partner Alex W. Karasik of the Duane Morris Class Action Defense Group gave a highly anticipated 40-minute address, “A Deep Dive Into Data Breach Class Action Litigation.” The Conference, which had over 10,000 attendees, produced excellent dialogues on cybersecurity threats, mitigation strategies, data breach litigation, and the implications of artificial intelligence on data security.

The Conference’s robust agenda featured over 35 speakers from a wide array of backgrounds, including Australian government officials, data security industry experts, executives from blue-chip companies such as Amazon and Microsoft, and a lawyer from Chicago. In a masterful way, the agenda provided valuable insight for attendees from a broad range of backgrounds, including business owners, c-suite executives, risk officers, privacy professionals, technology start-ups, vendors, attorneys, journalists, and other individuals with interests in the tech, legal, and security industries.

I had the privilege of speaking about global data breach litigation risk, with a focus on the United States’ data breach class action landscape. A few of the highlights from my presentation include the following:

    1. Data breach class action lawsuit filings doubled from over 300 in 2021 to over 600 in 2022, and then doubled again to over 1,300 in 2023. I do not expect this trend to slow down any time soon.
    2. The last two years procured massive settlement totals, with over $515 million in 2023. Google and T-Mobile each settled data breach class actions for $350 million in the last two years. The financial exposure is enormous in data breach class action litigation.
    3. Major U.S. Supreme Court decisions (TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021)); pending class action litigation (In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023)); and the next wave of data security class action claims (stemming from the recent CrowdStrike outage) will all continue to collectively and profoundly impact the data breach class action landscape.
    4. Low class certification rates, generally trending below 50%, provide some room for optimism for data breach class action defendants. Plus, with the large number of breaches that have now impacted a plurality of major corporations across all sectors, causation of damages is more difficult to prove than ever.
    5. Some of the “toolkit takeaways” for businesses include: (i) implement a multi-faceted approach to data security mechanisms; (ii) develop a data security task force within the organization; (iii) provide extensive training to employees, which will need to evolve as the types of threats change; and (iv) utilize arbitration agreements with class action waivers.

Finally, one of the greatest joys of attending an international conference is the opportunity to draw on the wisdom of my fellow presenters from across the globe. Below are a few of the highlights:

    1. “Employers cannot contract out risk.” I loved this quote from Australian government official, Justine Jones. This sentiment echoes many of my conversations with and publications prepared by U.S. EEOC Commissioner, Keith Sonderling, who has consistently noted in the artificial intelligence context that employers cannot simply point their fingers at vendors if hiring or recruiting software procures discriminatory outputs. Jones opined that even if businesses use third-parties for data security purposes, they still remain responsible.
    2. Brett McGrath, President of the Law Society of New South Wales, provided excellent insight on what I interpreted to be “cautious optimism” from the Australian legal system in terms of embracing artificial intelligence. He discussed the creation of a task force involving judges, lawyers, academics, and technology experts. Jurisdictions in the United States – at the local, state, and federal levels – would be wise to follow suit.
    3. Amazon’s Lindsay Maloney, Lead of Security & Loss Prevention, Australia & Singapore, highlighted hiring risks associated with different geographical markets. From my perspective, the rapidly emerging artificial intelligence laws involving employment decisions are often similar but not the same. This means American businesses likewise should take heed of where they are hiring and what technology they are using in each locale.
    4. Philip Meyer, a Technology Strategist at Microsoft, delivered an impactful address that examined the history of ChatGPT and the future of artificial intelligence. Philip’s commentary regarding Microsoft’s commitment to providing training meshed well with my message about how companies must embrace the training process, so that artificial intelligence and data security measures are deployed ethically and in the best interests of the organization.
    5. Brian de Caires, CEO of the ASIAL, opined on the need for consistent security standards across Australia. For those of you who follow my publications on artificial intelligence, privacy, and data security, a motif of my writings is that there is a patchwork of laws among a myriad of jurisdictions, creating a compliance minefield for employers.

Thank you to ASIAL and its incredible team, my fellow speakers, the engaging attendees, the media personnel, and all others who helped make this week in Sydney, Australia an informative and unforgettable experience “Down Under.”


Four Best Practices For Deterring Cybersecurity And Data Privacy Class Actions And Mass Arbitrations

By Justin Donoho

Duane Morris Takeaway: Class action lawsuits and mass arbitrations alleging cybersecurity incidents and data privacy violations are rising exponentially.  Corporate counsel seeking to deter such litigation and arbitration demands from being filed against their companies should keep in mind the following four best practices: (1) add or update arbitration clauses to mitigate the risks of mass arbitration; (2) use cybersecurity best practices, including continuously improving and prioritizing compliance activities; (3) audit and adjust uses of website advertising technologies; and (4) update website terms of use, data privacy policies, and vendor agreements.

Best Practices

  1. Add or update arbitration agreements to mitigate the risks of mass arbitration

Many organizations have long been familiar with the strategy of deterring class and collective actions by presenting arbitration clauses containing class and collective action waivers prominently for web users, consumers, and employees to accept via click wrap, browse wrap, login wrap, shrink wrap, and signatures.  Such agreements would require all allegedly injured parties to file individual arbitrations in lieu of any class or collective action.  Moreover, the strategy goes, filing hundreds, thousands, or more individual arbitrations would be cost-prohibitive for so many putative plaintiffs and thus deter them from taking any action against the organization in most cases.

Over the last decade, this strategy of deterrence was effective.[1]  Times have changed.  Now enterprising plaintiffs’ attorneys with burgeoning war chests, litigation funders, and high-dollar novel claims for statutory damages are increasingly using mass arbitration to pressure organizations into agreeing to multimillion dollar settlements, just to avoid the arbitration costs.  In mass arbitrations filed with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS), for example, fees can total millions of dollars just to defend only 500 individual arbitrations.[2]  One study found upfront fees ranging into the tens of millions of dollars for some large mass arbitrations.[3]  Companies with old arbitration clauses have been caught off guard with mass arbitrations, have sought relief from courts to avoid having to defend these mass arbitrations, and this relief was rejected in several recent decisions where the court ordered the defendant to arbitrate and pay the required hefty mass arbitration fees.[4]

If your organization has an arbitration clause, then one of the first challenges for counsel defending many newly served class action lawsuits these days is determining whether to move to compel arbitration.  Although it could defeat the class action, is it worth the risk of mass arbitration and the potential projected costs of mass arbitration involved?  Sometimes not.

Increasingly organizations are mitigating this risk by including mechanisms in their arbitration clauses such as pre-dispute resolution clauses, mass arbitration waivers, bellwether procedures, arbitration case filing requirements, and more.  This area of the law is developing quickly.  One case to watch will be one of the first appellate cases to address the latest trend of mass arbitrations — Wallrich v. Samsung Electronics America, Inc., No. 23-2842 (7th Cir.) (argued February 15, 2024, at issue is whether the district court erred in ordering the BIPA defendant to pay over $4 million in mass arbitration fees).

  2. Use cybersecurity best practices, including continuously improving and prioritizing

IT organizations have long been familiar with the maxim that they should continuously improve their cybersecurity measures and other IT services.  Continuous improvement is part of many IT industry guidelines, such as ISO 27000, COBIT, ITIL, the NIST Cybersecurity Framework (CSF) and Special Publication 800, and the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2).  Continuous improvement is becoming increasingly necessary in cybersecurity, as organizations’ IT systems and cybercriminals’ tools multiply at an increased rate.  The volume of data breach class actions doubled three times from 2019-2023.

Continuous improvement of cybersecurity measures needs to accelerate accordingly.  As always, IT organizations need to prioritize.  Priorities typically include:

  • improving IT governance;
  • complying with industry guidelines such as ISO, COBIT, ITIL, NIST, and C2M2;
  • deploying multifactor authentication, network segmentation, and other multilayered security controls;
  • staying current with identifying, prioritizing, and patching security holes as new ones continuously arise;
  • designing and continuously improving a cybersecurity incident response plan;
  • routinely practicing handling ransomware incidents with tabletop exercises (may be covered by cyber-insurers); and
  • implementing and continuously improving security information and event management (SIEM) systems and processes.

Measures like these to continuously improve and prioritize: (a) will help prevent a cybersecurity incident from occurring in the first place; and (b) if one occurs, will help the victim organization of cybertheft defend against plaintiffs’ arguments that the organization failed to use reasonable cybersecurity measures.

  3. Audit and adjust uses of website advertising technologies

In 2023, plaintiffs filed over 250 class actions alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies, respectively.  This software, often called website advertising technologies or “adtech” (and often referred to by plaintiffs as “tracking technologies”) is a common feature on many websites in operation today — millions of companies and governmental organizations have it.[5]  These lawsuits generally allege that the organization’s use of adtech violated federal and state wiretap statutes, consumer fraud statutes, and other laws, and often seek hundreds of millions of dollars in statutory damages.  The businesses targeted in these cases so far mostly have been healthcare providers but also span nearly every industry including retailers, consumer products, and universities.

Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided.  The legal landscape in this area has only begun to develop under many plaintiffs’ theories of liability, statutes, and common laws.  The adtech alleged has included not only Meta Pixel and Google Analytics but also dozens of the hundreds or thousands of other types of adtech.  All this legal uncertainty multiplied by requested statutory damages equals serious business risk to any organization with adtech on its public-facing website(s).

An organization may not know that adtech is present on its public-facing websites.  It could have been installed on a website by a vendor without proper authorization, for example, or as a default without any human intent by using some web publishing tools.

Organizations should consider whether to have an audit performed before any litigation arises as to which adtech is or has been installed on which web pages when and which data types were transmitted as a result.  Multiple experts specialize in such adtech audits and serve as expert witnesses should any litigation arise.  An adtech audit is relatively quick and inexpensive and it might be cost-beneficial for an organization to perform an adtech audit before litigation arises because: (a) it might convince an organization to turn off some of its unneeded adtech now, thereby cutting off any potential damages relating to that adtech in a future lawsuit; (b) in the event of a future lawsuit, such an audit would not be wasted — it is one of the first things adtech defendants typically perform upon being served with an adtech lawsuit; and (c) an adtech audit could assist in presently updating and modernizing website terms of use, data privacy policies, and vendor agreements (next topic).
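The following added example, which is not part of the original article, shows the static portion of an adtech audit in Python: it parses saved page HTML, lists every third-party script, image, or iframe source, labels the ones matching a short assumed map of Meta Pixel and Google hostnames, and records the query parameter names each URL carries. The page HTML, the clinic.example and vendor.example hosts, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# (host, path prefix, product). A short illustrative map, not a complete tracker
# list; a real audit would use a maintained catalogue.
KNOWN_ADTECH = [
    ("connect.facebook.net", "", "Meta Pixel"),
    ("www.facebook.com", "/tr", "Meta Pixel"),
    ("www.googletagmanager.com", "", "Google tag / Tag Manager"),
    ("www.google-analytics.com", "", "Google Analytics"),
]
UNCLASSIFIED = "unclassified third party"


class ResourceCollector(HTMLParser):
    """Collects src URLs of script/img/iframe tags and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url)
        self.inline_scripts = []  # source text of <script> blocks without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_inline = True
            self.inline_scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline_scripts[-1] += data


def classify(url):
    """Return the product name for a known adtech URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for known_host, prefix, product in KNOWN_ADTECH:
        if host == known_host and parts.path.startswith(prefix):
            return product
    return None


def audit_page(page, html, first_party_hosts):
    """List third-party resources referenced by one page's markup."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or host in first_party_hosts:
            continue  # relative or first-party resource
        # Record parameter names only; values may themselves be personal data.
        params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        findings.append({"page": page, "product": classify(url) or UNCLASSIFIED,
                         "host": host, "via": f"<{tag} src>", "params": params})
    # Loaders are often injected by inline code, so search script text as well.
    for script in collector.inline_scripts:
        for known_host, _, product in KNOWN_ADTECH:
            if known_host in script:
                findings.append({"page": page, "product": product, "host": known_host,
                                 "via": "inline script", "params": []})
    return findings


def audit_site(pages, first_party_hosts):
    """Map each product to the sorted list of pages where it was found."""
    by_product = {}
    for page, html in pages.items():
        for f in audit_page(page, html, first_party_hosts):
            by_product.setdefault(f["product"], set()).add(page)
    return {product: sorted(found) for product, found in by_product.items()}


# Constructed sample pages (not taken from any real site).
FIRST_PARTY = {"www.clinic.example"}
PAGES = {
    "/appointments": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
(function (d) { /* constructed stand-in for a pixel loader */
  var t = d.createElement('script');
  t.src = 'https://connect.facebook.net/en_US/fbevents.js';
  d.head.appendChild(t);
})(document);
</script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<script src="https://cdn.vendor.example/widget.js"></script>
</body></html>""",
    "/contact": """<html><body><img src="https://www.clinic.example/logo.png">
<script src="/static/app.js"></script></body></html>""",
}

if __name__ == "__main__":
    for finding in audit_page("/appointments", PAGES["/appointments"], FIRST_PARTY):
        print(finding)
    print(audit_site(PAGES, FIRST_PARTY))
```

Static markup shows only what a page references; confirming which data types were actually transmitted also requires capturing browser network traffic while the page runs.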

  1. Update and modernize website terms of use, data privacy policies, and vendor agreements

Organizations should consider whether to modify their website terms of use and data privacy policies to describe the organization’s use of adtech in additional detail.  Doing so could deter or help defend a future adtech class action lawsuit similar to the many that are being filed today, alleging omission of such additional details, raising claims brought under various states’ consumer fraud acts, and seeking multimillion-dollar statutory damages.

Organizations should consider adding to contracts with website vendors and marketing vendors clauses that prohibit the vendor from incorporating any unwanted adtech into the organization’s public-facing websites.  That could help disprove the element of intent at issue in many claims brought under the recent explosion of adtech lawsuits.

Implications For Corporations: Implementation of these best practices is critical to mitigating risk and saving litigation dollars.

[1] In 2015, for example, a large study found that of 33 banks that had engaged in practices relating to debit card overdrafts, 18 endured class actions and ended up paying out $1 billion to 29 million customers, whereas 15 had arbitration clauses and did not endure any class actions.  See Consumer Financial Protection Bureau (CFPB), Arbitration Study: Report to Congress, Pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act § 1028(a) at Section 8, available at https://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf.  These 15 with arbitration clauses paid almost nothing—less than 30 debit card customers per year in the entire nation filed any sort of arbitration dispute regarding their cards during the relevant timeframe.  See id. at Section 5, Table 1.  Another study of AT&T from 2003-2014 found similarly, concluding, “Although hundreds of millions of consumers and employees are obliged to use arbitration as their remedy, almost none do.”  Judith Resnik, Diffusing Disputes: The Public in the Private of Arbitration, the Private in Courts, and the Erasure of Rights, 124 Yale L.J. 2804 (2015).

[2] AAA, Consumer Mass Arbitration and Mediation Fee Schedule (amended and effective Jan. 15, 2024), available at https://www.adr.org/sites/default/files/Consumer_Mass_Arbitration_and_Mediation_Fee_Schedule.pdf; JAMS, Arbitration Schedule of Fees and Costs, available at https://www.jamsadr.com/arbitration-fees.

[3] J. Maria Glover, Mass Arbitration, 74 Stan. L. Rev. 1283, 1387 & Table 2 (2022).

[4] See, e.g., BuzzFeed Media Enters., Inc. v. Anderson, 2024 WL 2187054, at *1 (Del. Ch. May 15, 2024) (dismissing action to enjoin mass arbitration of claims brought by employees); Hoeg v. Samsung Elecs. Am., Inc., No. 23-CV-1951 (N.D. Ill. Feb. 2024) (ordering defendant of BIPA claims brought by consumers to pay over $300,000 in AAA filing fees); Wallrich v. Samsung Elecs. Am., Inc., 2023 WL 5935024 (N.D. Ill. Sept. 12, 2023) (ordering defendant of BIPA claims brought by consumers to pay over $4 million in AAA fees); Uber Tech., Inc. v. AAA, 204 A.D.3d 506, 510 (N.Y. App. Div. 2022) (ordering defendant of reverse discrimination claims brought by customers to pay over $10 million in AAA case management fees).

[5] See, e.g., Customer Data Platform Institute, “Trackers and pixels feeding data broker stores,” reporting “47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare” (available at https://www.cdpinstitute.org/news/trackers-and-pixels-feeding-data-broker-data-stores/); builtwith, “Facebook Pixel Usage Statistics,” offering access to data on over 14 million websites using the Meta Pixel, stating, “We know of 5,861,028 live websites using Facebook Pixel and an additional 8,181,093 sites that used Facebook Pixel historically and 2,543,263 websites in the United States” (available at https://trends.builtwith.com/analytics/Facebook-Pixel).

Webinar Replay: Privacy Class Action Litigation Trends

Duane Morris Takeaways: The significant stakes and evolving legal landscape in privacy class action rulings and legislation make the defense of privacy class actions a challenge for corporations. As a new wave of wiretapping violation lawsuits target companies that use technologies to track user activity on their websites, there is significant state legislative activity regarding data privacy across the country. In the latest edition of the Data Privacy and Security Landscape webinar series, Duane Morris partners Jerry Maatman, Jennifer Riley, and Colin Knisely provide an in-depth look at the most active area of the plaintiffs’ class action bar over the past year.

The Duane Morris Class Action Defense Group recently published its desk references on privacy and data breach class action litigation, which can be viewed on any device and are fully searchable with selectable text. Bookmark or download the e-books here: Data Breach Class Action Review – 2024 and Privacy Class Action Review – 2024.

South Carolina Federal Court Denies Class Certification In Massive Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In a data breach lawsuit entitled In Re Blackbaud, Inc., Customer Data Breach Litigation, MDL No. 2972, Case No. 3:20-MN-02972, 2024 WL 2155221 (D.S.C. May 14, 2024), Judge Joseph F. Anderson, Jr. of the U.S. District Court for the District of South Carolina denied Plaintiffs’ motion for class certification. The Court found that the Plaintiffs failed to meet their burden of proof as to ascertainability since they could not demonstrate an administratively reasonable method by which to ascertain the estimated 1.5 billion putative class members. This case serves as an important reminder that a plaintiff’s failure to provide a court with an administratively reasonable way to ascertain a class can be an effective tool when combatting class certification motions.

Case Background

Defendant Blackbaud, Inc. provides data collection and storage services to a wide variety of organizations (“customers”). Id. at 2. Defendant collects and stores personally identifiable information and protected health information of individuals on behalf of its clients. Id.

Between February and May 2020, a cybercriminal breached Defendant’s systems, capturing 90,000 backup files containing data belonging to 13,000 of Defendant’s customers, and data belonging to approximately 1.5 billion individuals worldwide. Id. at 3-4.

Various plaintiffs filed suits nationwide, and on December 15, 2020, all of the lawsuits were combined into a multidistrict litigation in the District of South Carolina. Id. at 5. Thereafter, the Plaintiffs moved to certify one main nationwide class, and four other sub-classes, including two in California, one in New York, and one in Florida. Id. at 5-6.

The Court’s Decision

The Court denied Plaintiffs’ motion for class certification. It held that Plaintiffs failed to meet their burden of proof as to Rule 23’s ascertainability requirement. Id. at 1. As a threshold requirement to any class certification, a plaintiff must demonstrate that a class is “ascertainable”, i.e., “that there will be an administratively feasible way for the court to determine whether a particular individual is a class member.” Id. at 16.

Plaintiffs argued four primary points in support of ascertainability, including: (i) the method proposed by their expert; (ii) Defendant’s ability to create a fact sheet about the named Plaintiffs; (iii) Defendant’s ability to give notice to its customers; and (iv) Defendant’s use of a program called Wirewheel. Id. at 17.

As to Plaintiffs’ first point, the Court granted Defendant’s motion to exclude the Plaintiffs’ expert’s testimony on the grounds that the expert failed to sufficiently test his method, was unable to replicate his method, failed to sufficiently document his method, and could not provide the Court with an error rate consistent with generally accepted statistical practices. Id. at 18.

As to Plaintiffs’ second point, the Court found that the Defendant’s ability to create a fact sheet containing information about 34 named Plaintiffs did not weigh in favor of ascertainability, as the Defendant’s process was “not proof that Plaintiffs [could] undertake the larger task of ascertaining the proposed classes and sub-classes” for 1.5 billion individuals. Id. at 45-46. In its decision, the Court placed particular emphasis on the fact that Plaintiffs had not “tested, briefed, or otherwise demonstrated how they would collect information from putative plaintiffs to conduct a process similar to the process Defendant undertook” in creating its fact sheet.  Id. at 40-41.

As to Plaintiffs’ third point, the Court similarly found that the Defendant’s ability to give notice of the breach did not weigh in favor of ascertainability, because “[t]he steps Defendant took to give notice to its customers [is] not comparable to the steps Plaintiffs would need to take to ascertain a class.”  Id. at 48-49. The Court emphasized the distinction between Defendant’s task to provide notice to its 13,000 customers versus Plaintiffs’ task to identify all of the 1.5 billion individual constituents of Defendant’s customers.  Id. at 46, 49.

As to Plaintiffs’ fourth and final point, the Court again held that it did not weigh in favor of ascertainability, as “the Defendant’s ability to utilize a singular, live database that it maintains for the sole purpose of responding to [certain] requests does not in any way indicate that Defendant is necessarily able to restore and query 90,000 backup files of databases that were customized, maintained, and controlled by 13,000 separate customers.”  Id. at 49-50.

In sum, the Court found that the Plaintiffs failed to demonstrate that their “proposed classes and sub-classes” were able to be ascertained “without significant individualized inquiry at a scale that [was] not administratively feasible for Plaintiffs, th[e] Court, Defendant, or any individuals or entities acting at their direction to undertake.”  Id.

Implications For Companies

The Court’s ruling in In Re Blackbaud, Inc., Customer Data Breach Litigation underscores the importance of ascertainability in large-scale data breach class actions. The reality is that companies across the world face threats of large scale cyber-attacks to capture their data daily, whether it be through their own servers or through the technologies and tools they utilize. Since a majority of these cyber threats focus on personally identifiable information or personal health information, each data breach could now potentially affect millions (or billions) of individuals.

It is natural for a company to experience trepidation in light of these threats and the likelihood of a class action that could follow. However, it is important to remember that in any class action, Rule 23 requires a plaintiff to demonstrate that putative class members are identifiable without extensive and individualized fact-finding. The broader the swath Plaintiff wants to brush, the harder it will be for that Plaintiff to demonstrate and plausibly claim to the Court that their class is ascertainable.

The Class Action Weekly Wire – Episode 54: Challenges Posed By Data Breach Class Actions

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associates Emilee Crowther and Ryan Garippo with their discussion of three recent data breach class action filings in the Northern District of Georgia and common challenges and trends they’ve identified in data breach class action litigation over the past 18 months.

Episode Transcript

Jerry Maatman: Thanks so much loyal blog readers and listeners, this is our next episode of the Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today are Emilee Crowther of our Austin office and Ryan Garippo of our Chicago office. Thanks so much to both of you for being on our podcast.

Emilee Crowther: Thank you, Jerry. I’m very happy to be here.

Ryan Garippo: Great to be here, Jerry. Thanks for having me.

Jerry: So today, our subject is the area of data breach class actions in general, and three new class actions recently filed in federal court in the Northern District of Georgia by employees, in essence, alleging that their personally identifying information was compromised during data breaches. Emilee, I know that you practice quite a bit in this space. Could you give us some information on these filings, and why they’re important to corporate counsel?

Emilee: Absolutely, Jerry. These actions were all filed by employees, as you stated: one against Arby’s fast food restaurant owner DRM, Inc., one against healthcare company Aveanna Healthcare, LLC, and then one other against automotive company Asbury Automotive Group, Inc. Each of these actions alleged that after companies were subjected to data breaches the employees’ personally identifying information was threatened by hackers, and the companies failed to take precautions to protect that information.

Jerry: We recently reported in the Duane Morris Class Action Review that among all areas of class action litigation, right now the hottest area is data breach class actions. Frankly, these lawsuits are exploding in popularity and certainly constitute a major area of focus for the plaintiffs’ bar. What is it about these cases that are attractive to the plaintiffs’ bar, and what is alleged in these new cases brought in federal court in Georgia?

Ryan: Well, Jerry, while these actions were filed separately, and the defendants’ businesses differ significantly, the proposed class actions all have similar allegations, including negligence, breach of warranty, and unjust enrichment. The plaintiffs in these class actions allege that they were employed at the companies, and that during their employment, their personal information, including their social security numbers, birth dates, and driver’s license numbers, were collected by their employers. The plaintiffs asserted that the defendants failed to adhere to industry standards to protect their data which led to the data being obtained by hackers. So this information is interesting for the plaintiffs’ bar, particularly because they can bring these allegations en masse and use these class actions to exert leverage against employers.

Jerry: You know, I’ve always thought the business model of plaintiffs’ class action lawyers is to file the case, certify the case, and monetize the case by getting a settlement. Yet our statistics in our Duane Morris Class Action Review showed that of all subset of areas, in the data breach space only 14% of motions for class certification were granted. Many motions to dismiss were granted, because plaintiffs weren’t able to articulate a sufficient injury-in-fact. Emilee, in these particular cases, how are the plaintiffs trying to get around those problems and what are they focusing on to establish standing through allegations of injury-in-fact?

Emilee: The plaintiffs allege that their personal information was captured in the spring, and that their personal identification information was therefore exposed to the cybercriminals at that time. The plaintiffs contend that, due to these cyber-attacks they have an increased vulnerability to identity theft. They also claim that they have spent time and money to mitigate risks, and that the actual value of their information has diminished as a result.

Ryan: Some plaintiffs have also asserted that they’ve been required to monitor their credit reports and are worried about future personal financial security. The plaintiffs also claim emotional distress from the dissemination of their personal information, because they will forever face an amplified risk of further misuse, fraud, and identity theft as a result of the defendants’ alleged conduct.

Jerry: Reminds me of the last class certification motion I argued in a data breach case, and that was the simple-notion judge – it was like a tree that fell in the forest, and nobody heard it. I still think that the plaintiffs’ bar is still finding ways to get around, of course, the injury-in-fact requirement that comes from the famous Trans Union case decided by the U.S. Supreme Court. But thanks, Emilee and Ryan, for your analysis and your thought leadership in this particular area. Blog readers and listeners, hope you enjoyed this installment of the Class Action Weekly Wire, and thanks so much for tuning in.

Emilee: Thanks for having me, Jerry, and thank you, listeners.

Ryan: Thank you, everyone. Great to have an opportunity to be on the podcast.

Texas Federal Court Throws Out Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Austin v. Fleming, Nolen & Jez, LLP, No. 4:23-CV-00901, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024), Judge Andrew S. Hanen of the U.S. District Court for the Southern District of Texas granted Defendant’s motion for summary judgment in a data breach class action. The Court found that Plaintiff’s allegations about the time spent – (i) researching the data breach, (ii) exploring credit monitoring and identity theft options, (iii) self-monitoring her accounts, and (iv) seeking legal counsel – were not compensable damages and could not support her claims.  This case serves as an important reminder that named Plaintiffs in data breach class actions must have suffered an actual, viable, concrete injury to sustain their claims.

Case Background

On February 6, 2023, a cybercriminal breached Defendant’s servers and obtained some of its confidential client data.  Id. at *1.  The cybercriminal then demanded Defendant pay money to avoid the publication of Defendant’s confidential client data on the dark web.  Id.  After Defendant sent out data breach notice letters to their potentially affected clientele, the named Plaintiff, a former client of Defendant, filed a class action complaint against Defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing.  Id.

Defendant moved for summary judgment on the basis that Plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach.  Id.  In response, Plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft.  Id.

The Court’s Decision

The Court ruled that Plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.”  Id. at 4.  As a result, the Court only considered Defendant’s motion for summary judgment as it pertained to Plaintiff’s individual claim against the Defendant. Id.

The Court held that none of the following allegations of harm were sufficient for Plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.”  Id. at *5-6.

Accordingly, the Court found that because Plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper.  Id. at *6.

Implications For Companies

The Court’s ruling in Austin v. Fleming underscores the importance of damages and a viable injury-in-fact in data breach class actions.  The first line of defense in any data breach class action is challenging whether the named Plaintiff suffered an actual, concrete injury.  Used effectively, companies can parlay a Plaintiff’s claimed damages in data breach class actions into a quick off-ramp out of litigation.

The Class Action Weekly Wire – Episode 45: 2024 Preview: Data Breach Class Action Litigation

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jennifer Riley and Alex Karasik and associate Emilee Crowther with their discussion of 2023 developments and trends in data breach action litigation as detailed in the recently published Duane Morris Data Breach Class Action Review – 2024.

Episode Transcript

Jennifer Riley: Welcome to our listeners. Thank you for being here for our weekly podcast the Class Action Weekly Wire. I’m Jennifer Riley, partner at Duane Morris, and joining me today is my partner, Alex Karasik, and our colleague, Emilee Crowther. Thank you guys for being on the podcast.

Alex Karasik: Thank you, Jen. Happy to be part of the podcast.

Emilee Crowther: Thanks, Jen. I’m glad to be here.

Jennifer: Today on the podcast we are discussing the recent publication of this year’s edition of the Duane Morris Data Breach Class Action Review. Listeners can find the eBook publication on our blog, the Duane Morris Class Action Defense Blog. Alex, can you tell our listeners a little bit about our new publication?

Alex: Absolutely, Jen. We’re very excited about this new publication. The purpose of the Duane Morris Data Breach Class Action Review is really multi-faceted. The volume of data breach class actions exploded in 2023. And these types of cases come with unique challenges, including those involving issues of standing and uninjured class members. And these issues continue to vex the courts leading to inconsistent outcomes. Data breach has emerged as one of the fastest growing areas in class action litigation. After every major (and even some of the not-so-major) report of data breach – companies can now expect resulting negative publicity, which in turn often leads to class action litigation. This saddles companies with significant costs to both respond to the data breach as well as deal with these mega lawsuits. In this respect, we hope this book will provide our clients and corporate counsel with an analysis of trends and significant rulings in the data breach space which will enable them to make informed decisions when dealing with litigation risks in this area. And hopefully, this can be a key desktop reference for all those whoever might encounter a data breach class action.

Jennifer: Defense of data breach class actions is continuing to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar and data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. The Review has dozens of contributors, thus manifesting the collective experience and expertise of our Class Action Defense Group. Emilee, what benefits can this offer our clients?

Emilee: Well, there are a lot of different benefits that could be offered. But while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The Review provides examination of the recent developments and settlements in the law and the area of data breach class action litigation. This publication assists our clients by identifying developing trends in the case law and offering practical approaches in dealing with data breach class action litigation.

Jennifer: What were some of the key takeaways from the publication with regard to litigation in this area in 2023?

Emilee: It remains somewhat difficult to obtain class certification for plaintiffs in data breach class actions this year, with only 14% of motions for class certification being granted. However, while data breach class actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages. A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims.

Alex: We also discuss in the Review the impact that the MOVEit Customer Data Security Breach Litigation will have on the data breach class action landscape in general. Although this class action is in its infant stages, the Judicial Panel on Multidistrict Litigation has consolidated more than 100 class action lawsuits resulting from an alleged cyber gang in Russia’s exploitation of a vulnerability in the file transfer software MOVEit. The group threatens to publish files to its website, which leaks private data. The impacts of this data breach are still unfolding, but it certainly has significant stakes. The long-term fallout might include personally identifiable information (“PII”) being leaked potentially of up to 55 million people. Some of the affected entities include Shell, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. So there’s lots of folks impacted in this one.

Jennifer: Thanks, Alex. This data breach litigation is at the top of the watch list as we move into 2024, we will be sure to keep our listeners updated with all of the important developments. The Review also talks about the top data breach settlements in 2023. How do plaintiffs do in securing settlement funds this past year?

Emilee: Well, Jen, plaintiffs did very well in securing high dollar settlements in 2023. The top 10 settlements totaled $515.75 million dollars. The top settlement alone in 2023 was $350 million dollars in a case called In Re T-Mobile Customer Data Security Breach Litigation, which resolved claims that cybercriminals exploited T-Mobile’s data security protocols and gained access to internal servers containing the personally identifiable information of millions of customers.

Jennifer: We will continue to track those settlement numbers in 2024, as record-breaking settlement amounts have been a huge trend that we have followed for the past two years. Thanks Alex and Emilee for being here today, and thank you to our loyal listeners for tuning in. Listeners, please stop by the blog for a free copy of the Data Breach Class Action Review eBook.

Emilee: Thank you for having me, Jen, and thank you listeners.

Alex: Thank you, listeners, we appreciate you!

© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
