Data incident lawsuits, especially class actions, have the potential to create significant business disruption, loss of marketplace credibility, civil liability or regulatory exposure. Consequently, companies that experience a data incident often want the issues resolved quickly and at minimal cost. In terms of litigation, an early settlement of civil lawsuits in a class action resolution to sweep up all potential claims may be a good strategy. Class action settlements can be structured in a variety of ways, with any number of different terms, to effectuate the desired result.
In the past year, a number of developments occurred with respect to the resolution and settlement of data breach class actions. While some have created peril, opportunities also exist. This article will discuss some of these developments that may impact the future of class action cases and settlements.
First, an increasing number of data breach lawsuits are being filed in state court rather than in federal court. Several possible reasons exist for this development. For one, federal courts have limited subject matter jurisdiction and have generally taken a narrower view with respect to the issue of constitutional standing, particularly where plaintiffs have not pleaded actual existing harm. On the other hand, state courts ordinarily do not have the same strict subject matter jurisdiction requirements. If plaintiffs wish to avoid significant motion practice over standing issues, then state court perhaps provides a more litigant-friendly and less expensive forum. Two, limiting the class definition to mostly in-state residents with a claim against a domiciled defendant can impact whether a case is removable to federal court. And three, the laws, rules and cases in state courts may be less exacting in terms of certifying or settling class action lawsuits.
Second, two federal courts have recently certified classes in data breach cases. The U.S. District Court for the Southern District of Florida certified a nationwide negligence class (and a California statutory claim class) of consumers who alleged their personal and payment card information was stolen, finding the Rule 23 class certification requirements were met even though significant causation and damages questions existed. In re Brinker Data Incident Litig., No. 18-CV-686, 2021 WL 140558 (S.D. Fla. Apr. 14, 2021). In its class certification ruling, the court limited the class to those persons whose information had been accessed by cybercriminals and had incurred time or expense to mitigate consequences of the breach, thus attempting to avoid the risk of class members without standing or injury. Brinker is currently on a Rule 23(f) appeal to the U.S. Court of Appeals for the Eleventh Circuit. In the consolidated Marriott Hotels data breach litigation in the District of Maryland, where plaintiffs alleged hackers stole the personal information of hundreds of millions of hotel guests, the court certified eight Rule 23(b)(3) damages classes based on an “overpayment” benefit-of-the-bargain damage theory on contract and consumer protection claims as well as Rule 23(c)(4) issue classes on negligence claims. In re Marriott Intern. Inc. Customer Data Breach Litigation, Case No. 8:19-md-0278, 341 F.R.D. 128 (D. Md. May 3, 2022). Marriott is currently on a Rule 23(f) appeal to the Fourth Circuit. The outcome in both appeals is uncertain but, to the extent settlement negotiations include debate about the viability of class certification in data breach cases, these two decisions may have a future impact.
Third, a recent jury verdict of nearly $230 million in the Northern District of Illinois made headlines. Rogers v. BNSF Rwy. Co., Case No. 1:19-cv-3083 (N.D. Ill. Oct. 12, 2022).
While different from typical data breach actions where information is alleged to have been stolen or accessed by a third party, Rogers involved claims under the Illinois Biometric Information Privacy Act. Under BIPA, a violation can be found merely by capturing biometric data (e.g., fingerprints) without consent and does not require access to or disclosure of the data. The violation can lead to substantial statutory damages in a class setting as the Rogers verdict reflects. It remains to be seen whether the verdict will affect settlements higher in the data breach space.
Fourth, we have seen more courts deny motions to dismiss substantive claims and causes of action. Some courts have allowed variations of the contention that plaintiffs and class members could suffer future harm as a result of a breach. Plaintiffs have increased their attention to pleading the possibility of future harm (e.g., possible dark web exposure allegations) even where actual damage does not exist and often adding more specific allegations tying causation to the data incident. As a result, where parties are trying to resolve cases before or during the motion to dismiss stage, with defendants arguing that the likelihood of dismissal exists, we anticipate plaintiffs will begin to oppose the arguments with more strength given some of these recent decisions.
Last, jurisdictional decisions — whether cases are filed in federal or state courts — can affect the terms included in settling data breach class actions. For example, a number of federal courts have questioned attorney’s fees awards and class representative service awards. Some courts have more closely scrutinized attorney’s fees requests where class member compensation may be disproportional to the amount of fees sought. That is, where attorneys are requesting substantial fees but cannot demonstrate that the class members are being compensated, courts are considering limits on the amount of fees awarded. For this reason, plaintiffs are aggressively pushing for settlement terms that include nonmonetary classwide relief, such as credit monitoring or certain forms of injunctive relief, to demonstrate the value of the class settlement. The decisions could also lead plaintiffs to negotiate more strenuously for common fund (as opposed to claims-made) settlements to reduce the risk that settlements are not approved because they do not sufficiently compensate class members.
As to class representative service awards, in light of the decision in Johnson v. NPAS Solutions, LLC, 975 F.3d 1244 (11th Cir. 2020) (finding service awards impermissible under Rule 23), district courts within the Eleventh Circuit will likely disallow such requests. On the other hand, the Ninth, Sixth and Second circuits have disagreed with the Eleventh Circuit, concluding that class representative service awards are proper. This split of authority will likely lead to a Supreme Court opinion to resolve the differences.
Each of these developments may well impact the future of data breach class action lawsuits and settlements. While some may create new litigation hurdles, there are also opportunities for defendants to search for novel ways to resolve these claims earlier, perhaps in a state court forum that may be more amenable to approving data breach and privacy class action settlements and negotiating settlement terms.
