The exponentially rapid development of technologies such as computers, the internet, and artificial intelligence have resulted in a data-dominant society. Businesses have embraced the efficiency of storing information on digital platforms, which eases the burden of maintaining voluminous paper copy records. But looming in this digital golden age is a sophisticated underworld of hackers, whose increasingly potent capabilities have led to costly data breach class action risk.
Two of the most compromised area in data breaches involves financial and medical information. Employees and consumers understandably may be upset if such information was compromised and misused. Courts and juries may likewise be sympathetic to plaintiffs’ positions in data breach lawsuits. Even while the actual harm is not always apparent, the potential for harm is often taken into consideration in these high-stakes cases.
With the top 10 data breach class action settlements totaling over $515 million in 2023, preventing data breach class action litigation must be a priority for every business, especially those that collect large amounts of personal or medical information from employees and consumers.
2023 Lawsuit Filings & Settlements
There were approximately 310 data breach class action lawsuits filed in 2021. That number nearly doubled in 2022, as roughly 615 data breach class action lawsuits were filed that year. The trend of “doubling” continued yet again in 2023, as an approximate and whopping total of 1320 data breach class action lawsuits were filed. While there is no crystal ball, it would not be a surprise if this number doubled – or at minimum, substantially increased – in 2024. These eye-popping numbers confirm that the plaintiff-side class action bar smells blood in the water in terms of data breach class action exposure for businesses, meaning companies need to have data protection firmly on their radar.
The top 10 settlements – exceeding $515 million combined – further evidences the financial risks associated with data breaches. Topping the list was the massive $350 million settlement involving T-Mobile. See In Re T-Mobile Customer Data Security Breach Litigation, Case No. 21-MD-3019 (W.D. Mo. June 29, 2023). There, a federal court in Missouri granted final settlement approval in a class action involving claims that cybercriminals exploited T-Mobile’s data security protocols and gained access to internal services containing the personally identifiable information of millions of customers. Rounding out the top three was a $49.5 million settlement in In Re Blackbaud Inc. Customer Data Security Breach Litigation, Case No. 20-MN-2972 (D.S.C. Oct. 4, 2023), to resolve claims following a 2020 ransomware attack, and a $28.5 million settlement in In Re Wawa Inc. Data Security Litigation, Case No. 19-CV-6019 (E.D. Penn. Oct. 12, 2023), involving allegations that hackers infiltrated the point-of-sale systems that Wawa used, installed malware on the company’s payment terminals and fuel dispensers, and later tried to sell customers’ payment information on the dark web.
What To Watch In 2024
In 2024, businesses should pay special attention regarding litigation developments in two areas: (1) the evolving case law jurisprudence following the seminal U.S. Supreme Court decision in TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021); and (2) the enormous In Re MOVEit Customer Data Security Breach Litigation, MDL No. 3083 (J.P.M.L. Oct. 4, 2023), a consolidation of over 100 nationwide data breach class action lawsuits that will undoubtedly have a far-reaching impact.
In TransUnion, a class of 8,185 individuals sued a credit report agency for failing to use reasonable procedures to ensure the accuracy of their credit reports. Id. Part of the class (1,853 members) were tagged as “suspected” matches for a terrorist list, and had their misleading credit report distributed by TransUnion to a third-party business. Transunion, 141 S.Ct. at 2200. For example, the named plaintiff was denied the ability to purchase a car at a dealership because of an inaccurate OFAC alert on his credit report. Id. at 2201. The remaining members of the class had an inaccurate OFAC alerts on their credit reports, but their credit reports were not distributed. Id.
The Supreme Court concluded that only the class members who had their misleading credit report actually distributed suffered a “concrete harm” and thus had Article III standing. The Supreme Court compared the injury to a “person [who] is injured when a defamatory statement ‘that would subject him to hatred, contempt, or ridicule’ is published to a third party.” Id. at 2209. Because such a harm has a “close relationship” to harms traditionally recognized in law, it was sufficient to establish an injury-in-fact for purposes of Article III standing. While the case law jurisprudence following TransUnion is still in its infancy, this landmark decision could profoundly impact data breach class actions in 2024 and beyond, as the defense bar will likely use it in attempts to fracture class actions.
The MOVEit data breach class action similarly has the potential to shake up the data breach litigation world. There, the Judicial Panel on Multidistrict Litigation consolidated more than 100 class-action lawsuits resulting from a Russian cybergang’s exploitation of a vulnerability in the file transfer software MOVEit. This breach potentially exposed the personally identifiable information of more 55 million people. Some of the notable affected entities include Affected entities include the U.S. Departments of Energy and Agriculture, the Louisiana and Oregon Departments of Motor Vehicles, American Airlines, Shell PLC, TIAA, and the government of Nova Scotia. Without question, the MOVEit data breach class action tops the list of cases to watch in 2024 and beyond.
Takeaways
The lawsuit filing and settlement statistics confirm that data breach class action litigation is a rapidly emerging legal trend that is here to stay. It is more imperative than ever that businesses exercises caution to protect data and proactively prevent breaches. With data breach financial exposure skyrocketing towards the $1 billion threshold, now is the time for companies to prioritize data protection.
For more information on data breach class action litigation, please contact Alex W. Karasik, a Partner at Duane Morris LLP based in firm’s Chicago office, at awkarasik@duanemorrris.com or his firm website at https://www.duanemorris.com/attorneys/alexkarasik.html.