Add a 270% increase in data breaches to the long list of unprecedented challenges in 2020. Cybersecurity is on the short list of major risks facing companies. And when a security incident happens, class actions often follow. Although data breach class actions are not new, we continue to see increases in the number of cases filed, evolving theories from plaintiffs’ counsel, and the development of settlement templates in these cases.
Class Action Filing Trends
We count 25 major data breach class actions filed this past year, treating multiple cases filed against a single defendant as one major class action.[1] Here’s what we are seeing in these cases:
Plaintiffs’ counsel jockey for position. More than one case was filed in response to over half of the data breaches that led to class actions in 2020. Three of these sets of cases were the subject of MDL (multidistrict litigation) proceedings; ten of them were consolidated. The remaining two cases are in the very early stages, so we expect consolidation in 2021.
There continues to be a race to the courthouse in these cases. One of the cases was filed the day after the defendant announced the breach. Many were filed within two to three weeks of disclosure.
Jockeying takes time. Defendants have either responded or filed an initial motion in only a third of the data breach cases filed this year. The rest are still in the very early stages. On average, it was about five months between case filing and the filing of defendant’s response to the complaint.
What was stolen. In a majority of the class actions, the allegedly compromised data was limited to payment card information. Courts have recognized that payment card information is less sensitive than other types of personal data, given that consumers are not liable for fraudulent use of the cards and that consumers can replace their credit cards. About a third of the cases involved alleged exfiltration of social security numbers. Sensitive medical information allegedly was at issue in only two of the major breach cases filed this year.
Who was impacted. Plaintiffs in about 15% of the major data breach cases were employees. In the rest of the cases, plaintiffs were customers, patients, users, account-holders, or individuals who accessed defendants’ payment platforms.
Possible arbitration defense. Defendants in several of the major data breach class actions filed this year have moved to compel arbitration. These motions have yet to be fully briefed or decided, but we can see that defendants are turning to alternative dispute resolution in response to these lawsuits.
The Privilege Wars Continue
We continue to see fierce litigation over whether companies can protect reports prepared by incident response consultants hired by counsel. The decisions in In re: Capital One Customer Data Security Breach Litig., E.D. Va., No. 1:19-md-02915, are illustrative.[2]
The Capital One court issued different rulings with respect to two different reports. First, the district court required Capital One to disclose an incident report prepared by its cybersecurity firm in the wake of a 2019 data breach, finding the report was not protected by the work product doctrine.[3] A few months later, the court ruled that Capital One did not have to disclose a root cause analysis of the same breach incident prepared by its consulting firm, finding the report was protected as attorney work product.[4]
A few high-level takeaways from these rulings:
Pre-existing relationships with forensic firms require additional focus. In denying work product protection for the cybersecurity firm’s report, the court pointed to Capital One’s pre-existing relationship with the firm. Although Capital One entered into a new letter agreement among itself, counsel, and the cybersecurity firm for the incident-response work, the fact that Capital One engaged the firm to perform what Capital One saw as the same essential work before the incident convinced the court that Capital One failed to satisfy its burden of proving that the cybersecurity firm’s work was commissioned for the litigation. In contrast, Capital One hired the consulting firm several weeks after the incident was disclosed and after dozens of lawsuits had been filed. The court agreed that the “driving force” of the consulting firm’s report, which outlined the root causes of the security incident, was to inform the Board and executives about the incident so they could manage the litigation.
Companies should be prepared to prove purpose. The court put the burden on Capital One to prove the relationship between the report and the anticipated litigation. The court found the consulting firm’s report was protected based on declarations from those involved in the hiring of the consulting firm, establishing that the hiring decision was directly tied to the ongoing litigation.
Companies should limit dissemination. In evaluating each report’s purpose and whether any privilege had been waived, the court looked to how widely the report had been disseminated. Providing the data security firm’s report to third parties precluded Capital One from arguing the report was privileged and led the court to find it was not work product. In contrast, Capital One’s strong evidence proving the purpose behind the consulting firm’s report shifted the analysis to whether Capital One waived privilege by disseminating the report. The court found that privilege had not been waived because Capital One limited dissemination of the consulting firm’s report to the Board, which had fiduciary obligations to provide the report to select employees and third parties.
Settlement Trends
A few takeaways from the 13 settlements in data breach class actions in federal court this year:
Settlement structure is fairly well settled. We continue to see data breach settlements follow one of two well-developed templates: injunctive relief and an offer of credit monitoring services, combined with either a claims-made settlement with a cap (four settlements) or a settlement fund (nine settlements).
Time spent litigating doesn’t seem to impact settlement value. Conventional wisdom says aggressive litigation leads to more favorable settlements. Not so much in the data breach space. The average per-person all-in settlement amount was fairly constant across major breaches regardless of time spent litigating. So cases that resolved before briefing any major motions or engaging in discovery settled for about the same cost per settlement class member as settlements reached after two or three years of battle (and related litigation costs).
Nature of exfiltrated data doesn’t seem to impact settlement value either. Whether the data was credit card data, social security numbers, health data, or some combination of those types of data, the per-person settlement cost was about the same.
Few objectors or appeals. In most of the cases, no class members filed objections. In the few cases in which objections were filed, the number of objectors was very small, less than 0.05% of all class members, on average. Objectors filed appeals in two of the 13 settled cases.[5]
What to Watch for in 2021
We’d expect the enormous increase in security incidents this year to lead to even more data breach litigation in 2021. Watch for plaintiffs’ counsel to continue to try to get around the challenges in bringing these cases and certifying a class, including by continuing to attempt to prove intrinsic value of personal information. We also will be watching the Supreme Court’s ruling in TransUnion LLC v. Ramirez, in which the justices will again consider whether plaintiffs may pursue a damages class action where the vast majority of the class did not suffer any injury or did not suffer an injury like that suffered by the class representative. We’ve been down this path before with Spokeo, so we’ll see if we get any more clarity from the Supreme Court that shapes the data breach class action landscape. No matter how the ruling comes out, though, we can look forward to another busy year for data breach class actions in 2021.