Smaller Data Breach Class Actions Proliferate

A trend we saw in 2019 continued in 2020 – lawsuits being filed over small incidents (where 100,000 or fewer individuals were notified). Most were filed by a handful of plaintiff firms. These cases often have a regional population, so they are often brought in state courts and pled in a way that prevents removal to federal court.

These plaintiff firms are filing more cases and then seeking early settlements. To defendants, the math often makes sense when comparing litigation costs to an early class settlement (especially on a claims-made basis). Litigation is not always the more expensive side of that equation, however, as defendants are still winning early motions to dismiss, even in state courts. Often, this is because the lawsuits are hastily brought after the announcement of a breach and the named plaintiffs can point to no actual fraud or other harm. In healthcare cases, the operational impact of ransomware is being used to advance a new theory of perceived harm (disruption of patient care), even if the data itself was not stolen or misused. This theory has met with mixed results in the courts.

Standing and Dismissal Challenges Continue to Bring Highs and Lows

Forecasting litigation costs and likely outcomes is challenging because decisions by courts remain inconsistent. In some cases, threshold standing and damages arguments found the same type of success as they have in the past, even in circuits that generally are more plaintiff-friendly. In other cases, claims survived motions to dismiss under (1) traditional data breach injury arguments like time and effort and credit monitoring and (2) novel theories based on the alleged lost value of personal information and claimed loss of the benefit of the bargain due to the defendant’s allegedly inadequate data security. Although case law continues to be sparse on the class certification front, a New York federal court denied certification of any damages class in the case against Excellus Health Plan over the 2013-14 cyberattack on Excellus’s computer network systems, while allowing a class for injunctive relief to go forward. It remains to be seen how the United States Supreme Court will rule in TransUnion LLC v. Ramirez, Case No. 20-297, where the Court could weigh in on the threshold question of whether or not every putative class member must have standing to proceed forward as a class. A decision in the Ramirez case is expected in June 2021.

Without clear guidance, some federal judges have gotten creative when dismissing particularly specious data breach class actions for lack of standing by using unconventional means to prevent their reemergence. Because dismissals for lack of standing normally are not merit-based, plaintiffs can refile their cases in other courts, usually in state courts. Recently, a few federal courts have dismissed data breach class actions for lack of standing but have done so with prejudice to the plaintiff’s rights to refile. On their face, these dismissals may appear to be technically improper. But they pose a dilemma for plaintiffs: refile in state court, which may uphold the federal court’s dismissal with prejudice, or appeal the dismissal in federal court, which may affirm an erroneous dismissal with prejudice if the claims are clearly meritless. It is notable that in these standing-based dismissals with prejudice, the trial courts telegraph their view of the merits of the plaintiff’s claims, while not formally reaching the merits. Whether this represents an emerging trend or simply a few outlier cases, it is an interesting and creative approach to maintaining the standing bar while trying to stem repetitive litigation and forum shopping.

New Substantive Areas Have Emerged

While lawsuits following incidents arising from phishing, network intrusions, and ransomware still dominate class action filings, there has been a rise in the following areas:

  • Supply-chain cases – business-to-business indemnity claims over the impact of a vendor’s data breach. We predict that these lawsuits will not only continue but will also have an impact on how indemnity, limitation of liability, and other contract provisions will be drafted in vendor and other business contracts going forward.
  • ALPR cases – claims under California’s automatic license plate recognition (ALPR) statute, which covers the tracking of license plates, are also on the rise. Enacted in 2016, California’s ALPR law mandates that an “ALPR end-user,” which it defines as a person that accesses or uses an ALPR system, must maintain “reasonable security procedures and practices” and “implement a usage and privacy policy in order to ensure that the access, use, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties.”
  • Internet tracking cases. New filings against hospitals have decreased, probably while the plaintiffs await the outcome of key motions in cases that were filed in 2019 and 2020. The new filings are being brought in states that have an anti-wiretapping law, most notably Florida.
  • BIPA cases (perhaps not a new trend but a trend that continues). In addition to cases against employers that use biometric timekeeping technologies, we have seen cases against companies that use facial recognition technologies but do not have direct customer interaction and attempt to bring in affiliated entities or franchisors.
