Data Breach Class Actions Skyrocketed in 2023

Data breach class action lawsuits “exploded” in 2023, according to Duane Morris LLP’s Class Action Review 2024, becoming one of the fastest growing areas of litigation and all but assuring any data breach victim should expect a lawsuit (or several) after a cyber event.

Plaintiffs filed 1,320 data breach class actions in 2023, eclipsing the 604 filed in 2022, the law firm reported. In fact, more data breach litigation was filed in 2023 than in the years 2016 to 2021 combined, according to the report.

The Duane Morris team attributed the spike in suits last year to a few factors, including the Cl0p ransomware gang’s exploit of a vulnerability in the file transfer tool MOVEit. More than 100 class actions relating to the MOVEit fallout were consolidated in 2023.

“Companies unfortunate enough to fall victim to data breaches in 2023 faced class actions at an increasing rate, including copy-cat and follow-on class actions across multiple jurisdictions,” said Jennifer A. Riley, partner with Duane Morris. “This saddled companies with the significant costs of responding to data breaches as well as the costs of dealing with high-stakes class action lawsuits.”

Filing a data breach class action holds no guarantee of success for plaintiffs. According to the report, just 16% of class certification decisions in data breach cases in 2023 favored plaintiffs.

“Issues of standing and uninjured class members continue to vex the courts, leading to inconsistent outcomes,” said Riley in a video commentary on the study.

A few recent cases offer some guidance for data breach class action litigants around what constitutes “concrete harm” for the purposes of Article III standing. The 2021 U.S. Supreme Court decision in TransUnion LLC v. Ramirez continues to produce varied decisions, with lower courts disagreeing on its application to data breach cases and whether plaintiffs have proved concrete harm. In a case decided in 2023, Ruskiewicz, et al. v. Oklahoma City University, an Oklahoma federal court ruled the proposed class members had not proved their personal data had been misused as the result of a breach. The court dismissed arguments that the exposure of data or risk of potential future harm created Article III standing to sue.

However, in Bohnak, et al. v. Marsh & McLennan Co., the U.S. Court of Appeals for the Second Circuit reversed a lower court ruling in allowing a plaintiff to sue her former employer over expenses, lost time, and other costs relating to identity theft prevention after a data breach. The Court interpreted TransUnion as paving the way for cases where “disclosure of private information” constitutes concrete harm.

One of the key issues in data breach class actions has been around demonstrating injury. While plaintiffs who can prove fraudulent charges or actual misuse of their data are acknowledged to have standing, not every member of a putative class will have the same experience. Courts have struggled with how to approach class certification on a broad scale – TransUnion notably did not decide whether every class member must meet the standing requirements.

“Given the potency of the standing defense, we anticipate that it will continue to occupy a center-stage role in data breach litigation,” said the Duane Morris team.

The data breach class action trends are “akin to a game of whack-a-mole,” Riley observed, commenting, “Just as players face an unpredictable and rapidly changing challenge, the legal landscape of data breach class actions is similarly erratic and fast-evolving.”

© 2024 Zywave, Inc. All rights reserved.