Earlier in 2023, we launched our New England and First Circuit Class Action Tracker, as a tool to analyze class action litigation trends in Massachusetts, Maine, New Hampshire, and Rhode Island. In July, we updated our tracker to include data through the second quarter of 2023. A review of new filings submitted during that latest quarter reinforces the trends that we recently observed in our client alert on the enforcement of U.S. Consumer Data Privacy laws through private litigation. Namely, we are seeing record-high levels of data privacy and cybersecurity class action filings, particularly in Massachusetts courts, in the first half of 2023.
Data privacy and cybersecurity class action suits continue to represent the largest share of annual class action filings in New England to date. Although the healthcare sector continues to represent the largest share of defendants, other sectors, such as tech, retail and manufacturing, and financial and professional services, are also experiencing high rates of cybersecurity and data privacy class actions. In this post, we highlight two major trends that we see based on a review of the actions.
Cyber Attacks Resulted in Copycat Complaints
Second quarter filings provide further evidence that a single cyber-attack can result in a barrage of class action complaints for affected businesses. Of the eighty actions filed in or removed to the District of Massachusetts in the second quarter, twenty-six (or 33% of the total) correspond to five cyber-attacks against five separate entities, three of which operate in the healthcare sector. One cyber-attack in particular, against a large Boston-based health insurer, is the source of eleven separate class action complaints.
There are striking similarities in the structure, content and allegations within these related complaints. Nearly every complaint includes a breach of duty under a negligence theory as the first count; many include negligence per se as a second count. The source of the duty is often grounded in the relationship between the affected individual and the defendant (for example, insured and insurer). In every case, the section relating to breach includes a reference to the Federal Trade Commission’s position, famously litigated in LabMD, Inc. v. Federal Trade Commission, that the failure to adopt reasonable cybersecurity measures is an unfair trade practice. In many cases, additional references can be found to the HIPAA Security and Breach Notification Rules (where applicable), to state security and data breach notification laws, to state consumer protection acts, and to industry standards such as the NIST Cybersecurity Framework.
Additional claims align with those often seen in other cybersecurity and privacy class action complaints, including breach of contract, breach of implied contract, and violations of state unfair and deceptive trade practice acts, especially where such acts allow for a private right of action. However, some complaints include less common theories for relief such as unjust enrichment, breach of third-party beneficiary contract, bailment, and negligent misrepresentation. Thus, these cases provide helpful guidance to potential defendants about the types of claims they are likely to face.
Alleged Harms Likely to Encounter Continued Article III Challenges
Most complaints define the harm to affected individuals as a heightened risk of fraud and identity theft and costs and time incurred to protect against such theft through credit monitoring, reports, freezes and other protective measures.
As we discussed in a November 2021 post regarding a case in the District Court of Massachusetts, Webb v. Injured Workers Pharmacy, LLC, many courts have been skeptical of the idea that the costs incurred and time spent to protect oneself against the potential future misuse of compromised personal information are, in themselves, sufficient to establish concrete injury for purposes of Article III standing. However, the First Circuit’s reversal of the District Court’s decision in Webb may be the first sign that such skepticism is waning. In our most recent post, we discussed the First Circuit’s decision in detail. The First Circuit held that actual misuse of personally identifiable information is in itself a concrete injury, even absent monetary or other direct harm. Further, the First Circuit agreed with the plaintiffs that lost professional time expended to monitor accounts to protect against future identity theft constitutes a concrete injury.
By potentially expanding the scope of concrete injury within the context of a cyber-attack to include scenarios short of economic or direct harm and preventative measures such as lost professional time or monitoring costs, the First Circuit may have created a wider opening for plaintiffs to survive an initial motion to dismiss for lack of standing. Nonetheless, the precise scope of non-economic harms and preventative expenditures that satisfy standing has yet to be determined; accordingly, cases in the interim will likely continue to be decided on a fact-specific basis, with defendants mounting challenges based on Article III standing.