We Get Privacy for Work — Episode 8: The Surge in Data Breach Lawsuits: Trends and Tactics [Podcast]
Thursday, August 28, 2025

Class action lawsuits in response to data breaches have skyrocketed as plaintiffs look to take advantage of courts’ perceived leniency regarding standing. 

Transcript

INTRO

Class action lawsuits in response to data breaches have skyrocketed as plaintiffs look to take advantage of courts’ perceived leniency regarding standing.      

On this episode of We get privacy for work, we discuss what employers can do to shore up their legal defenses in the event of a data breach.

Today's hosts are Damon Silver, co-leader of the firm's Privacy, Data and Cybersecurity Group, and Jonathan Harris, principals, respectively, in the firm's New York City and Nashville offices.

Damon and John, the question on everyone’s mind today is: What accounts for the recent rise in data breach class action litigation, what can employers do to minimize risk, and how will that impact my organization?     

CONTENT

Damon Silver 
Principal, New York City

Welcome to the We get privacy podcast. I'm Damon Silver, co-leader of the Privacy Data and Cybersecurity Group at Jackson Lewis. In that role, I receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely? In other words, how do we leverage all the great things data can do for our organizations without running headfirst into a wall of legal risks, and how can we manage that risk without unnecessarily hindering our business operations?

On each episode of the podcast, we talk through a common question that we're getting from our clients. We talk through it in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks, and what should we be mindful of from an execution perspective? 

My usual co-host, Joe Lazzarotti, is out today, but we've brought on a special guest, John Harris from our Nashville office. John's a key member of our practice group and the driving force behind a lot of the great results we've been getting in data breach class actions. 

John, our question for today is what's going on with all these data breach class actions? Just to set the stage, I'm going to share some year-over-year statistics. In 2021, about 300 data breach class actions were filed. In 2022, that jumped to 600. That number more than doubled to 1,300 in 2023. Last year, we were up to 1,500. John, what is your take on why so many of these cases are being filed?

Jonathan Harris 
Principal, Nashville 

First of all, Damon, pleasure to be here. To answer your question, I have two answers. First, my friends on the plaintiff's bar have realized there's "gold in them hills." More and more plaintiff's firms are racing to get into this space because they see it as lucrative, and the number of players is starting to grow and grow and grow. Secondly, breaches are not slowing down; they're picking up, if anything, and there's more and more opportunity for plaintiffs to file lawsuits over this.

Another trend I'm seeing too is that usually, you'd see lawsuits attacking the large breaches, like $100,000, $1,000,000, et cetera. We're seeing more and more folks try to get into the game, and they are taking a stab at the smaller breaches, 1,000, 5,000, et cetera. We're seeing more and more of those pretty modestly sized class actions as well.

Silver

John, just for some of our listeners who may not have had the pleasure of being on the defense side of one of these claims, what do they typically look like? What are the plaintiffs alleging?

Harris

You'll get the usual smorgasbord of claims. First and foremost, there'll be a negligence-type theory: you're a hospital employer maintaining the server; you didn't keep it safe, you had a duty to keep it safe, and you're negligent. They'll also typically add on implied contract claims, unjust enrichment, and common law claims like that. If you are fortunate or unfortunate enough to be in California, as the case may be, California also has some statutory provisions that they will always sue under as well.

Silver

John, how does this typically come about? Obviously, it's a data breach class action, and the party being sued had a data breach. Is it after the notices go out that we're typically seeing these filed? Can you take us through where the client typically is from the standpoint of managing the data breach? Then, what do the initial stages look like from a litigation perspective?

Harris

What typically will happen is the client will have a breach. They learn of the breach, immediately call their data privacy experts, and engage in incident response, where forensics folks come in and immediately try to figure out what happened and how to stop it. Another side of our incident response team will start working on the required reports we have to make to the OCR and various state attorneys general.

Eventually, under the law, the client has to give notice to all people they know to be potentially impacted by the breach. Usually, within a week or two of those notices going out, you'll get a lawsuit. Then, if it's a large breach, you'll usually have three lawsuits, five lawsuits, 10 lawsuits. It'll be like clowns coming out of a car after notice goes out, where all the usual-suspect plaintiff's firms are racing to be first in line at the courthouse. You think of that scene from Godfather II where they're down in Cuba and they cut up the cake. If you get to the courthouse first, your slice of the cake is bigger, and so you're racing to get there as soon as possible.

Silver

Are you typically seeing these cases broadly in state court, federal court, or a mixture?

Harris

It's a mixture, more state than federal, honestly. Sometimes the plaintiffs will file in federal court if the case is big. They just know that under the Class Action Fairness Act, it's big enough, so I'm going to remove it there. Often, however, they will file in state court to try to keep us in a forum they view as more friendly.

Silver

Are you seeing these concentrated in particular jurisdictions, or are they being filed all over the place?

Harris

They're all over the place, coast to coast. We've got matters right now that we're handling in all four time zones. They're everywhere.

Silver

Say we're dealing with one of the larger incidents, and there are 7 or 10 lawsuits filed. Are we generally able to consolidate those? Is that something we're getting pushback on?

Harris

95% of the time, those will all get consolidated into one matter. Sometimes, 5 to 10% of the time, that clown comes out of the car that was 10th rather than first. They will try to file in a different forum so that they can circumvent the first nine clowns who got to the courthouse in time. That can actually present some opportunities to the defendant because you can try to play those two camps off each other when you're trying to settle the case.

Silver

We had a matter like that somewhat recently, I believe it was in Alabama and Tennessee. Obviously, we won't go into client identifying information, but how did that one end up playing out?

Harris

Well, the one I'm thinking of actually was up in Pennsylvania. A client had a big breach and got sued in six or seven lawsuits, all in federal court. The eighth person in line, rather than sue in federal court, sued in a small county in Pennsylvania. Rather than serve the client via CT Corp or their registered agent, they just dropped by the hospital, dropped off the packet, and that was that. Whoever at the hospital got it didn't think it was anything. Lo and behold, 30 days come and go, the client doesn't know about it, and they can't remove that case. They're stuck in state court there. We actually settled with that last person in line rather than the first seven because that law firm was willing to cut my client a deal to box out the others.

Silver

What about arbitration? Are we seeing these being brought as arbitrations as well? Or is it almost all in court?

Harris 

Almost all are in court. The point about arbitration that is important is that, say you're a hotel chain, and when you click on the hotel link that you're getting a room, you've probably signed an arbitration agreement without knowing it. That can actually be really helpful in defeating class certification. There's some good case law out there that says, if some folks have arbitration agreements, and some don't, then that's such an individualized issue that we really can't have a class.

Silver

Let’s say one of these cases comes in, and we're going to handle the case. We're reading through the complaint, maybe we've had some initial discussions with the client, and we're doing our initial case assessment. We're trying to get a handle on what type of exposure the client has to formulate our defense strategy. What are some of the factors that you focus on?

Harris

Great question, Damon. There are some basics you talk about. How many folks are impacted? Is it 1,000 or 1,000,000? This is a numbers game at some level, and so the size of the class is really important. What types of data were exposed, and how many of the class had that data exposed? It's really often that in a class of 100,000 or 1,000,000, you might have some, but not all, who have social security numbers impacted. At mediation, if 20% of the class had socials impacted, that's something you can point towards as far as a lower evaluation of the case. 

To defend any negligence-type claim, we'll also look at what the client was doing before all this happened. Did they talk to my friends on our data privacy team about what policies and practices they need to have in place? Were they doing periodic reviews of their systems for security risk analysis to see how vulnerable or not vulnerable they were? From time to time, do they engage an expert to pretend to be a threat actor and see if they could poke holes in the system? Do they discipline people who violate their data privacy policies? Do they train their employees on that? Often, these breaches will come because an employee clicked on a phishing scam. There's only so much training one can do to prevent an employee from doing that, but you have to show that you are trying to do that every so often.

I'm looking for what steps the client took proactively, ahead of time, to protect themselves and their data.

Silver

That's a hugely important point. What was the state of the client's program at the time of the breach? That can have multiple impacts. One of which is, let's say, for example, the client was pretty disciplined about having all of their data stored within an EMR or another application that had encryption at rest. That might give us an argument that even though this data was exfiltrated, it would have been completely useless to the bad actor, which obviously is going to have an impact on the potential for harm to the class. 

Also, if we assume that this is a situation where the client had a pretty solid program, they've been doing risk assessments, they had a written information security program, they're going to have a lot less to fear from discovery, which will allow them to, if they otherwise feel okay about the case, take more aggressive positions. If you're terrified about what depositions are going to turn up and having your executive team deposed because they're going to have to fess up to the fact that you cut corners and didn't want to put industry-standard safeguards in place, that's going to influence how you can handle the case. You're really going to have to know that, somehow, you're going to have to resolve it before discovery, because otherwise that could blow the lid off of things.

I do think that's an important point to make in discussions with clients around compliance: it's not just a matter of checking the box. It really is going to have a downstream impact if you are unfortunate enough to end up in one of these litigations.

Harris

No doubt about that. The key to the defensibility of these things is what you did in the weeks, months, and years prior to the breach.

Silver

100%. To talk a little bit about what the early stages of the case look like, are we typically moving to dismiss?

Harris 

More often than not, we will file a motion to dismiss, usually on standing, because people are racing to get to the courthouse so quickly. They often have little to no concrete harm that they have pled. If there's no injury in fact, then you don't have standing to sue. Most defendants, not just us, but most firms out there will usually file a motion to dismiss. 

The trend lately has been for more and more of those motions to get denied, even when there's nothing there in what the plaintiffs are alleging harm-wise. It's become an increasingly uphill battle to win a motion to dismiss based upon standing.

Silver

Just to flesh out the standing point a little further, John, so is it not sufficient to establish standing that I received a notice that my data was impacted?

Harris 

One would think that if Article III standing actually meant something, you would also have to plead, not only was my data impacted, but the threat actor has taken out a credit card in my name, fraudulently charged something to my credit card, took out a loan in my name, or they did something that caused me actual concrete harm that I can articulate. Courts aren't really requiring that anymore. If your data was stolen or viewed, if you got a few spam phone calls or had a threat actor claim to put some stuff on the dark web, then courts are more often than not letting the case go forward.

Silver

That's an interesting and, from our standpoint, unfortunate development. It does, or it should, in any event, impact how companies are thinking about the incident response piece and, in particular, about what their notification strategy should be. There are instances where it's hard or expensive through the investigation to identify every person who is actually impacted. There can sometimes be this question from clients, why don't we just send notices to everyone, so we don't have to do extensive forensics or data mining. The downside to that approach, which does have some merit, is exactly what we're talking about here. Maybe, if you had done all that analysis, 100,000 people were actually impacted, but you are sending a blanket notice out to 500,000 people. If getting that notice is going to be enough to get you past a motion to dismiss, you're now looking at a pretty expensive lawsuit, even if it turns out that only 20% of those 500,000 people actually were impacted by your incident.

Harris

No doubt about that. In your 100,000 versus 500,000 example, to the plaintiff's bar this is just a numbers game. They see how many notices went out, and they can usually see that on a number of attorney general websites that we have to report to. They see 100,000 and say, that's 100,000 x 10. Or they see 500,000, that's 500,000 x 10. That's what they're thinking. If you send out five times as many notices as you have to, then on the litigation side, the price of poker has gone up by five times.

Silver

It's definitely something that, in the early stages when you're making those decisions around notice, you have to be mindful of because it does have that downstream impact. What about class certification? Is challenging certification something that is common? Is it something that you look to do?

Harris

Great question. Because so many of these cases settle relatively early, the decisions where a court, after discovery has happened, has gotten to class certification and made a ruling on it are pretty few and far between. There has been a very recent case out of the Middle District of Florida in late June, a long-running saga with a restaurant chain you would recognize, where a judge denied class certification. The court's reasoning, I thought, was pretty reasonable. It was that every single plaintiff and class member is going to have an entirely different story on causation. If you've been impacted by one breach, maybe you can trace this breach to your harm. If you've been impacted by 30 breaches, like Ticketmaster and all these other companies that have been high profile, how are you going to pin your harm on me? That's going to be a person-by-person inquiry that makes class certification wholly unsuitable.

There are not a lot of decisions out there on class certification in this space. We've had two recently break our way, and that's a pretty helpful talking point for us to have in mediation.

Silver

How are we typically determining whether certain plaintiffs had information impacted in prior breaches? Are there steps we're taking to do that? Are we relying on discovery or pre-mediation information exchange? How does that play out?

Harris

Great question. First, whenever I get a new lawsuit right out of the gate, there's a website where you can actually, if the client has the plaintiff's email, search to see how many times that email address or their phone number has been impacted by a past breach. Often, that will provide you with some goodies that you can use right out of the gate. One of my main goals in discovery, when we send written discovery to the plaintiff, is to know every breach you've been a part of in the last 5 years, 10 years, et cetera. 

Then, since the list of high-profile breaches is easily findable and there are plenty of websites that track them, I'll often ask them, do you use Ticketmaster? If so, you might've been impacted by that breach. I'll flat out ask about 10 or 20 recent high-profile breaches and see if they're a customer. That gives us an argument on causation, too, that maybe that breach, not this one, caused their damage.

Silver

Sticking with discovery, and maybe this is a good last question for us, what are the plaintiffs typically looking for from us? What do we typically agree to provide?

Harris 

They're usually looking for the kitchen sink, which I don't agree to provide. They often want to drill down pretty in-depth. A lot of the questions we were talking about earlier were about what steps the client had taken earlier to prevent breaches. What training have they done? What's the forensic explanation for how exactly the breach happened? Do we even know how it happened? Was the hole patched? Does the client engage or require multi-factor authentication to get onto the system? They're really delving into the buildup of their story on negligence, whether we were doing everything we could to prevent a breach.

Silver

Again, not to beat a dead horse on this, but this does highlight the importance of having a good data security program, especially in advance of mediation. We can stonewall and say we're not providing our WISP, risk assessment, or other information about our program; however, it's not too hard for plaintiff's firms to read between the lines on that.

By contrast, if we feel really good and we want to lead from a position of strength, showing that we had this really solid program in place and that negligence is going to be hard to prove, that is going to give us a lot more leverage in the negotiations. Again, it's going to give us more confidence to litigate the case the way that we ideally would like to, because we don't have to be as fearful about what's going to come out in discovery.

Harris

No doubt about that. In discovery responses, I would love to be able to articulate in great depth all the great security practices we had and how this was a one-off because someone clicked on an email. However, we have to have those arrows in our quiver to be able to play that card.

Silver

John, thank you so much for taking the time to come on the podcast. This is a very fast-evolving area, and it's one that we get tons of questions about. If you're open to it, I think there'll be lots of opportunities to have you back on. For everyone listening, thanks for taking the time to join us.
