We Get Privacy for Work - Episode 8: The Surge in Data Breach Lawsuits: Trends and Tactics | Jackson Lewis

Class action lawsuits in response to data breaches have skyrocketed as plaintiffs look to take advantage of courts' perceived leniency regarding standing.

INTRO

On this episode of We get privacy for work, we discuss what employers can do to shore up their legal defenses in the event of a data breach.

Today's hosts are Damon Silver, co-leader of the firm's Privacy, Data and Cybersecurity Group, and Jonathan Harris, principals, respectively, in the firm's New York City and Nashville offices.

Damon and John, the question on everyone's mind today is: What accounts for the recent rise in data breach class action litigation, what can employers do to minimize risk, and how will that impact my organization?

CONTENT

Damon Silver, Principal, New York City

Welcome to the We get privacy podcast. I'm Damon Silver, co-leader of the Privacy, Data and Cybersecurity Group at Jackson Lewis. In that role, I receive a variety of questions every day from our clients, all of which boil down to the core question of: how do we handle our data safely? In other words, how do we leverage all the great things data can do for our organizations without running headfirst into a wall of legal risks, and how can we manage that risk without unnecessarily hindering our business operations?

On each episode of the podcast, we talk through a common question that we're getting from our clients. We talk through it in the same way that we would with our clients, meaning with a focus on the practical: What are the legal risks? What options are available to manage those risks? And what should we be mindful of from an execution perspective?

My usual co-host, Joe Lazzarotti, is out today, but we've brought on a special guest, John Harris, from our Nashville office. John's a key member of our practice group and the driving force behind a lot of the great results we've been getting in data breach class actions.

John, our question for today is: what's going on with all these data breach class actions? Just to set the stage, I'm going to share some year-over-year statistics. In 2021, about 300 data breach class actions were filed. In 2022, that jumped to 600. That number more than doubled to 1,300 in 2023. Last year, we were up to 1,500. John, what is your take on why so many of these cases are being filed?

Jonathan Harris, Principal, Nashville

First of all, Damon, pleasure to be here. To answer your question, I have two answers. First, my friends on the plaintiffs' bar have realized there's "gold in them hills." More and more plaintiffs' firms are racing to get into this space because they see it as lucrative, and the number of players is starting to grow and grow and grow. Secondly, breaches are not slowing down; they're picking up, if anything, and there's more and more opportunity for plaintiffs to file lawsuits over this.

Another trend I'm seeing, too, is that usually you'd see lawsuits attacking the large breaches, like 100,000, 1,000,000, et cetera. We're seeing more and more folks try to get into the game, and they are taking a stab at the smaller breaches: 1,000, 5,000, et cetera. We're seeing more and more of those pretty modestly sized class actions as well.

Silver

John, just for some of our listeners who may not have had the pleasure of being on the defense side of one of these claims, what do they typically look like? What are the plaintiffs alleging?

Harris

The usual smorgasbord of claims. First and foremost, there'll be a negligence-type theory: You're a hospital, an employer, maintaining the server; you didn't keep it safe; you had a duty to keep it safe; and you're negligent. They'll also typically add on implied contract claims, unjust enrichment and common law claims like that. If you are fortunate or unfortunate enough to be in California, as the case may be, California also has some statutory provisions that they will always sue under as well.

Silver

John, how does this typically come about? Obviously, it's a data breach class action, and the party being sued had a data breach. Is it after the notices go out that we're typically seeing these filed? Can you take us through where the client typically is from the standpoint of managing the data breach? Then, what do the initial stages look like from a litigation perspective?

Harris

What typically will happen is the client will have a breach. They learn of the breach and immediately call their data privacy experts and will engage in incident response, where forensics folks come in and immediately try to figure out what happened and how to stop it. Another side of our incident response team will start working on the required reports we have to make to the OCR and various state attorneys general.

Eventually, under the law, the client has to give notice to all people they know to be potentially impacted by the breach. Usually, within a week or two of those notices going out, you'll get a lawsuit. Then, if it's a large breach, you'll usually have three lawsuits, five lawsuits, 10 lawsuits. It'll be like clowns coming out of a car after notice goes out, where all the usual suspects, plaintiffs' firms, are racing to be first in line at the courthouse. You think of that scene from Godfather II where they're down in Cuba and they cut up the cake. If you get to the courthouse first, your slice of the cake is bigger, and so you're racing to get there as soon as possible.

Silver

Are you typically seeing these cases broadly in state court, federal court or a mixture?

Harris

It's a mixture, more state than federal, honestly. Sometimes the plaintiffs will file in federal court if the case is big. They just know that, under the Class Action Fairness Act, it's big enough, so I'm going to remove it there. Often, they will file in state court, however, to try to keep us in a forum they view as more friendly.

Silver

Are you seeing these concentrated in particular jurisdictions, or are they being filed all over the place?

Harris

They're all over the place, coast to coast. We've got matters right now that we're handling in all four time zones. They're everywhere.

Silver

Say we're dealing with one of the larger incidents and there are 7 or 10 lawsuits filed. Are we generally able to consolidate those? Is that something we're getting pushback on?

Harris

95% of the time, those will all get consolidated into one matter. Sometimes, 5 to 10% of the time, that clown comes out of the car that was 10th rather than first. They will try to file in a different forum so that they can circumvent the first nine clowns who got to the courthouse in time. That can actually present some opportunities to the defendant, because you can try to play those two camps off each other when you're trying to settle the case.

Silver

We had a matter like that somewhat recently. I believe it was in Alabama and Tennessee. Obviously, we won't go into client-identifying information, but how did that one end up playing out?

Harris

Well, the one I'm thinking of actually was up in Pennsylvania. A client had a big breach and got sued in six or seven lawsuits, all in federal court. The eighth person in line, rather than sue in federal court, sued in a small county in Pennsylvania. Rather than serve the client via CT Corp or their registered agent, they just dropped by the hospital, dropped off the packet, and that was that. Whoever at the hospital got it didn't think it was anything. Lo and behold, 30 days come and go, the client doesn't know about it, and they can't remove that case. They're stuck in state court there. We actually settled with that last person in line rather than the first seven, because that law firm was willing to cut my client a deal to box out the others.

Silver

What about arbitration? Are we seeing these being brought as arbitrations as well? Or is it almost all in court?

Harris

Almost all are in court. The point about arbitration that is important is that, say you're a hotel chain, and when you click on the hotel link that you're getting a room, you've probably signed an arbitration agreement without knowing it. That can actually be really helpful in defeating class certification. There's some good case law out there that says if some folks have arbitration agreements and some don't, then that's such an individualized issue that we really can't have a class.

Silver

Let's say one of these cases comes in and we're going to handle the case. We're reading through the complaint, maybe we've had some initial discussions with the client, and we're doing our initial case assessment. We're trying to get a handle on what type of exposure the client has to formulate our defense strategy. What are some of the factors that you focus on?

Harris

Great question, Damon. There are some basics you talk about. How many folks are impacted? Is it 1,000 or 1,000,000? This is a numbers game at some level, and so the size of the class is really important. What types of data were exposed, and how many of the class had that data exposed? It's really often that in a class of 100,000 or 1,000,000, you might have some, but not all, who have social security numbers impacted. At mediation, if 20% of the class had socials impacted, that's something you can point towards as far as a lower evaluation of the case.

To defend any negligence-type claim, we'll also look at what the client was doing before all this happened. Did they talk to my friends on our data privacy team about what policies and practices they need to have in place? Were they doing periodic reviews of their systems for security risk analysis to see how vulnerable or not vulnerable they were? From time to time, do they engage an expert to pretend to be a threat actor and see if they could poke holes in the system? Do they discipline people who violate their data privacy policies? Do they train their employees on that? Often, these breaches will come because an employee clicked on a phishing scam. There's only so much training one can do to prevent an employee from doing that, but you have to show that you are trying to do that every so often.

I'm looking for what steps the client took proactively, ahead of time, to protect themselves with their data.

Silver

That's a hugely important point. What was the state of the client's program at the time of the breach? That can have multiple impacts. One of which is, let's say, for example, the client was pretty disciplined about having all of their data stored within an EMR or another application that had encryption at rest. That might give us an argument that even though this data was exfiltrated, it would have been completely useless to the bad actor, which obviously is going to have an impact on the potential for harm to the class.

Also, if we assume that this is a situation where the client had a pretty solid program, they've been doing risk assessments, they had a written information security program, they're going to have a lot less to fear from discovery, which will allow them to, if they otherwise feel okay about the case, take more aggressive positions. If you're terrified about what depositions are going to turn up, and about having your executive team deposed because they're going to have to fess up to the fact that you cut corners and didn't want to put industry-standard safeguards in place, that's going to influence how you can handle the case. You're really going to have to know that somehow you're going to have to resolve it before discovery, because otherwise that could blow the lid off of things.

I do think that that's an important point in having discussions with clients around compliance: it's not just a matter of checking the box. It really is going to have a downstream impact if you are unfortunate enough to end up in one of these litigations.

Harris

No doubt about that. The key to the defensibility of these things is what you did in the weeks, months and years prior to the breach.

Silver

100%. To talk a little bit about what the early stages of the case look like, are we typically moving to dismiss?

Harris

More often than not, we will file a motion to dismiss, usually on standing, because people are racing to get to the courthouse so quickly. They often have little to no concrete harm that they have pled. If there's no injury in fact, then you don't have standing to sue. Most defendants, not just us but most firms out there, will usually file a motion to dismiss.

The trend lately has been for more and more of those motions to get denied, even when there's nothing there in what the plaintiffs are alleging harm-wise. It's become an increasingly uphill battle to win a motion to dismiss based upon standing.

Silver

Just to flesh out the standing point a little further, John, so is it not sufficient to establish standing that I received a notice that my data was impacted?

Harris

One would think that if Article III standing actually meant something, you would also have to plead not only was my data impacted, but the threat actor has taken out a credit card in my name, fraudulently charged something to my credit card, took out a loan in my name, or they did something that caused me actual, concrete harm that I can articulate. Courts aren't really requiring that anymore. If your data was stolen or viewed, if you got a few spam phone calls or had a threat actor claim to put some stuff on the dark web, then courts are, more often than not, letting the case go forward.

Silver

That's an interesting and, from our standpoint, unfortunate development. It does, or it should in any event, impact how companies are thinking about the incident response piece and, in particular, about what their notification strategy should be. There are instances where it's hard or expensive, through the investigation, to identify every person who is actually impacted. There can sometimes be this question from clients: why don't we just send notices to everyone so we don't have to do extensive forensics or data mining? The downside to that approach, which does have some merit, is exactly what we're talking about here. Maybe if you had done all that analysis, 100,000 people were actually impacted, but you are sending a blanket notice out to 500,000 people. If getting that notice is going to be enough to get you past a motion to dismiss, you're now looking at a pretty expensive lawsuit, even if it turns out that only 20% of those 500,000 people actually were impacted by your incident.

Harris

No doubt about that. In your 100,000 versus 500,000 example, to the plaintiffs' bar, this is just a numbers game. They see how many notices went out, and they can usually see that on a number of attorney general websites that we have to report to. They see 100,000 and say that's 100,000 x 10. Or they see 500,000; that's 500,000 x 10. That's what they're thinking. If you send out five times as many notices as you have to, then on the litigation side the price of poker has gone up by five times.

Silver

It's definitely something that, in the early stages, when you're making those decisions around notice, you have to be mindful of, because it does have that downstream impact. What about class certification? Is challenging class certification something that is common? Is it something that you look to do?

Harris

Great question. Because so many of these cases settled relatively early, the number of decisions where a court, after discovery has happened, has gotten to class certification and made a ruling on it is pretty few and far between. There has been a very recent case out of the Middle District of Florida, in late June, in a long-running saga with a restaurant chain you would recognize, where a judge denied class certification. The court's reasoning, I thought, was pretty reasonable. It was that every single plaintiff and class member is going to have an entirely different story on causation. If you've been impacted by one breach, maybe you can trace this breach to your harm. If you've been impacted by 30 breaches, like Ticketmaster and all these other companies that have been high profile, how are you going to pin your harm on me? That's going to be a person-by-person inquiry that makes class certification wholly unsuitable.

There are not a lot of decisions out there on class certification in this space. We've had two recently break our way, and that's a pretty helpful talking point for us to have in mediation.

Silver

How are we typically determining whether certain plaintiffs had information impacted in prior breaches? Are there steps we're taking to do that? Are we relying on discovery or pre-mediation information exchange? How does that play out?

Harris

Great question. First, whenever I get a new lawsuit, right out of the gate, there's a website where you can actually, if the client has the plaintiff's email, search to see how many times that email address or their phone number has been impacted by a past breach. Often, that will provide you with some goodies that you can use right out of the gate. One of my main goals in discovery, when we send written discovery to the plaintiff, is to know every breach you've been a part of in the last 5 years, 10 years, et cetera.

Then, since the number of high-profile breaches is easily findable and there are plenty of websites that track them, I'll often ask them, do you use Ticketmaster? If so, you might've been impacted by that breach. I'll flat out ask about 10 or 20 recent high-profile breaches, see if they're a customer. That gives us an argument on causation, too: that maybe that breach, not this one, caused their damage.

Silver

Sticking with discovery, and maybe this is a good last question for us, what are the plaintiffs typically looking for from us? What do we typically agree to provide?

Harris

They're usually looking for the kitchen sink, which I don't agree to provide. They often want to drill down pretty in-depth. A lot of the questions we were talking about earlier were about what steps the client had taken earlier to prevent breaches. What training have they done? What's the forensic explanation for how exactly the breach happened? Do we even know how it happened? Was the hole patched? Does the client engage or require multifactor authentication to get onto the system? They're really delving into the buildup of their story on negligence, where we weren't doing everything we could to prevent a breach.

Silver

Again, not to beat a dead horse on this, but this does highlight the importance of having a good data security program. If it's just in advance of mediation, we can stonewall and say we're not providing our WISP, risk assessment or other information about our program. However, it's not too hard for plaintiffs' firms to read between the lines on that.

By contrast, if we feel really good and we want to lead with a position of strength, showing that we had this really solid program in place and negligence is going to be hard to prove, that is going to give us a lot more leverage in the negotiations. Again, it's going to give us more confidence to litigate the case the way that we ideally would like to, because we don't have to be as fearful about what's going to come out in discovery.

Harris

No doubt about that. In discovery responses, I would love to be able to articulate in great depth all the great security practices we had and how this was a one-off because someone clicked on an email. However, we have to have those arrows in our quiver to be able to play that card.

Silver

John, thank you so much for taking the time to come on the podcast. This is a very fast-evolving area, and it's one that we get tons of questions about. If you're open to it, I think there'll be lots of opportunities to have you back on. For everyone listening, thanks for taking the time to join us.

As always, if you have questions or comments about this episode, or suggestions for future episodes, you can email us at privacy@jacksonlewis.com.

OUTRO

Thank you for joining us on We get work. Please tune in to our next program, where we will continue to tell you not only what's legal, but what is effective. We get work is available to stream and subscribe to on Apple Podcasts and YouTube. For more information on today's topic, our presenters and other Jackson Lewis resources, visit jacksonlewis.com.

©2025 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Focused on employment and labor law since 1958, Jackson Lewis P.C.'s 1,000 attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged and stable, and share our clients' goals to emphasize belonging and respect for the contributions of every employee. For more information, visit https://www.jacksonlewis.com.