By Jennifer A. Riley
Duane Morris Takeaway: Data breach litigation remained expansive in 2024 as plaintiffs filed more data breach class actions than in any other year and double the number filed in 2022. As the number of data breaches has accelerated, such events have provided the fuel for a surge of class actions. Despite the significant increase in filings, courts issued few (only four) class certification decisions in 2024, suggesting that many motions are in the pipeline or that, observing the difficulty that plaintiffs have faced in certifying such cases over the past two years, plaintiffs are electing to monetize their data breach claims prior to reaching that crucial juncture. So long as defendants continue to play ball on the settlement front, we are likely to see settlement payouts continue to lure plaintiffs to this space and fuel those filing numbers.
Watch the video below to learn more about this trend from Review co-editor Jennifer Riley:
- Filing Numbers Continue Their Upward Trajectory
The volume of data breach class actions continued to proliferate in 2024. Data breach has emerged as one of the fastest growing areas of class action litigation. After every major (and not-so-major) report of a data breach, companies now can expect the resulting negative publicity to prompt one or more class action lawsuits, saddling companies with the significant costs of responding to the data breach as well as the significant costs of dealing with high-stakes class action lawsuits, often on multiple fronts.
Companies that are unfortunate enough to fall victim to data breaches in 2024 faced class actions at an increasing rate. In 2024, we tallied 1,488 class action filings in the data breach area, compared with 1,320 in 2023, and 604 in 2022.
As the graphic depicts, the growth of filings in the data breach area has been extraordinary, from 108 class action filings in 2018 to 1,488 class action filings in 2024, an increase of more than 1,265% over six years.
Several factors likely contributed to this continued surge in data breach class actions in 2024. First, data breaches have continued to increase at a rate that roughly tracks the shape of the curve depicted above. Second, whereas data breach actions pursued a decade ago faced little prospect of success, recent court decisions have provided a roadmap for plaintiffs to attempt to show standing and successfully plead duty, causation, and damages, thereby providing additional momentum for the plaintiffs’ class action bar. Third, settlement numbers have fueled filings, as plaintiffs are succeeding in monetarizing claims early before facing the investment or risk of class certification, making data breach claims a continued area of popularity for the plaintiffs’ bar.
2. Plaintiffs Continue To Face Hurdles In The Courthouse
The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021), presents a fundamental threshold challenge for many data breach class action plaintiffs in terms of whether the plaintiff can show that he or she suffered a concrete injury such that he or she has standing to assert a claim. In TransUnion, the Supreme Court ruled that certain putative class members, who did not have their credit reports shared with third parties, did not suffer concrete harm and, therefore, lacked standing to sue. Since the TransUnion decision, standing has emerged as a key defense to data breach litigation because the plaintiffs often have difficulty demonstrating that they suffered concrete harm.
Courts, however, have continued to disagree over the application of TransUnion in the data breach context and have handed down a kaleidoscope of decisions. For instance, in cases where plaintiffs fail to assert plausible allegations of present injury that are fairly traceable to the data breach and rely instead on an asserted risk of future harm, some courts have found that mere public disclosure of private facts is sufficiently “concrete” to establish standing, whereas others have required allegations showing that the risk of future harm is substantial.
In Logan, et al. v. Marker Group, Inc., 2024 WL 3489208 (S.D. Tex. July 18, 2024), for example, plaintiffs alleged that the defendant failed to properly secure their protected health information and personally identifiable information (PII), thus leaving them to “face a lifetime of heightened risk of identity theft and fraud” as a result of the data breach. Id. at *6. The court granted the defendant’s motion to dismiss on the basis of lack of standing, finding that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” Id. (citing TransUnion).
In Jones, et al. v. Sturm, Ruger & Co.,2024 WL 1307148 (D. Conn. Mar. 27, 2024), by contrast, plaintiff alleged that a breach compromised customers’ PII and payment card data (PCD). The court denied the defendant’s motion to dismiss for lack of standing. The court concluded that, under TransUnion, the plaintiff’s alleged injury was sufficiently “concrete” for standing purposes because “exposure of Plaintiffs’ PII to unauthorized third parties ‘bears some relationship’ to the ‘well-established common-law analog: public disclosure of private facts.’” Id. at *3 (quoting Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276, 285 (2d Cir. 2023)).
Plaintiffs who clear the standing hurdle face another key inflection point at the class certification phase. Despite the significant increase in filings, however, courts issued only five rulings on motions for class certification in 2024. This suggests that hundreds of motions are in the pipeline or that, observing the difficulty that plaintiffs have faced in certifying data breach such cases over the past two years, plaintiffs are electing to monetize their data breach claims prior to reaching that crucial juncture.
In Baker, et al. v. Parkmobile, LLC, 21-CV-2182, ECF No. 243 at 23 (N.D. Ga. Apr. 8, 2024), for example, a plaintiff’s expert conceded in detail at his deposition that, to resolve plaintiff’s claims, the court would need to undertake highly individualized inquiries as to whether the plaintiff was subject to a credential stuffing attack and whether such attack caused any injury. The parties reached a settlement while the motion for class certification was fully briefed and a decision was pending.
The certification rate, however, improved somewhat for plaintiffs in 2024. Courts issued five rulings on motions for class certification, and plaintiffs prevailed on two, a success rate of 40%. By comparison, in 2023, courts issued seven rulings on motions for class certification, and plaintiff prevailed in one, for a success rate of 14%.
Despite the increase in success rate, the recipe for successfully certifying a data breach class remains a work in progress, as unsuccessful plaintiffs encountered both new and old issues in 2024. For instance, in In Re Blackbaud, Inc. Customer Data Breach Litigation, 2024 WL 2155221 (D.S.C. May 14, 2024), the court denied class certification because plaintiffs failed to identify any administratively feasible way for the court to ascertain the identities of about 1.5 billion putative class members whose data was stored in 90,000 backup files.
In Vest Monroe, LLC, et al. v. Doe, No. S-23-G-1224, 2024 Ga. LEXIS 187 (Ga. Sept. 4, 2024), the Georgia Supreme Court upheld the denial of class certification because variation in the materials allegedly disclosed prevented plaintiff from showing commonality or typicality. The plaintiff’s claim arose from the conduct of an ex-employee who disclosed digital copies of documents and recordings. In finding a lack of commonality, the trial court noted the differences in the type of documents allegedly disclosed with respect to members of the proposed class, as some contained diagnosis and treatment information, while others did not. Id. at *4. Relatedly, some members of the proposed class had clinical information revealed, while plaintiff did not. The Georgia Supreme Court determined that the trial court did not err in its determination.
Although plaintiffs continue to search for a road map to reliably certify data breach class actions, defendants are continuing to fund settlements, allowing plaintiffs to monetize their claims without clearing the certification hurdle. Such circumstances are apt to continue to draw plaintiffs’ class action lawyers to the data breach space and to continue to generate filings.