Data breaches are everyday occurrences and major high-profile breaches are becoming more common. In the past three years, industry-leading companies such as Microsoft (250 million records, December 2019), Wattpad (268 million records, June 2020), Meta/Facebook (267 million users, April 2020), Estee Lauder (440 million records, January 2020), Whisper (900 million records, March 2020), and Advanced Info Service (8.3 billion records, May 2020) have all experienced significant breach events. Given the prevalence of remote working, the shift to cloud-based storage, and the ever-increasing sophistication of cybercriminals, data security risk is not going away.
Data breaches produce immense financial aftershocks for targeted companies. In 2022, the average cost of a data breach for U.S. companies reached a record high—$9.44 million. See Cost of a Data Breach Report 2022 at 9-10, IBM (July 2022), https://www.ibm.com/reports/data-breach. Given that 83% of organizations have now suffered more than one data breach, the prospect of a business facing reoccurring costs in this area is a virtual certainty. Id. at 4, 6. But companies also face fiscal consequences that go well beyond the technical cost of redressing the breach, possible reputational harm to their brands, and potential declines in share price. Sixty percent of businesses have been compelled to increase the price of their services or products because of a data breach. Id. at 5. Costly regulatory action is also likely to follow. For instance, following its 2017 data breach (which affected almost 150 million Americans), Equifax faced litigation brought by 48 states, as well as the District of Columbia and Puerto Rico, which it settled for $175 million, and an enforcement action pursued by the Consumer Financial Protection Bureau, which it resolved for $100 million in civil penalties. See Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, FTC Press Release (July 22, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach.
Companies face yet another major risk after a data breach—one which is increasing exponentially—data breach litigation brought by private plaintiffs, often in the form of class actions brought by sophisticated plaintiffs’ counsel who specialize in such cases. Private civil litigation is now a probability, not a possibility, after a major data breach. 36 major data breach class actions were filed in 2021, a 44% increase from 2020. Private plaintiffs typically race to the courthouse to jockey for position, with complaints now brought on average within four weeks of a breach announcement.
These private actions, had they been pursued a decade earlier, would have faced little prospect of success. Private plaintiffs during the initial wave of data breach litigation struggled to establish standing or successfully plead duty, causation, and damages See, e.g., In re: Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1212 (N.D. Cal. 2014) (noting that “courts in data breach cases regularly” dismiss claims because “increased risk of future harm is insufficient to confer Article III standing”); In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 963-65 (S.D. Cal. 2014) (dismissing negligence claims because “Plaintiffs’ allegations of causation and harm are wholly conclusory” and Plaintiffs “failed to allege a single cognizable injury proximately caused by Sony’s resulting breach”). Their task was complicated by facts that, by their nature, often involve incremental risk and latent harm. In the intervening years, however, the plaintiffs’ bar has developed a series of creative theories that have frequently succeeded in moving data breach actions beyond the pleadings stage. The result is that large settlements of consumer data breach cases are now quite common, with notable recent resolutions involving T-Mobile ($350 million to consumers), Equifax ($380.5 million), Capital One ($190 million), Zoom ($85 million), Hy-Vee ($20 million), and Home Depot ($12.88 million).
This article explores the latest developments in private data breach litigation. We focus first on the challenges that plaintiffs face in establishing standing and damages. The assessment of whether these plaintiffs have suffered a cognizable injury-in-fact (as required for Article III standing) is necessarily intertwined with the type and viability of the harms they allege. Accordingly, we first consider both standing and damages. We then analyze the state-of-the-art claims currently being asserted by plaintiffs and the defenses being deployed by companies in response. Finally, we conclude with a discussion of expected future trends.
II. Standing and Damages – A Key, Unsettled Battleground
Defendants typically contest the standing of data breach plaintiffs at the pleadings stage, and usually do so on two grounds: (1) failure to establish a concrete and particularized injury-in-fact; and (2) failure to adequately allege a causal connection between their alleged injuries and the defendant’s conduct. In recent years, defendants’ causation arguments have met with little success. The resolution of a causation challenge often involves issues of fact inappropriate for resolution on a motion to dismiss. In addition, most plaintiffs can overcome traceability concerns created by the participation of a third party (i.e., the hacker) by alleging a clear series of actions and omissions by the defendant company, such as poor data security practices or deficient oversight, that are sufficient to establish a nonspeculative causal link.
As a result, the real action at the pleadings stage lies in the first category—i.e., injury-in-fact. As the U.S. Supreme Court explained in Spokeo, Inc. v. Robins, “Article III standing requires a concrete injury even in the context of a statutory violation,” and courts must assess whether the plaintiffs’ alleged injury has a “close relationship” to a harm “traditionally” recognized as providing a basis for a lawsuit in American courts. 578 U.S. 330, 341 (2016). With respect to injunctive relief, “a person exposed to the risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2210 (2021) (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)). But “a plaintiff’s standing to seek injunctive relief does not necessarily mean that the plaintiff has standing to seek retrospective damages”—which is one of the most critical issues to the plaintiffs’ bar in bringing data breach class actions. Id. The injunctive relief sought by the data breach plaintiffs’ bar remains an important consideration, both for plaintiffs and defendant-companies. Data breach plaintiffs tend to plead the prescriptive relief they seek with great specificity and often include demands that the defendant routinely test its employees on security measures and engage independent third-party security auditors. See, e.g., Marlowe v. Overby-Seawell Co., No. 1:22-mi-99999, ECF Doc. # 2851, Complaint (Prayer for Relief) ¶ C(i)-(xvi) (N.D. Ga. Sept. 9, 2022).
It is necessary to understand who is impacted by a data breach, and in what ways, to fully comprehend the current injury-in-fact standing battle between plaintiffs and defendant companies as it relates to a damages class. Following a data breach, the consumers, users, employees, or patients of the targeted entity usually fall within three broad categories:
a) Group One – Plaintiffs Who Have Experienced Direct Economic Injuries
First, there is some portion of the group that has suffered direct economic damage resulting from misuse of their Personal Information (PI) or Protected Health Information (PHI) stolen in the data breach (“Group One”). Common injuries of this type include fraudulent charges on credit cards, fraudulent withdrawals from bank accounts, and the cost of any measures taken to resolve these fraudulent transactions—including time invested and money spent on combating and mitigating these manifestations of identity theft. Private data breach plaintiffs routinely seek actual and consequential damages connected to these economic losses, out-of-pocket expenditures, and time spent addressing the aftereffects of these harms.
Courts now routinely find that Group One plaintiffs meet the “injury-in-fact” or “concrete-harm” requirement for Article III standing. See Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2013) (finding concrete injury because party suffered actual harm in the form of identity theft and credit card fraud). It is well settled that a “monetary harm,” such as an out-of-pocket loss, falls within the “traditional tangible harms” required for standing. TransUnion, 141 S. Ct. at 2204. The same is true even where the losses suffered by this group have been reimbursed, “since they have suffered the actionable intangible harm of the wrongful use and dissemination of their private information, like the interests protected by common law privacy torts.” In re: Am. Med. Collection Agency, Inc. Consumer Data Sec. Breach Litig., 2021 WL 5937742, at *8 (D.N.J. Dec. 16, 2021) (citing TransUnion, 141 S. Ct. at 2208). Courts have also consistently recognized plausible economic injuries stemming from any prophylactic or remedial expenses incurred by Group One plaintiffs, reasoning that, because an actual harm has already “materialized,” these “injuries” are no longer speculative or based on an uncorroborated fear of future theft. See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164-67 (1st Cir. 2011) (“cost of credit monitoring services and identity theft insurance” are cognizable injuries when incurred by plaintiffs who had already suffered fraudulent charges); FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 623-24 (D.N.J. 2014) (similar); Hutton, 892 F.3d at 622 (same).
b) Group Two – Plaintiffs Who Can Show That Their Personal Information Was Accessed
There is another segment of the affected population whose members have not experienced direct economic harm, but who have experienced events suggesting that their PI or PHI may have been wrongly accessed and distributed (“Group Two”). These individuals may have witnessed foiled attempts at identity theft, unsuccessful fraudulent charges, a marked increase in scam phone calls or spam emails, or the appearance for sale of their PI on the dark web. While the experiences of these plaintiffs differ, they have some corroboration that their PI or PHI was accessed.
Although slightly more controversial than Group One, courts now frequently find that such Group Two plaintiffs have pleaded “intangible harms” that are sufficiently “concrete” to establish standing—particularly given the U.S. Supreme Court’s 2021 decision in TransUnion v. Ramirez, which identified “disclosure of private information” and “intrusion upon seclusion” as traditionally actionable “intangible harms.” See In re: Am. Med. Collection Agency, 2021 WL 5937742, at *9; TransUnion, 141 S. Ct. at 2204 (listing traditional intangible harms). While cognizable for the purposes of standing (and thus preserving this group as members of a potential damages class), intangible harms like increased spam emails or foiled fraudulent charges do not usually require extensive monetary compensation. As such, private plaintiffs often seek nominal—or, where available, statutory—damages for these types of injuries.
c) Group Three – Plaintiffs Whose Personal Information Was Stored on the Compromised Systems—New Damages Theories
The remaining consumers, users, employees, or patients had PI or PHI stored on the compromised systems but may not have a firm indication that their data was accessed, downloaded, or misused by an unauthorized party (“Group Three”). This group faces the biggest hurdle in meeting the “concrete-harm” standard required for Article III standing.
The plaintiffs’ bar has focused its efforts on Group Three to try to maximize leverage and preserve these affected individuals as viable plaintiffs. Their pursuit of more exotic theories to support injury-in-fact for this category of plaintiffs also allows them to allege a wider array of damages incurred by Groups One and Two, as the additional “harms” identified will also apply to members of those groups. Below are examples of how private plaintiffs articulate the injuries and damages they are pursuing to achieve these ends:
- To the extent that plaintiffs now face a reduced credit score due to the breach (which increases the cost of borrowing, insurance, and deposits and makes difficult the ability to secure more favorable rates), plaintiffs have been harmed and compensatory damages are owed. Similarly, to the extent that plaintiffs lost the use of or access to their credit, accounts, and/or funds for a period due to the data breach, they should be compensated for that harm in the form of compensatory or nominal damages.
- Plaintiffs have been injured because they face a real and substantial risk of future identity theft. Their PI was present on a system that was compromised by a cybercriminal, and the fact that the PI of others on that same system has been accessed and misused makes real and imminent the increased risk of identity theft faced by those who have yet to experience misuse. At the very least, nominal damages are owed for this heightened danger.
- Considering this imminent, immediate, and continued risk of identity theft and identity fraud, this group should be awarded compensatory damages like Groups One and Two for any time, effort, and expenses incurred in undertaking mitigation efforts to guard against future identity theft and fraud, such as reviewing financial statements, changing passwords, and signing up for credit and identity theft monitoring services. Some plaintiffs have even pushed for compensation for “lost opportunity costs” connected to the time they spent researching how to prevent, detect, contest, and recover from fraud and identity theft.
- PI or PHI has real economic value. Advertisers pay money to access PI so that they may bolster the effectiveness of their outreach, and companies frequently offer incentives so that customers share PI with them. The value of PI and PHI can be quantified by reference to established rates for this information, including by showing what PI and PHI sells for on the black market or dark web. The compromise and unauthorized publication of plaintiffs’ PI and/or PHI reduces its value. This harm should be redressed through the payment of compensatory damages reflecting the resulting diminution in value.
- The defendant’s deficient security, which allowed the breach to occur, means that plaintiffs were robbed of the “benefit of the bargain” in transacting with the defendant. Every year, the defendant spends a certain portion of its budget on data security. The defendant passes on that expenditure to customers such that a certain percentage of the money paid by plaintiffs in return for the defendant’s services is to ensure adequate protection for their PI. The breach indicates that the defendant was not upholding this portion of the bargain. Plaintiffs have been harmed by this lost benefit and are owed compensatory damages tied to the percentage of their payments to the defendant that went to substandard data security. At the very least, nominal damages are owed for this injury.
- Plaintiffs were injured because they overpaid for the defendant’s products or services. The data breach indicates that the defendant had inadequate data security. Had the defendant’s inadequate security been publicly known, it would have decreased demand for its goods or services, which would have resulted in lower prices paid by consumers for its goods or services. Consequently, plaintiffs overpaid for the defendant’s goods or services and are owed compensatory—or, at the very, nominal—damages resulting from this harm. The court in In re: Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 341 F.R.D. 128 (D. Md. 2022), recently certified a data breach class based on this overpayment theory.
- Plaintiffs experienced a trespass, as their PI or PHI was subjected to an unauthorized incursion. As a result of this invasion of privacy, plaintiffs have experienced emotional distress—a harm for which they should be provided compensatory (or nominal) damages.
d) Confusion Remains – Particularly with Respect to the More Creative Harms Alleged
Federal law regarding the type of standing and damages arguments advocated by Group Three plaintiffs and identified above remains highly unsettled. Small differences in the facts pleaded or the individual preferences of the court are often outcome-determinative.
For instance, in McMorris v. Carlos Lopez & Assocs., LLC, decided in April 2021, the Second Circuit appeared to take a significant step towards recognizing standing for this group of plaintiffs. It explicitly held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” 995 F.3d 295, 301 (2d Cir. 2021). It then listed three “non-exhaustive factors” to be considered by courts when weighing whether data breach plaintiffs have adequately alleged an Article III injury-in-fact based on an “increased risk” theory: “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.” Id. at 303. However, acceptance of the view that plaintiffs who have not yet experienced identity theft could have standing still varied between jurisdictions. Generally, “the Sixth, Seventh, and Ninth Circuits ha[d] accepted that ‘an increased risk of identity theft is sufficient to establish injury-in-fact,’ while in contrast, the First and Third Circuits found that an increased risk of identity theft did not constitute injury-in-fact.” In re: Rutter’s Inc. Data Sec. Breach Litig., 511 F. Supp. 3d 514, 524-25 (M.D. Pa. 2021) (quotation marks and internal citations omitted). Compare In re: Zappos.com, Inc., 888 F.3d 1020, 1027-28 & n.7 (9th Cir. 2018) (explaining that, although some plaintiffs in the suit had not yet suffered identity theft, allegations that other customers whose data was compromised had reported fraudulent charges helped establish that plaintiffs were at substantial risk of future harm) with Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343-44 (11th Cir. 2021) (finding standing difficult to meet without “specific evidence of some misuse of class members’ data”).
Rather than clarify the law in this area with its June 2021 decision in the TransUnion case, the U.S. Supreme Court chose to follow Salvador Dali’s maxim: “What is important is to spread confusion, not eliminate it.” Some elements of the Court’s reasoning seem to preclude data breach standing based on an elevated risk of future harm. The Court stated that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” 141 S. Ct. at 2210-11. The Court also appeared to reject the idea that plaintiffs who have not yet experienced identity theft (Group Three) could tie their standing to those group members who had (Groups One and Two). It emphasized: “[S]tanding is not dispensed in gross; plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).” Id. at 2208. Thus, while concluding that the members of the class whose false credit reports had been disseminated could establish standing, the Court determined that those whose false credit reports had not been sent to third parties (and thus faced only possible future harm) could not proceed as plaintiffs. Id. at 2209-13.
However, at least four elements of TransUnion have created space for data breach plaintiffs:
- First, some courts have distinguished standing challenges at the pleadings stage from TransUnion, where there existed the “helpful benefit of a jury verdict.” at 2222 (Thomas, J., dissenting). Believing that “[s]uch an inquiry may be appropriate after a proceeding on the merits” but not on a motion to dismiss, they have allowed Group Three plaintiffs to “have the benefit of discovery” before definitively addressing standing. In re: Blackbaud, Inc. Customer Data Breach Litig., 2021 WL 2718439, at *6 n.15 (D.S.C. July 1, 2021).
- Second, other courts have noted that “TransUnion involved a suit for statutory damages, not compensatory damages,” and have concluded that its holding is inapplicable “to a claim for compensatory damages.” Cotter v. Checkers Drive-In Rest., Inc., 2021 WL 3773414, at *4 (M.D. Fla. Aug. 25, 2021).
- Third, the TransUnion Court specifically noted that “a plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm,” but took “no position on whether or how such an emotional or psychological harm could suffice for Article III purposes.” 141 S. Ct. at 2211 n.7. Emboldened by this language, at least some courts have since determined that, in the data breach context, “allegations of emotional distress, coupled with the substantial risk of future harm, are sufficiently concrete to establish standing in a claim for damages.” In re: Mednax Servs., Inc. Customer Data Sec. Breach Litig., 2022 WL 1468057, at *8 (S.D. Fla. May 10, 2022); see also Bowen v. Paxton Media Grp., LLC, 2022 WL 4110319, at *5 (W.D. Ky. Sept. 8, 2022) (same).
- Fourth, the Supreme Court in TransUnion identified “intrusion upon seclusion” as an “intangible harm” that has been “traditionally recognized as providing a basis for lawsuits in American courts.” 141 S. Ct. at 2204. Accordingly, data breach plaintiffs often plead “invasion of privacy” as an example of the “actual and concrete injuries” experienced by Group Three plaintiffs, see, e.g., Kitzler v. Nelnet Servicing, LLC, No. 2:22-cv-06550, ECF Doc. # 1, Complaint ¶ 13 (C.D. Cal. Sept. 13, 2022), and some courts have concluded that Article III standing exists for this reason alone given that the injury from a data breach is “analogous to that associated with the common-law tort of public disclosure of private information,” Bohnak v. Marsh & McLennan Cos., 580 F. Supp. 3d 21, 30 (S.D.N.Y. 2022). See also Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 43 (D. Ariz. 2021) (similar).
Other courts have rejected these expansive arguments and read TransUnion narrowly; they have thus concluded at the pleadings stage that plaintiffs within Group Three lack standing. See In re: Am. Med. Collection Agency, 2021 WL 5937742, at *9-11; see also Patterson v. Med. Review Inst., 2022 WL 3702102, at *2-3 (N.D. Cal. Aug. 26, 2022) (rejecting emotional distress, lost time, and mitigation efforts as groups for standing for Group Three plaintiffs); Legg v. Leaders Life Ins. Co., 574 F. Supp. 985, 993 (W.D. Okla. 2021) (“Given the holding in TransUnion, it is far from clear that any case finding a concrete injury based merely on an abstract risk of future identity theft following a data breach is still good law, at least with respect to a claim for damages.”). Whether a court will credit other related Group Three standing arguments—such as mitigation efforts, loss of value of PI, lost benefit of the bargain, or overpayment—often depends on whether it reads TransUnion in a pro-plaintiff or pro-defendant manner. Those courts that read TransUnion in a pro-plaintiff manner tend to find these related standing arguments to be persuasive supplemental grounds for standing, while those courts that view TransUnion as a pro-defendant decision reach the opposite result. Compare In re: Mednax, 2022 WL 1468057, at *7-9 (crediting such arguments) with In re: Am. Med. Collection Agency, 2021 WL 5937742, at *9-11 (rejecting same arguments). Absent further clarification by the U.S. Supreme Court in this area, disparate results based on similar facts are likely to continue. Given the nationwide reach of most data breach litigation, one would expect to see an influx of cases in the coming years in those jurisdictions that have proven thus far to be pro-plaintiff.
III. Plaintiffs’ Approach – A Medley of Creative Claims
a) Federal Law’s Minimal Role Thus Far in Private Data Breach Litigation
There have been occasional efforts to pass a federal breach notice law that would preempt state laws and impose a uniform national standard. Advocates have claimed that federalization would produce regulatory simplification and ease the burden faced by companies, who now must comply with scores of different state and territorial laws. For instance, in June 2022, the American Data Privacy and Protection Act (“ADPPA”) was introduced by a bipartisan group of House members with the goal of creating a uniform standard of care for data security. Such bills have previously floundered due to concerns that they set the consumer protection bar too low and, through preemption, may intrude on states’ longstanding security and consumer protection statutes. Given recent developments, it appears that the ADPPA has met a similar fate.
Absent the enactment of similar legislation, private data breach plaintiffs face a situation where, at least federally, numerous data security laws exist, but none lend themselves particularly well to data breach litigation. To be sure, federal laws such as the Computer Fraud and Abuse Act (CFAA), Driver’s Privacy Protection Act (DPAA), the Electronic Communications Privacy Act (ECPA) and its two titles (the Wiretap Act and the Stored Communications Act (SCA)), the Video Privacy Protection Act (VPPA), the Telephone Consumer Protection Act (TCPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are frequently employed by plaintiffs in other cybersecurity contexts, but none are targeted at the precise kinds of claims that data breach plaintiffs wish to make against companies who, because of a breach, have failed to protect their PI. Some data breach plaintiffs have attempted to weaponize the DPPA, which provides for actual damages or liquidated damages in the amount of $2,500 (whichever is greater), punitive damages, reasonable attorneys’ fees, and a private right of action. However, courts thus far have been largely unreceptive to DPPA claims in the data breach context. Instead, they have distinguished the DPPA in two ways: (1) it “imposes civil liability only on a defendant who obtains personal information from a motor vehicle record, but not on a defendant who merely obtains information that can be linked back to (i.e., derived from) such a record,” Garey v. James S. Farrin, P.C., 35 F.4th 917, 927 (4th Cir. 2022); and (2) the statute is not triggered because the act of storing driver’s license information on unsecured external servers does not constitute “disclosure” within the meaning of DPPA, Allen v. Vertafore, Inc., 28 F.4th 613, 617 (5th Cir. 2022).
Accordingly, due to the limitations of federal law, state statutory and common-law claims have been the primary focus of private data breach litigation to date.
b) The Cornucopia of Options That State Law Provides to Private Litigants
Data breach plaintiffs have pursued scores of disparate state statutory and common-law claims. Such plaintiffs often shoehorn as many as possible into their complaints, thereby adopting a blunderbuss pleading strategy to try to maximize their settlement leverage and preserve as many claims as possible. A court, in addressing these claims, often faces unique problems when undertaking the choice-of-law analysis—especially because the rise of data on the cloud obfuscates the location of the injury (i.e., the breach), which may play an important role in the choice-of-law determination. Further complexity is introduced by the fact that the court may have to juggle separate state contract claims governed by different choice-of-law rules (e.g., the place where the alleged contract was formed, “most significant relationship” test, and “governmental interest” analysis). The court was compelled to address all these issues at the pleadings stage in the In re: Mednax Servs. case. See 2022 WL 1468057, at *3-5. In short, inventive plaintiffs have a cornucopia of options available to them to make life difficult for defendant-entities, who are already reeling from a breach event.
State Statutory Claims. At present, California is the only state that has adopted a comprehensive consumer privacy statute with a private right of action specifically targeted at redressing data breaches. Virginia (Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.), Colorado (Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 through 6-1-1313), Utah (Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.), and Connecticut (CT SB 6) have also enacted comprehensive consumer privacy statutes in recent years. However, none of these statutes—to date—provides for a private right of action. The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Data breach plaintiffs occasionally attempted claims based on the CCPA’s predecessor statute, the California Customer Records Act (CRA). See Cal. Civ. Code §§ 1798.81-82. It provides a private right of action for unauthorized access, theft, or disclosure of unredacted, unencrypted “personal information” as a result of a business’s failure to implement and maintain reasonable security measures and procedures. Cal. Civ. Code § 1798.150(a)(1). The CCPA has since been amended by the California Privacy Rights Act (CPRA). Effective January 1, 2023, the CPRA expands the definition of “personal information” in the CCPA to include biometric data (Cal. Civ. Code § 1798.140(o) (Cal. Civ. Code § 1798.140(v) after Jan. 1, 2023)) and extends the private right of action to consumers whose email addresses, with a password or security question-and-answer that would permit access to that account, are compromised. The CCPA covers all information so long as it relates to a California resident or California household, and applies to all for-profit, private entities that collect PI, do business in California, and meet certain threshold criteria defined in the statute. Cal. Civ. Code § 1798.140(c) (Cal. Civ. Code § 1798.140(d) after Jan. 1, 2023).
The CCPA has driven a significant volume of data privacy litigation since its enactment. Despite the relatively narrow scope of the statute, there were over 125 cases filed within a year of its effective date that asserted CCPA claims, and there have been at least 17 settlements in class actions in which a CCPA claim was asserted. CCPA cases have already survived pleadings-stage challenges. See, e.g., Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2-3 (C.D. Cal. July 16, 2021). The statute’s popularity among data breach plaintiffs can be traced to the damages it provides for private actions, which include: (1) the greater of a statutory amount between $100 and $750 per consumer per incident and actual damages; (2) declaratory or injunctive relief; and (3) any other relief the court deems proper. Cal. Civ. Code § 1798.150(a). While certain aspects of the CCPA have yet to be fully resolved, including the “notice and cure” provision available to defendants, Cal. Civ. Code § 1798.150(b), the presence of CCPA claims has made California subclasses a common occurrence in data breach class actions. Members of these California subclasses are typically offered additional monetary compensation—often $50 to $100 more than the settlement benefits offered to the nationwide class—to account for the availability of statutory penalties under the CCPA.
State Common-Law Claims. Private data breach plaintiffs also have a wide array of state common-law claims at their disposal, many of which have proven effective. Typically asserted claims include: (1) negligence; (2) gross negligence; (3) negligence per se; (4) breach of express contract; (5) breach of implied contract; (6) breach of the implied duty of good faith and fair dealing; (7) breach of fiduciary duty/confidence; (8) unjust enrichment; and (9) invasion of privacy or intrusion upon seclusion See, e.g., Kitzler v. Nelnet Servicing, LLC, No. 2:22-cv-06550, ECF Doc. # 1, compl. ¶¶ 113-94 (C.D. Cal. Sept. 13, 2022); In re: Rutter’s Inc., 511 F. Supp. 3d at 520; Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360, 1365 (N.D. Ga. 2021). While the success of these claims often depends on the specific facts alleged and the precise contours of the law in the applicable jurisdictions, certain obvious trends have emerged.
Negligence claims. Data breach plaintiffs typically allege that, given previous data breach incidents (including in the same industry), the defendant was on notice that a foreseeable risk of a data breach existed. See Kitzler v. Nelnet Servicing, LLC, No. 2:22-cv-06550, ECF Doc. # 1, compl. ¶¶ 45-50 (C.D. Cal. Sept. 13, 2022). They further contend that the defendant failed to maintain many reasonable and necessary industry standards necessary to prevent a data breach, including the FTC’s guidelines and frameworks such as the NIST Cybersecurity Framework, the Federal Risk and Authorization Management Program, and/or the Center for Internet Security’s Critical Security Controls. See id. ¶¶ 65-70; Krefting v. OneTouchPoint, Inc., No. 2:22-cv-01052, ECF Doc. # 1, compl. ¶ 60 (E.D. Wisc. Sept. 12, 2022). Most states recognize a common-law duty to take “reasonable precautions” to prevent injury by a third party (i.e., the hacker) where the defendant created a situation it knew or should have known posed a substantial risk to a plaintiff (i.e., its intentional collection and storage of plaintiffs’ PI). As such, courts frequently conclude that data breach plaintiffs have adequately alleged claims for negligence and gross negligence. See, e.g., In re: Am. Med. Collection Agency, 2021 WL 5937742, at *14-15; In re: Blackbaud, Inc. Customer Data Breach Litig., 567 F. Supp. 3d 667, 679-83 (D.S.C. 2021); Purvis, 563 F. Supp. 3d at 1366-71; In re: Rutter’s Inc., 511 F. Supp. 3d at 526-30.
Contract claims. Many companies that obtain or handle PI provide users or customers with a privacy notice that contains certain representations concerning their compliance with federal law and their protection of PI from unauthorized access and use. In addition, it is common for companies to include statements on their websites and in other materials as to the importance they place on data security, their use of strong encryption to protect PI, and their prohibition of unlawful disclosure of that PI. Data breach plaintiffs often cite these notices, policies, and statements as establishing an express or implied contract that the defendant then breached through its lax security measures. Defendants usually respond by contending that such statements are not enforceable promises (only broad depictions of corporate policy), there was no enforceable agreement due to a lack of mutual assent/meeting-of-the-minds, and plaintiffs failed to allege that they read or were even aware of any terms of the privacy notice. See In re: Capital One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 410 (E.D.Va. 2020) (outlining defenses). While some courts have found these defenses to be persuasive at the pleadings stage, data breach plaintiffs have experienced a surprising amount of success with express and implied breach of contract claims, see, e.g., In re: Rutter’s, 511 F. Supp. 3d at 533-37 (collecting cases); Purvis, 563 F. Supp. 3d at 1379-82; In re: Capital One, 488 F. Supp. 3d at 410-11. Claims for breach of the implied covenant of good faith and fair dealing are more likely to fail, as such claims are often duplicative of or subsumed by contract claims under state law. See In re: Mednax Servs., 2022 WL 1468057, at *13-14 (dismissing implied covenant claim for this reason).
Breach of duty claims. Data breach plaintiffs often have a difficult time pleading plausible claims for breach of fiduciary duty. Courts are generally loath to find that the receipt of PI by a business transforms an arm’s-length transaction into a fiduciary relationship. See id. at *27-28. The same is generally true when companies gather PI in connection with employment, which many courts view as a common practice that does not typically suggest that the employee is trusting their employer in “unique or exceptional ways.” Purvis, 563 F. Supp. 3d at 1384. Breach of fiduciary duty claims tend to be more successful where PHI has been breached and the defendant is a healthcare provider, as some states recognize that the provision of medical care suggests a confidential relationship. Id. at 1383. Claims for breach of confidence are similarly difficult to maintain, as typically there are no facts to suggest that the defendant disclosed the PI or PHI to a third party. Absent this required element, the defendant’s inadequate security may support a claim in negligence but not breach of confidence. Id. at 1378.
Unjust enrichment claims. “[F]ederal courts are not uniform in their analyses of unjust enrichment claims in data breach class actions.” In re: Rutter’s Inc., 511 F. Supp. 3d at 538. The outcome often “depends on the level of deference a court affords a plaintiff’s allegations” at the pleadings stage, what the defendant does with the PI, and the type of business in which the defendant is involved. Id. As a general rule, where the defendant is a business that commoditizes the PI or receives an independent pecuniary benefit from holding the PI (such as using it to better target customers and increase profits), the more likely it is that a court will allow the private data breach plaintiffs’ unjust enrichment claim to proceed. See In re: Am. Med. Collection Agency, 2021 WL 5937742, at *18. The same is true if the very nature of the defendant’s business involves obtaining and protecting PI (such as where the defendant is a credit card company). See In re: Capital One, 488 F. Supp. 3d at 411-13. Unjust enrichment claims have been less successful outside of these contexts and are especially fraught where the defendant does not directly profit from the PI (such as where the defendant is a medical provider). See In re: Blackbaud, 567 F. Supp. 3d at 687-88; In re: Am. Med. Collection Agency, 2021 WL 5937742, at *18
Privacy claims. Stand-alone tort claims for invasion of privacy or intrusion into private affairs/seclusion have generally fared poorly in private data breach litigation. In many jurisdictions, such claims are “intentional” torts for which mere negligence will not suffice. But data breach plaintiffs can rarely allege that defendants intentionally disclosed their PI or PHI to unauthorized persons. Rather, a third party (the hacker) typically carries out the data breach without the active participation of the defendant corporation. Because “negligence does not morph into an intentional act of divulging [plaintiffs’] confidential information,” such claims are often subject to dismissal. Burton v. MAPCO Exp., Inc., 47 F. Supp. 3d 1279, 1288 (N.D. Ala. 2014); see also In re: Mednax Servs., 2022 WL 1468057, at *26-27 (collecting cases); Purvis, 563 F. Supp. 3d at 1377-78.
IV. What’s Next?
Defendants should expect to see novel injury theories with increasing frequency as data breach law continues to mature. Litigation exposure will be difficult to gauge in the near term, especially given the dearth of clear precedent and material differences in both the standing and merits analyses undertaken by different jurisdictions. Litigation risk will also increase as data breaches become more prevalent and affect greater numbers, as even nominal damages—when aggregated—can produce extraordinary recoveries. And, although most data breach cases are brought on behalf of plaintiffs whose PI was actually or potentially accessed, spillover into other areas is likely. For instance, shareholders may increasingly seek to hold executives and board members liable for failing to adopt “reasonable security measures” to prevent cybercrime.
But given this uncertain milieu, it is critical that companies engage with experienced counsel to ensure compliance with prescriptive requirements, design and execute a breach response plan, and develop the optimal data breach litigation strategy.