Texas Federal Court Throws Out Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Austin v. Fleming, Nolen & Jez, LLP, No. 4:23-CV-00901, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024), Judge Andrew S. Hanen of the U.S. District Court for the Southern District of Texas granted Defendant’s motion for summary judgment in a data breach class action. The Court found that the time Plaintiff’s allegations about the time spent – (i) researching the data breach, (ii) exploring credit monitoring and identity theft options, (iii) self-monitoring her accounts, and (iv) seeking legal counsel – were not compensable damages and could not support her claims.  This case serves as an important reminder that named Plaintiffs in data breach class actions must have suffered an actual, viable, concrete injury to sustain their claims.

Case Background

On February 6, 2023, a cybercriminal breached Defendant’s servers and obtained some of its confidential client data.  Id. at *1.  The cybercriminal then demanded Defendant pay money to avoid the publication of Defendant’s confidential client data on the dark web.  Id.  After Defendant sent out data breach notice letters to their potentially affected clientele, the named Plaintiff, a former client of Defendant, filed a class action complaint against Defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing.  Id.

Defendant moved for summary judgment on the basis that Plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach.  Id.  In response, Plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft.  Id.

The Court’s Decision

The Court ruled that Plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.”  Id. at 4.  As a result, the Court only considered Defendant’s motion for summary judgment as it pertained to Plaintiff’s individual claim against the Defendant. Id.

The Court held that none of the following allegations of harm were sufficient for Plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.”  Id. at *5-6.

Accordingly, the Court found that because Plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper.  Id. at *6.

Implications For Companies

The Court’s ruling in Austin v. Fleming underscores the importance of damages and a viable injury-in-fact in data breach class actions.  The first line of defense in any data breach class action challenging whether the named Plaintiff suffered an actual, concrete injury.  Used effectively, companies can parlay a Plaintiff’s claimed damages in data breach class actions as quick off-ramp out of litigation.

The Class Action Weekly Wire – Episode 45: 2024 Preview: Data Breach Class Action Litigation

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jennifer Riley and Alex Karasik and associate Emilee Crowther with their discussion of 2023 developments and trends in data breach action litigation as detailed in the recently published Duane Morris Data Breach Class Action Review – 2024.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jennifer Riley: Welcome to our listeners. Thank you for being here for our weekly podcast the Class Action Weekly Wire. I’m Jennifer Riley, partner at Duane Morris, and joining me today is my partner, Alex Karasik, and our colleague, Emilee Crowther. Thank you guys for being on the podcast.

Alex Karasik: Thank you, Jen. Happy to be part of the podcast.

Emilee Crowther: Thanks, Jen. I’m glad to be here

Jennifer: Today on the podcast we are discussing the recent publication of this year’s edition of the Duane Morris Data Breach Class Action Review. Listeners can find the eBook publication on our blog, the Duane Morris Class Action Defense Blog. Alex, can you tell our listeners a little bit about our new publication?

Alex: Absolutely, Jen. We’re very excited about this new publication. The purpose of the Duane Morris Data Breach Class Action Review is really multi-faceted. The volume of data breach class actions exploded in 2023. And these types of cases come with unique challenges, including those involving issues of standing and uninjured class members. And these issues continue to vex the courts leading to inconsistent outcomes. Data breach has emerged as one of the fastest growing areas in class action litigation. After every major (and even some of the not-so-major) report of data breach – companies can now expect resulting negative publicity, which in turn often leads to class action litigation. This saddles companies with significant costs to both respond to the data breach as well as deal with these mega lawsuits. In this respect, we hope this book will provide our clients and corporate counsel with an analysis of trends and significant rulings in the data breach space which will enable them to make informed decisions when dealing with litigation risks in this area. And hopefully, this can be a key desktop reference for all those whoever might encounter a data breach class action.

Jennifer: Defense of data breach class actions is continuing to grow into a high-stakes arena. The playbook of the plaintiffs’ class action bar and data breach cases continues to press the legal envelope on how courts are willing to interpret injuries stemming from data breaches and methods for calculating damages. The Review has dozens of contributors, thus manifesting the collective experience and expertise of our Class Action Defense Group. Emilee, what benefits can this offer our clients?

Emilee: Well, there are a lot of different benefits that could be offered. But while a data breach can be perpetrated in any number of ways, the legal issues that arise from the theft or loss of data largely fall within the same set of legal paradigms. The Review provides examination of the recent developments and settlements in the law and the area of data breach class action litigation. This publication assist our clients by identifying developing trends in the case law and offering practical approaches in dealing with data breach class action litigation.

Jennifer: What were some of the key takeaways from the publication with regard to litigation in this area in 2023?

Emilee: It remains somewhat difficult to obtain class certification for plaintiffs in data breach class actions this year, with only 14% of motions for class certification being granted. However, while data breach class actions pursued a decade ago faced little prospect of success, recent developments in the law and subsequent jurisprudence are providing momentum for the plaintiffs’ class action bar. Plaintiffs can more readily show standing and successfully plead duty, causation, and damages. A fundamental question in most data breach class actions is whether the plaintiff can show that he or she has standing to assert claims.

Alex: We also discuss in the Review the impact that the MOVEit Customer Data Security Breach Litigation will have on the data breach class action landscape in general. Although this class action is in its infant stages, the Judicial Panel on Multidistrict Litigation has consolidated more than 100 class action lawsuits resulting from an alleged cyber gang in Russia’s exploitation of a vulnerability in the file transfer software MOVEit. The group threatens to publish files to its website, which leaks private data. The impacts of this data breach are still unfolding, but it certainly has significant stakes. The long-term fallout might include personally identifiable information (“PII”) being leaked potentially of up to 55 million people. Some of the affected entities include Shell, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. So there’s lots of folks impacted in this one.

Jennifer: Thanks, Alex. This data breach litigation is at the top of the watch list as we move into 2024, we will be sure to keep our listeners updated with all of the important developments. The Review also talks about the top data breach settlements in 2023. How do plaintiffs do in securing settlement funds this past year?

Emilee: Well, Jen, plaintiffs did very well in securing high dollar settlements in 2023. The top 10 settlements totaled $515.75 million dollars. The top settlement alone in 2023 was $350 million dollars in a case called In Re T-Mobile Customer Data Security Breach Litigation, which resolved claims that cybercriminals exploited T-Mobile’s data security protocols and gained access to internal servers containing the personally identifiable information of millions of customers.

Jennifer: We will continue to track those settlement numbers in 2024, as record-breaking settlement amounts have been a huge trend that we have followed for the past two years. Thanks Alex and Emilee for being here today, and thank you to our loyal listeners for tuning in. Listeners, please stop by the blog for a free copy of the Data Breach Class Action Review eBook.

Emilee: Thank you for having me, Jen, and thank you listeners.

Alex: Thank you, listeners, we appreciate you!

Hot Off The Presses! The Duane Morris Data Breach Class Action Review – 2024

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaways: Data breaches are becoming increasingly common and detrimental to companies. The scale of data breach class actions “exploded” in 2023, as companies faced copycat and follow-on lawsuits across multiple jurisdictions. The combined value of the top 10 settlements across all areas of class-action litigation hit near-record highs. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Data Breach Class Action Review – 2024. This new publication analyzes the key data breach related rulings and developments in 2023 and the significant legal decisions and trends impacting data breach litigation for 2024. We hope that companies and employers will benefit from this resource and assist them with their compliance with these evolving laws and standards.

Click here to download a copy of the Duane Morris Data Breach Class Action Review – 2024 eBook.

Stay tuned for more data breach action analysis coming soon on our weekly podcast, the Class Action Weekly Wire.

Illinois Federal Court Dismisses Five Of Six Causes of Action In Data Breach Class Action Against Chicagoland Nonprofit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Wittmeyer v. Heartland Alliance for Human Needs & Rights, No. 23-CV-1108, 2024 WL 182211 (N.D. Ill. Jan. 17, 2024), U.S. District Judge Jeremy C. Daniel granted in part and denied in part Defendant Heartland’s motion to dismiss under Rule 12(b)(6). The Court found that the Plaintiffs only pled facts sufficient to support their negligence claim, and dismissed their negligence per se, breach of express and implied contract, breach of the Illinois Consumer Fraud Act and Deceptive Business Practices Act claims, and declaratory judgment and injunction claims.  The ruling is exceedingly favorable for companies. Data breach class action defendants should utilize this decision as a roadmap when preparing motions to dismiss.

Case Background

Heartland Alliance for Human Needs & Rights (“Heartland”) is a non-profit, anti-poverty organization that provides healthcare and other services to individuals.  Id. at *1.  To receive services, individuals provide Heartland with personally identifiable information (“PII”) such as names and social security numbers.  Id.  For those individuals who receive medical services, Heartland also collects and stores personal health information (“PHI”) including medical diagnoses and medication records.  Id.

In January 2022, unauthorized individuals obtained access to the PII and PHI of Heartland’s clients, employees, and independent contractors.  Id.  In December 2022, Plaintiffs Tracy Wittmeyer and Audrey Appiakorang received notice that their PII and PHI were compromised in the data breach.  Id.  Plaintiffs alleged that they experienced various damages such as increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the data breach, and, in particular as to Plaintiff Appiakorang, that someone fraudulently obtained car insurance in her name.  Id.

Plaintiffs filed a class action against Heartland for various claims, including: (i) negligence, (ii) negligence per se, (iii) breach of express contract, (iv) breach of implied contract, (v) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and (vi) a declaratory judgment and injunction.  Id.  Subsequently, Heartland moved to dismiss the lawsuit under Rule 12(b)(6).  Id.

The Court’s Decision

U.S. District Judge Jeremy C. Daniel granted Heartland’s motion to dismiss as to Plaintiffs’ negligence per se, express and implied breach of contract, violation of the ICFA, and declaratory judgment and injunction claims.  Id.  at * 7.

The Court, however, denied Heartland’s motion to dismiss Plaintiffs’ negligence claim.  Id. at *3.  Heartland asserted that it did not owe Plaintiffs a duty to safeguard their personal information.  Id.  The Court disagreed. It “decline[d] to find, as a matter of law, that Heartland owed no duty to the plaintiff to safeguard their personal information.”  Id.  (citing an amendment to the Illinois Personal Information Protection Act and the Illinois Appellate Court’s holding in Flores v. Aon Corp., 2023 IL App (1st) 230140,  at ¶ 23.).

The Court granted Heartland’s motion to dismiss Plaintiffs’ negligence per se claim.  Id.  Plaintiffs alleged that because Heartland failed to comply “with the FTCA and its corresponding obligations under HIPAA,” Plaintiffs were injured.  Id. at *4.  However, the Court reasoned that a violation of a statute only constitutes negligence per se “when it is clear that the legislature intended for the act to impose strict liability.”  Id. at *3.  Since Plaintiffs did not allege that either the FTCA or HIPAA imposed strict liability, the Court granted Heartland’s motion to dismiss.  Id. at *4.

The Court also granted Heartland’s motion to dismiss Plaintiffs’ breach of express and implied contract claims.  Id. at *4-6.  The Court dismissed Plaintiffs’ breach of express contract claim because they failed to allege facts in the complaint to demonstrate that the parties entered into an express contract regarding security measures for Plaintiffs’ PII and PHI.  Id. at *4.  While the Court observed that an implied contract could exist between the parties, because Plaintiffs’ complaint did not contain any allegations that the Plaintiffs suffered monetary damages as a result of the data breach, the Court dismissed its breach of implied contract claim.  Id. at *5-6.

Finally, the Court dismissed Plaintiffs’ ICFA and declaratory judgment and injunction claims. Id. at *6-7.  Under the ICFA, the Court opined that Plaintiffs were required to plead facts sufficient to demonstrate the existence of a “real and measurable” loss.  Id. at *6.  The Court dismissed Plaintiffs’ ICFA claim because it found that Plaintiffs failed to plausibly plead that they suffered an economic loss.  Id.  In addition, the Court dismissed Plaintiffs’ declaratory judgment and injunction causes of action, noting that while they are forms of relief, they are not cognizable, independent causes of action.  Id. at *7.

Implications For Data Breach Defendants

The decision in Wittmeyer v. Heartland Alliance for Human Needs & Rights serves as a roadmap for data breach class action defendants to utilize when preparing motions to dismiss.

Early in the litigation, data breach class action defendants typically move to dismiss a plaintiff’s complaint under Rule 12(b)(1) for lack of subject matter jurisdiction and/or, as Heartland did here, under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. Importantly, various jurisdictions across the United States have different approaches to the issue of whether various claimed damages (i.e., increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with a data breach, loss of value in PII and PHI, and emotional harms like anxiety and stress) can confer standing upon a plaintiff. Class action defendants should conduct a thorough review of their relevant jurisdiction’s holdings concerning the plaintiff’s claimed damages in support of any motion to dismiss.


Arizona Federal Court Grants Pest Control Company’s Motion To Dismiss Data Breach Class Claims

By Gerald L. Maatman, Jr., Jennifer A. Riley, and George J. Schaller

Duane Morris Takeaways: In Gannon v. Truly Nolen of America Inc., No. 22-CV-428 (D. Ariz. Aug. 31, 2023), Judge James Soto of the U.S. District Court for the District of Arizona granted Defendant’s motion to dismiss with prejudice on negligence, breach of contract, and consumer fraud claims related to a data breach class action. For companies facing data breach claims in class actions, this decision is instructive in terms of how courts consider cognizable damages, especially when damages allegations are inadequately plead.

Case Background

Defendant Truly Nolen of America Inc. (“Defendant” or the “Company”), is an Arizona corporation that provides pest control services across the United States and in 30 countries around the world.  Id. at 2.  The Company experienced a data breach between April 29, 2022 and May 11, 2022.  On May 11, 2022, the Company learned the breach occurred and identified personally identifiable information (“PII”) and personal health information (“PHI”) that was compromised.  Id.  In August of 2022, Defendant sent notice letters to individuals whose data may have been compromised.  Id.  

The Named Plaintiff, Crystal Gannon (“Plaintiff”), alleged that she received her notice letter regarding the data breach in August of 2022.  Id. at 3.  In her First Amended Complaint (“FAC”), Plaintiff sought to represent two proposed classes of plaintiffs, including one for a Nationwide Class and one for an Arizona Sub-class, related to the data breach.  Id.

Plaintiff alleged numerous claims such as negligence, invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violation of the Arizona Consumer Fraud Act (“Fraud Act”).  Id.  In response, Defendant filed a motion to dismiss on the grounds that Plaintiff’s case was without basis and the entire case was subject to dismissal.  Id.

The Court’s Decision

The Court held that there was no valid basis for Plaintiff’s negligence claim.  Id. at 4.  Plaintiff argued that the Health Insurance Portability and Accountability Act (“HIPAA”) and the Federal Trade Commission Act (“FTCA”) created a duty in Arizona from which relief could be sought.  Id.  The Court disagreed. It found that neither the HIPAA nor the FTCA provided a private right of action.  Id.  The Court reasoned that “[p]ermitting HIPAA to define the ‘duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.’”  Id.  The Court applied the same logic to the FTCA.  Id.

On negligence damages, the Court held that Plaintiff’s FAC failed “to show identity theft or loss in continuity of healthcare of any class members – only the possibility of each.”  Id.  Under Arizona law, negligence damages require more than merely a threat of future harm, and on their own, threats of future harm are not cognizable negligence injuries.  Id. 4-5.  Similarly, as to out-of-pocket expenses, the Court opined that Plaintiff failed to demonstrate that her expenses were necessary because she did not properly show that Defendant’s identity monitoring services were inadequate.  Id. at 5.  Finally, the Court recognized that merely alleging a diminution in value to somebody’s PII or PHI was insufficient.  Id.  Therefore, the Court dismissed Plaintiff’s negligence claims.

Turning to Plaintiff’s breach of contract claims, the Court determined that Plaintiff did not show cognizable damages, a reasonable construction for the terms of the contract, or consideration for the existence of an implied contract.  Id. at 6. The Court held that Plaintiff’s FAC allegations only reflected speculative damages and did not allege proof of real damages.  Id. at 5.  The Court opined that Plaintiff’s “vaguely pleaded” contract terms failed to show any language that would inform the terms of the agreement and Plaintiff did not point to any conduct or circumstances from which the terms could be determined.  Id. at 5-6.  Finally, the Court determined that even if Defendant had an obligation to protect the data at issue, such pre-existing obligations did not serve as consideration for a contract.  Id.  Therefore, the Court dismissed all breach of implied contract claims.  Id.

On the claim for breach of the implied covenant of good faith and fair dealing, Plaintiff argued that Defendant breached by failing to maintain adequate computer systems and data security practices, failed to timely and adequately disclose the data breach, and inadequately stored PII and PHI.  Because Plaintiff failed to show an enforceable promise, the Court held there could be no breach, and all claims for breach of the implied covenant of good faith and fair dealing were dismissed.  Id. at 6.

The Court also dismissed Plaintiff’s Fraud Act claims because Plaintiff failed to show cognizable damages.  Id. at 7.  The Court reasoned “[p]laintiff cannot simply argue that the system is inadequate because a negative result occurred.”  Id.  The Court also reasoned that Plaintiff failed to demonstrate that Defendant’s security was inadequate when compared to other companies or any set of industry standards. Id.  As to Plaintiff’s privacy claims, the Court held that there were no cognizable claims for invasion of privacy or breach of privacy, and Plaintiff did not dispute these claims in her response.  Id.

Accordingly, the Court granted Defendant’s motion to dismiss as to all claims, denied Plaintiff leave to amend her complaint, and dismissed the case with prejudice. Id.

Implications For Companies

Companies confronted with data breach lawsuits should take note that the Arizona federal court in Gannon relied heavily on inadequately pleaded allegations in considering cognizable damages for purposes of granting Defendant’s motion to dismiss. Further, from a practical standpoint, companies should carefully evaluate pleadings for insufficient or speculative assertions on damages.

Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action

By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller

Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court’s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase “who had their data accessed by cybercriminals” and to analyze the viability of the California class.

For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.

Case Background

Defendant Brinker International, Inc, owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised.  Id. at 2.  Hackers targeted Chili’s restaurant systems and stole both customer data and personally identifiable information, and posted that information on an online market place for stolen payment data.  Id. at 2-3.  Plaintiffs alleged that 4.5 million cards were accessed by hackers.  Id. at 3.

The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili’s restaurants between March and April in their respective states.  Id. at 3-4.  After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards, Steinmetz did not experience fraudulent charges.  Id. at 3-4.

Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief.  Id. at 4The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws.  Id. at 5.  Brinker appealed the district court’s class certification orders.  Id.

The Eleventh Circuit’s Decision

The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing.  Id. at 10.  Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse through future misuse of information associated with the hacked credit card.  Id. at 9-10.

The Eleventh Circuit, however, vacated the district court’s order and found Franklin and Steinmetz could not meet the traceability requirement for standing.  Id. at 11.  Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable.  Id.  Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action.  Id. at 12-13.  For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes.  Id. at 13.

As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.”  Id. at 15.  The Eleventh Circuit determined that the district could need to refine the class definition to include those two categories only and then conduct a new predominance analysis to include uninjured individuals who simply had their data accessed. As a result of the problems with the class definition, the Eleventh Circuit remanded the case.  Id. at 15-16.  The Eleventh Circuit also remanded the case in light of Franklin’s lack of standing to determine the viability of the California-based class.  Id. at 16.

Implications For Employers

Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase “data accessed by cybercriminals” in remanding the district court’s order.

Further, from a practical standpoint, employers should carefully evaluate district court’s class definitions for overbroad terms or phrases when preparing an appeal.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress