Defending Data Breach Class Actions
Wednesday, December 18, 2024

Introduction

Class actions arising from data breaches represent the fastest growing segment of class action filings. In 2023, more than 2000 class actions were filed, more than triple the number filed in 2022.1 These cases were filed in federal and state courts across the country, with California receiving the largest number of filings. High-profile cases like the $52 million penalty that Marriott agreed to pay in October 2024 highlight the regulatory scrutiny and legal challenges companies face. A Capitology study of 28 cases showed an average stock price drop of 7.27% following announcement of a data breach. Financial companies saw a 17% decrease within the first 16 trading days following a breach. For board members of a public company, it is crucial to understand the strategies for preventing breaches and defending against the class actions that follow.

I. Understanding Data Breach Class Actions

While each class action is different, there are consistent themes in the cases that have been filed. Plaintiffs generally assert that a corporate entity did one or more of the following things:

  • Failed to implement adequate cybersecurity measures to prevent a breach; 
  • Deceived consumers regarding the adequacy of their cybersecurity defenses; and
  • Failed to provide timely or sufficient information following a data breach.

These factual allegations of misconduct are typically used to support a variety of legal claims, including:

  • Negligence
  • Negligence Per Se, usually based on the FTC Act
  • Breach of Contract (express or implied)
  • Invasion of Privacy
  • Unjust Enrichment
  • State Consumer Protection Statute (some entities such as financial services institutions may be exempt from these claims)
  • Declaratory Judgment

In order to bring a class action, plaintiffs must allege that there is a class that is sufficiently numerous, and that the members have sufficient commonality so that the claim can be brought as a class action. They must prove injury to the class members and prevail on one or more claims to recover.

To date, the primary targets for data breach class actions have been credit rating agencies, financial institutions, and health care providers. Plaintiff’s counsel target these industries both because the data they collect is typically highly confidential and because there are often federal or state regulations which help establish a standard of care.

Some state legislatures have grown concerned about the wave of data breach class actions. One particularly interesting development is a 2024 Tennessee statute, Public Chapter 991, which establishes a heightened liability standard for class actions arising from cybersecurity events. The statute appears to be designed to protect the healthcare industry, a mainstay of the Tennessee economy. The bill requires plaintiffs to establish that the cybersecurity event was “caused by the willful and wanton misconduct or gross negligence on the part of the private entity.” Both Florida and West Virginia have considered similar measures. Other states may follow suit. 

II. Legal Defenses To Data Breach Class Actions

Standing

Standing is perhaps the most important issue for defendants to analyze when facing a data breach class action. It is unusual for an entire class of plaintiffs to suffer direct damages, such as funds taken from accounts using stolen data. Instead, plaintiffs typically allege that the class members have incurred mitigation costs (such as credit monitoring), suffered intangible injuries (such as loss of privacy), expect future injury (losses due to misuse of stolen data), or were damaged by overpaying for services that they expected to be secure from cybertheft. Whether these types of damages create a “case and controversy” sufficient to allow plaintiffs to proceed in federal court has been frequently litigated. Inconsistent holdings across circuit and district courts make it difficult to predict how any particular court will rule on an issue.

The United States Supreme Court has not directly addressed standing requirements in the context of data breach class actions. Nonetheless, the court’s 2021 decision in Transunion v. Ramirez, 141 S.Ct. 2190 (2021), is the touchstone for most standing arguments. In Transunion, the Supreme Court considered a class action brought by consumers whom Transunion had improperly labeled a “terrorist threat.” The Supreme Court found that consumers who had inaccurate information shared with third parties had standing to sue Transunion because their injury bore a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” Specifically, the court held that the reputational harm of having others think you are a terrorist was closely related to long-standing harms such as defamation of character. However, those consumers who had information in their Transunion files that was inaccurate, but that had not been shared with third parties, had their claims dismissed. The court concluded that for these consumers, the alleged injury was too speculative to give them standing to sue.

Circuit courts have addressed standing in data breach class actions with varying results. An important decision from the Second Circuit applied Transunion and concluded that the exposure of a person’s private information to a third party creates Article III standing because the injury “bears some relationship to a well-established common-law analog: public disclosure of private facts.” Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276, 285-86 (2d Cir. 2023). Additionally, the Sixth, Seventh, Ninth, and D.C. Circuits have all recognized, at the pleading stage, that a plaintiff can establish injury-in-fact based on the increased risk of identity theft. See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340 (11th Cir. 2021). However, the Second, Fourth, Eighth and Eleventh Circuits have generally rejected the “increased risk of future identity theft” theory of standing in the context of a data breach. Id. Indeed, the Eighth Circuit issued an important early opinion, In re SuperValu, Inc., 870 F.3d 763, 770 (8th Cir. 2017), which relied on a GAO study suggesting that credit card numbers alone “generally cannot be used alone to open unauthorized new accounts,” and therefore the threat of fraud was not sufficiently high to create standing. A review of recent decisions in this area suggests that the battle over standing may turn on the introduction of expert evidence about the likelihood that the stolen data in question will actually be used to harm consumers in the alleged class.

The Fourth Circuit considered an early data breach incident in Beck v. McDonald, a case which involved the theft of a laptop containing personal health information. The court dismissed the case for lack of standing, finding “neither the VA's finding that a ‘reasonable risk exists’ for the ‘potential misuse of sensitive personal information’ following the data breaches, nor its decision to pay for credit monitoring to guard against it is enough to show that the Defendants subjected the Plaintiffs to a ‘substantial risk’ of harm.” Beck v. McDonald, 848 F.3d 262, 276 (4th Cir. 2017). In contrast, the Fourth Circuit upheld a data breach claim the following year where “Plaintiffs have been concretely injured by the data breach because the fraudsters used—and attempted to use—the Plaintiffs' personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.” Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018).

While Hutton was the last Fourth Circuit decision to directly address the question of standing, several district courts in the Fourth Circuit have dismissed data breach class actions on standing grounds. In Darnell v. Wyndam Capital Mortgage, Inc., 2021 WL 1124792, Judge Whitney of the Western District of North Carolina applied Hutton to find that loss of privacy and risk of breach were insufficient for standing. A few months after Darnell, Judge Whitney issued an order finding that a class action plaintiff did have standing where she “alleges misuse of her card in the form of a fraudulent charge and [the plaintiff] also alleges her personal information was accessed and misused when allegedly published on the Dark Web.” McCreary v. Filters Fast LLC, No. 3:20-CV-595-FDW-DCK, 2021 WL 3044228, at *5 (W.D.N.C. July 19, 2021). But he also found the plaintiffs “do not have standing to sue for alleged injuries arising out of the continued risk to their personal information and PCD, which remains in the possession of Filters Fast and which is subject to further breaches so long as Filters Fast continues to fail to undertake appropriate and adequate measures to protect Plaintiffs' and Class Members' data in its possession,” because “this future injury—that some other hacker or data thief might access their personal data stored by Defendant—requires speculation that Defendant’s data storage is likely to be retargeted simply because it has previously been hacked.” Id. at *7.

Other district courts have reached similar conclusions. The court in Podroykin v. Am. Armed Forces Mut. Aid Ass'n, 634 F. Supp. 3d 265 (E.D. Va. 2022), found that conclusory statements regarding targeting of Personally Identifiable Information (“PII”) in a data breach failed to show the substantial risk of harm required for standing. Similarly, Betz v. St. Joseph's/Candler Health Sys., Inc., 630 F. Supp. 3d 734, 752 (D.S.C. 2022), concluded “absent any allegations that Plaintiff's data has been used in a fraudulent manner, the Court finds no concrete harm alleged with respect to the lost opportunity to monitor for identify theft. As for Plaintiff's alleged costs of mitigating measures to safeguard against future identity theft, the Court also finds this harm too speculative to show sufficient injury-in-fact to satisfy the first element of the standing analysis.”

Arbitration Provisions

Many companies have started using arbitration clauses in their consumer contracts. These clauses often include waivers of class or mass proceedings. While some states are hostile to arbitration provisions, they are preemptively enforceable under the Federal Arbitration Act. AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011). This is true even if the cost of individual arbitration is prohibitive. American Exp. Co. v. Italian Colors Restaurant, 570 U.S. 228 (2013). Accordingly, the presence of an arbitration clause will often prevent claimants from pursuing a class action. The Ninth Circuit recently considered a putative class action against an e-commerce website selling sporting goods. After the websites were hacked and PII was stolen, consumers filed a class action. The companies argued that the website’s “terms of use” hyperlink contained an arbitration clause which required arbitration and barred class actions. The court agreed and dismissed the complaint, noting the arbitration clause was valid and enforceable. Patrick v. Running Warehouse, LLC, 93 F.4th 468, 482 (9th Cir. 2024).

Substantive Defenses

Since the claims generally depend on allegations that security was inadequate, compliance with industry standards can serve as a defense to the claims. No system is immune from all cyberattacks and it is unreasonable to expect companies to have perfect defensive systems. Experts may be available to testify that the defendant’s security was “reasonable” or even “state of the art.” Unfortunately, substantive defenses typically rely heavily on expert testimony and determination by a fact finder regarding credibility, causing defendants to incur substantial expenses before a decision is rendered.

However, there may be opportunities to attack the legal sufficiency of some claims at the motion to dismiss stage. An example is In re Blackbaud, Inc., Customer Data Breach Litig., 567 F. Supp. 3d 667, 674 (D.S.C. 2021), an MDL proceeding arising from a ransomware attack against Blackbaud. The court determined that the controlling law was that of South Carolina, where Blackbaud was located and where the hack occurred, not the law of the various states where plaintiffs resided. The court then concluded that while the negligence claim was sufficiently stated, the negligence per se claims should be dismissed as a matter of South Carolina law.

III. Strategies for Defending Data Breach Class Actions

Early Case Assessment

Class actions present significant legal exposure. Even small damages quickly become large when there are hundreds of thousands of class members. Furthermore, class actions are expensive to litigate. Defendants face the prospect of paying substantial funds to defend the case, and the risk that if they lose or settle, they will need to also pay plaintiffs’ counsel as part of the process.

These considerations weigh in favor of a thoughtful early case assessment. This includes not just potential defenses, but a candid assessment of the likelihood that plaintiffs prevail and a range of expected damages. Armed with this assessment, defendants can make educated decisions regarding the retention of defense counsel, the value of early dispositive motions, and the feasibility of an early settlement.

Motions to Dismiss

Every defendant should closely assess the question of standing and evaluate a motion to dismiss the complaint on this basis. As discussed above, standing can be a factual question that turns on the degree to which the alleged class faces future injury. As such, it is important to immediately consult with a qualified cybersecurity expert who can opine that the risk of actual injury is remote. Because such expert evidence will likely need to be submitted when the motion is filed, the expert’s report and conclusions should be prepared on an expedited basis. Quickly retaining the right expert is a top priority.

Furthermore, the defendant should promptly determine whether some or all of the class members have executed or otherwise agreed to (perhaps by clicking on terms and conditions) an arbitration provision. The right to require arbitration can be waived if it is not asserted on a timely basis, so this determination is another high priority. The presence of an arbitration clause can support an early motion to compel arbitration. Even if the entire case is not dismissed, issues regarding arbitration clauses can also be used to highlight differences among class members that can make class certification impossible.

Finally, there may be some claims that fail as a matter of law, and can be dismissed pursuant to Rule 12(b)(6).

Summary Judgment

Even if plaintiffs survive early motions, discovery can provide a path to dismissal. While plaintiffs’ counsel often artfully allege damages to avoid standing challenges, individual plaintiffs are rarely as sophisticated. Therefore, discovery should focus on the lack of actual damages and the lack of evidence to show any breach of the standard of care. This evidence can form the basis of a motion for summary judgment.

Class Certification

Class certification is a significant hurdle that is not faced by traditional plaintiffs. Defense counsel should focus on how class members suffered different impacts from the data breach, and thus lack “commonality.” They can also attack the adequacy of the named plaintiffs to represent the entire class.

Settlement 

Less than 5% of class actions go to trial. The rest are resolved by dispositive motions or are settled. Most plaintiffs’ counsel are pursuing the case to recover fees, so a settlement that pays their fees without the risk of losing the case is often appealing.

Sometimes it is possible to settle early with the named plaintiffs, without pursuing class certification. While this does not resolve all claims related to the data breach, it may provide a quick and affordable resolution. Because these settlements are typically private, with only dismissals being filed with the court, it is difficult to ga

Class-wide settlements offer the defendant closure since the settlement is binding on all class members who have not opted out of the settlement.

Settlements that involve the entire class require class certification and court approval, so we have data about the range of settlements approved by the courts in data breach class actions. An August 21, 2024 article published by the Harvard Law School Forum on Corporate Governance reported that 2024 is proving to be a banner year, with over $560 million in settlements as of publication.

Class size is an important factor in total damages, since per-person damages are typically small. Here are seven representative settlements, in descending order based on the settlement amount:

In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1278 (11th Cir. 2021):

  • Total Settlement: $380,000,000
  • Attorney Fees: $77,500,000
  • Class Size: 147,000,000

In re T-Mobile Customer Data Sec. Breach Litig., 111 F.4th 849, 855 (8th Cir. 2024):

  • Total Settlement: $350,000,000
  • Attorney Fees: 22% rejected on appeal
  • Class Size: 76,600,000

In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2020 WL 4212811, at *10 (N.D. Cal. July 22, 2020), aff'd, No. 20-16633, 2022 WL 2304236 (9th Cir. June 27, 2022):

  • Total Settlement: $117,500,000
  • Attorney Fees: $22,763,000
  • Class Size: 194,000,000

In re Anthem, Inc. Data Breach Litig., 327 F.R.D. 299, 318 (N.D. Cal. 2018):

  • Total Settlement: $115,000,000
  • Attorney Fees: $37,950,000
  • Class Size: 79,150,000

In re the Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-02583-TWT, 2016 WL 6902351, at *1 (N.D. Ga. Aug. 23, 2016):

  • Total Settlement: $27,200,000
  • Class Size: 52,000,000

In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522 (PAM), 2017 WL 2178306, at *5 (D. Minn. May 17, 2017), aff’d, 892 F.3d 968 (8th Cir. 2018):

  • Total Settlement: $10,000,000
  • Attorney Fees: $3,000,000
  • Class Size: 100,0000,000

Lamie v. LendingTree, LLC, No. 322CV00307FDWDCK, 2024 WL 811519, at *1 (W.D.N.C. Feb. 27, 2024):

  • Total Settlement: $875,000
  • Attorney Fees: $291,667.67
  • Class Size: 69,142

These settlements range from 50 cents to $12.65 per class member. Smaller class sizes will typically have larger per-member settlements. Attorneys’ fees of roughly 30% appear to be the norm.

Follow Best Practices for Preventing Data Breaches

As demonstrated by the size of these settlements, data breach presents significant litigation risk in addition to the potential for business interruption and reputational harm. Companies must focus on prevention, which includes:

Best Practices for Preventing and Managing Data Breaches

  • Implement Robust Cybersecurity Measures: Invest in technology and training.
  • Plan Incident Response: Develop and test an incident response plan.
  • Manage Vendors: Ensure third-party vendors comply with cybersecurity standards and contractually allocate risk and liability protections.
  • Audit: Conduct regular security audits and preparedness assessments.
  • Insure: Obtain robust cyber-security insurance and identify carveouts and exclusions in policy coverage.

Conclusion

Data breach class actions are one of the fastest growing areas of litigation exposure facing companies of all sizes. When a company has been sued, it is important to immediately retain experienced counsel that can assess the case, prepare defenses, and evaluate settlement options. This defense will include a careful assessment of whether plaintiffs have standing to sue, the size of the class, and the potential case exposure.


1 Lex Machina Class Action Survey, 2024
