Data breach class actions are again on the rise, with a recent report by Lex Machina confirming what many cybersecurity practitioners have seen first-hand over the last two years. The findings also reaffirm longstanding best practices: preparation mitigates cost and improves defenses when victim organizations are required to defend a class action or regulatory proceeding.
The report shows that 2,040 data breach class actions were filed in 2023—nearly three times the number filed in 2022. The defendants in these matters spanned a range of industries, with financial services and health care companies among the most frequently targeted. These cases also often involve multi-district litigation (MDL), such as the MDL in federal court in Boston that stems from the 2023 cyberattack involving Progress Software’s MOVEit file-transfer software.
The report goes on to list the federal districts with the highest number of consumer class actions, which include data breach matters. The leading districts were the Central District of California (where one of these authors is based), the Middle District of Florida (where the other two authors are based), and the Northern District of Illinois.
Key Takeaways
- Invest. Companies are wise to continue to invest in cybersecurity. This includes not only developing a robust cybersecurity program to guard the organization but also a well-designed incident detection and response program, including a playbook, that will help the organization identify, investigate, and respond promptly to a suspected cybersecurity incident. Multiple industry reports, as well as anecdotal evidence, have shown that organizations with an incident response playbook (that has been tested through tabletop exercises) not only mitigate the cost of a data breach but also have better defenses in any litigation or regulatory proceeding.
- What’s the Harm? Data breach plaintiffs continue to pursue claims in federal court, despite the frequent absence of injury and the possibility that the case will be dismissed for lack of standing. In this way, the plaintiffs’ bar does not appear deterred by the Supreme Court’s TransUnion decision in 2021, a landmark case for standing in these types of matters. Companies facing a data breach class action in federal court are thus wise to consider, as part of an early case assessment, the prospect of a motion to dismiss that includes an argument that the lead plaintiff does not have standing, depending on the district where the action is brought. Early involvement of outside counsel can also help companies assess the relative pros and cons of engaging in early settlement discussions or filing dispositive motions with state law claims.
- Supply Chain Risk. Large-scale attacks often engender significant class action litigation, as was the case with the Progress Software attack and the 2017 Equifax data breach. These attacks—and the litigation that often ensues—pose interesting issues involving duty to third parties, vendor liability, and proof of causation. Both Progress Software and Equifax, as examples, are major parts of the supply chain across multiple industries. These incidents are proof that all organizations need to thoroughly vet their supply chain, regardless of size or reputation. Organizations can start by prioritizing key vendors and working with counsel to analyze the contracts for those vendors. Organizations should also consider insurance coverage for claims that stem from vendor or other third-party breaches.
The bottom line is that investments in cybersecurity preparedness are dollars well spent from both a deterrence and a litigation perspective. Tabletop exercises, supply chain risk management, and litigation strategy all play key roles in reducing the impact of data breach class action litigation.