2024 Year in Review: Data Breach Litigation

One of the main risks for a company in the event of a data breach is the threat of litigation. Data breach litigation continued to proliferate in 2024, as it has in prior years.

In the past year, plaintiffs continued to seek relief following data breaches under state common-law doctrines, and the Alabama Supreme Court joined the other state courts of last resort who have addressed data-breach litigation in published decisions. Federal data breach plaintiffs contended with standing issues in the wake of the Supreme Court's decision in TransUnion LLC v. Ramirez, and an apparent circuit split between the Tenth and Eleventh Circuits deepened when the Third Circuit weighed in. The District of New Jersey also provided further guidance to companies on the scope of the attorney-client privilege when responding to data breaches.

This post examines these trends. Follow the WilmerHale Privacy and Cybersecurity Law Blog to stay up-to-date on the latest privacy news.

Common-Law Claims For Traditional Data Breaches

More traditional common-law claims (e.g., negligence, breach of contract) based on data breaches were common in 2024, as in prior years. In many instances, such claims survived a motion to dismiss.[1]

One notable exception is the Alabama Supreme Court's decision in Griggs v. NHS Management.[2] In Griggs, the court rejected claims for negligence, negligence per se, invasion of privacy, unjust enrichment, breach of confidence, and breach of fiduciary duty related to a data breach suffered by NHS, a provider of administrative services for nursing homes and physical rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri.[3] The court established a high bar for making out invasion of privacy, breach of confidence, and unjust enrichment claims in the traditional data breach litigation context involving hacking by a third party.

It is important to note, however, that aspects of the decision suggest that future data breach claims filed in Alabama may receive more favorable treatment. Justice Shaw wrote
separately, for example, to note that although Griggs waived the issue, he would be open to finding a duty for purposes of a negligence action in a future case.[7] It is quite possible future data breach claims filed in Alabama will receive more favorable treatment.

Concrete Injuries Sufficient to Confer Standing

Like all federal plaintiffs, plaintiffs in federal data breach suits must satisfy Article III's standing requirement, which requires an injury in fact that is both traceable to the defendant and redressable by the relief sought. In 2021, the Supreme Court in TransUnion clarified that a risk of future harm stemming from disclosure of a data-breach plaintiff's personal information does not alone support standing to sue for damages.[8] Instead, plaintiffs must identify an actual, concrete injury. Throughout 2024, federal courts continued to grapple with what types of concrete harm are sufficient to confer standing for damages claims.

The leading data-breach standing case in 2024 was the Ninth Circuit's decision in Greenstein v. Noblr. The court held that a general notice to a plaintiff that their personal information may have been exposed, without confirmation that the specific plaintiff's information had been stolen, was not sufficient to establish a risk of future harm. Plaintiffs could not rely on the increased risk such a theft might have posed had it occurred, because they had not sufficiently alleged that their personal information was actually stolen in the first place.[9] The Court did, however, leave open the possibility that mitigation costs (e.g., money spent on identity theft monitoring services, time spent monitoring financial accounts for potential fraud, etc.) could constitute the requisite concrete injury in conjunction with an appropriately pled risk of future harm, such as confirmation that a plaintiff's personal information was in fact accessed during a data breach.[10] In doing so, the Ninth Circuit followed recent decisions of the First and Second Circuits that similarly concluded
that plaintiffs suffered concrete harms because they spent time and money mitigating the risks that their breached data will be misused.[11]

Also in 2024, the Third Circuit weighed in on an existing circuit split regarding the proper methodology for determining the concreteness of intangible injuries. One side of the split, represented by the Eleventh Circuit, has adopted an element-based approach, wherein a plaintiff's alleged harm must not lack any element of the comparator tort that was essential to liability at common law.[12] The Tenth Circuit, on the other hand, has adopted a comparative-harm approach, which compares the kind of harm a plaintiff alleges with the kind of harm caused by the comparator tort.[13]

In Barclift v. Keystone Credit Services, LLC, the Third Circuit joined the Tenth Circuit in adopting the comparative-harm approach. The court viewed the comparative approach as more faithful to TransUnion's instruction to ask whether the asserted harm has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts, such as physical harm, monetary harm, or various intangible harms including, as relevant here, reputational harm.[14] Barclift involved a violation of the Fair Debt Collection Practices Act, which the court compared to the tort of public disclosure of private information.[15] The Third Circuit explained that the harm caused by this tort stems from both the offensive character of the information and its disclosure to the public, and determined that communication of personal information between a debt collector and an intermediary tasked with contacting the consumer did not constitute this kind of harm.[16] As a result, the court concluded that the Barclift plaintiffs lacked a concrete injury and had not established Article III standing.[17]

Privilege Applicable to Post-Breach Forensic Analysis

Attorney-client privilege is intended to protect confidential communications between an attorney and their client related to legal advice or
services, but determining which communications qualify with regards to forensic analysis post-data breach can be difficult. Historically, courts have been reticent to expand the scope of attorney-client privilege in the data breach context. Parties should not assume that communications with forensic experts automatically qualify under the privilege.

In In re Samsung Customer Data Security Breach Litigation, an MDL consolidated in the District of New Jersey, Special Master Freda L. Wolfson (ret.) surveyed data breach cases nationwide and created a list of factors to be used to evaluate whether attorney-client privilege should be found in the data breach litigation context.[18] She acknowledged that attorney-client privilege must be assessed on a case-by-case basis and construed narrowly. The factors she articulated are:

1. Type of services rendered by the third-party consulting firm to outside counsel;

2. The purpose and scope of the investigation, as evidenced by the investigative materials or the services contract between outside counsel and third-party consulting firm;

3. Existence of a two-track investigation commissioned by the impacted company;

4. The extent of a pre-existing relationship between the impacted company and the third-party consulting firm;

5. The extent to which the third-party consulting firm's investigative materials were shared with members of the impacted company and/or any other outside entities, including the government; and

6. Whether the third-party consulting firm's investigative services assisted the law firm in providing legal advice to the impacted company; put differently, whether the purported privileged materials would not have been created in the ordinary course of business irrespective of litigation.[19]

It remains to be seen whether judges seize on this set of factors as a template to govern their attorney-client privilege analysis in data breach cases moving forward. Regardless, corporate data breach victims should be aware of these factors as they engage in their
forensic investigations post-breach.

[1] See, e.g., In re Sequoia Benefits and Insurance Data Breach Litigation, No. 22-cv-08217-RFL, 2024 WL 1091195 (N.D. Cal. Feb. 22, 2024) (motion to dismiss negligence and breach of contract claims denied); In re Accellion, Inc. Data Breach Litigation, 713 F. Supp. 3d 623 (N.D. Cal. 2024) (motion to dismiss negligence claim denied); Baton v. Ledger SAS, No. 21-cv-02470-EMC, 2024 WL 3447511 (N.D. Cal. Jul. 16, 2024) (motion to dismiss negligence claim denied); In re Eureka Casino Breach Litigation, No. 2:23-cv-00276-CDS-BNW, 2024 WL 4253198 (D. Nev. Sept. 19, 2024) (motion to dismiss negligence and unjust enrichment claims denied); Haney v. Charter Foods North, LLC, No. 2:23-cv-46, 2024 WL 4054361 (E.D. Tenn. Aug. 28, 2024) (motion to dismiss negligence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing claims denied).

[2] No. SC-2023-0784, 2024 WL 4797211 (Ala. 2024).

[3] Id. at *1.

[4] Id. at *6.

[5] Id. at *7.

[6] Id. at *6.

[7] Id. at *14 (Shaw, J., concurring) ("although I am not wholly convinced that in a case like this the law will not impose a duty for purposes of a negligence action, the issue has been waived").

[8] TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021).

[9] Greenstein v. Noblr Reciprocal Exchange, No. 22-17023, 2024 WL 3886977, at *2 (9th Cir. 2024).

[10] Greenstein, 2024 WL 3886977, at *3.

[11] Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 376-77 (1st Cir. 2023) (holding that lost time spent taking protective measures that would otherwise have been put to some productive use was a sufficient concrete present harm caused by the plaintiff's exposure to the risk of future harm); Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 286 (2d Cir. 2023) (holding that out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, and lost time and other opportunity costs associated with attempting to mitigate the consequences of the data breach, were separate and concrete harms that gave rise to a material risk of future harm) (internal quotation marks omitted).

[12] Barclift v. Keystone Credit Services, LLC, 93 F.4th 136, 144
(3d Cir. 2024) (citing Hunstein v. Preferred Collection and Management Services, Inc., 48 F.4th 1236, 1244-45 (11th Cir. 2022)).

[13] Barclift, 93 F.4th at 144-45 (citing Shields v. Professional Bureau of Collections of Maryland, Inc., 55 F.4th 823, 829 (10th Cir. 2022)).

[14] Barclift, 93 F.4th at 145 (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 417 (2021)).

[15] Id. at 146.

[16] Id.

[17] Id. at 148.

[18] In re Samsung Customer Data Security Breach Litigation, No. 23-3055 (CPO)(EAP), 2024 WL 3861330 (D.N.J. Aug. 19, 2024).

[19] Id. at *11-12.