Data breach class actions continue to rise, following almost inevitably from nearly every major security incident. Here are seven things in-house counsel can do to prepare for that anticipated litigation.
1. Create a Strong Foundation
Depending on the nature and scope of the breach, companies can expect more than one class action lawsuit in the days and weeks after announcing a breach—perhaps dozens or even hundreds. At this early stage, companies need outside counsel who can manage multiple lawsuits so you can focus on your company’s business.
2. Preserve Documents and Manage Communications
A company’s obligation to preserve documents does not arise only after a lawsuit is filed; reasonably anticipating potential lawsuits will trigger the obligation. Therefore, even before a lawsuit is filed, you should draft and distribute a legal hold notice to individuals likely to have relevant information. You should also ensure that all auto-delete and similar procedures, including those applicable to non-custodial sources like databases, are disabled while the lawsuits are or may be pending.
While a company has an obligation to preserve documents for pending litigation, there is no obligation to create documents or record communications. And while various teams will need to communicate effectively to respond to a data security incident, there are steps you can take to manage their communications so they are communicating candidly but responsibly. After a security incident, employees might be tempted to blame the incident on someone at the company or something the company did or didn’t do, without any factual basis. Consider speaking with the teams working on the incident to ensure they are communicating effectively but not inaccurately, and dispassionately. There is no room for speculation, guesswork, or emotion on the part of the teams working to respond to an incident.
At the same time, you should ensure that the company’s in-house legal team is working with outside counsel to gather information necessary to prepare for litigation in a manner that maximizes the protection of the attorney-client privilege.
3. Impose Order on the Chaos
If more than one case is filed in different courts, the company will want to consolidate the various lawsuits before one court. The company or some number of plaintiffs’ counsel will typically file a petition before the Judicial Panel on Multidistrict Litigation (JPML). But the process takes time, as discussed below.
In the meantime, it will be important for outside counsel to coordinate with local counsel to manage these lawsuits on the ground. Local counsel will be familiar with local courts and local court rules. As a result, they are in the best position to deploy early procedural motions, such as seeking an extension of time to respond to a complaint or a stay in the proceedings while coordination efforts proceed before the JPML.
Experienced outside counsel will have relationships with strong local counsel in most of the jurisdictions where cases are typically filed and can quickly vet and engage local counsel in any other jurisdictions, often with assistance from the company’s insurer.
4. Defend Against Jockeying by Certain Plaintiffs’ Counsel
Many data breach class actions are filed by the usual suspects—a set of plaintiffs’ counsel that have been part of most of the major data breach cases. These lawyers know that the cases will eventually be consolidated, so they do not push to litigate every case. Instead, they file one or more cases as quickly as they can and count on their experience in prior data breach cases to convince the court to appoint them as sole or one of the lead counsel who control the plaintiffs’ side of the litigation.
But some plaintiffs’ attorneys will go against the grain. They will file ex parte motions regarding document preservation or discovery soon after they file their clients’ lawsuits in an attempt to put themselves in a position to seek appointment as lead counsel in the consolidated action because their clients’ cases are further along.
Most judges see through this gamesmanship and deny attempts to push particular cases forward. Outside counsel will have to be prepared to fight these battles even with the plaintiffs’ attorneys’ low likelihood of success.
5. Expect to Wait for the Cases to Be Consolidated
The JPML determines whether cases filed in federal court will be consolidated for pre-trial purposes in a multi-district litigation (MDL). The JPML only sits every other month. As a result, 60 to 120 days can go by before the JPML rules on a request to consolidate lawsuits filed in the wake of a data breach.
When the JPML grants a petition to consolidate lawsuits into an MDL, it assigns the MDL to a particular federal judge. Typically, but not always, the JPML assigns data breach class action MDLs to a judge in the federal judicial district where the company’s principal place of business is located.
After the JPML assigns the MDL, the clerks of the districts where the original cases were filed will send the dockets for the lawsuits. Typically, the assigned judge holds an initial case management conference a month or two after the assignment. At this conference, counsel discuss the timing for appointing lead plaintiffs’ counsel in the MDL (usually 45 to 60 days from the conference), as well as the timeframe for the plaintiffs to file a consolidated complaint (usually 30 to 60 days after the court appoints lead plaintiffs’ counsel).
Thus, it can take six to ten months or more between the filing of the initial complaint to the filing of a consolidated complaint in the MDL proceeding, which kicks off the litigation of plaintiffs’ claims.
6. In the Meantime, Keep Insurers Updated
Unless self-insured, most major companies have cyber insurance that covers data breach litigation. Those policies require that the insured must provide prompt notice and keep the insurer informed of case developments.
The company’s internal risk management team or in-house counsel should notify the insurer about all lawsuits in a timely manner. An open and continuous dialogue, preferably via virtual meetings or phone calls, regarding the lawsuits and litigation strategy will help the insurer understand why the company proposes a particular approach. It will also benefit the company if it wants to consider settlement by providing opportunities for the insurer to understand the strengths and weaknesses of the company’s defenses.
7. Finally, Keep Calm
Litigation is expensive and can be a major distraction to your business. It does not have to derail you. By staying calm, focusing on your company’s response to the incident, and trusting your outside counsel to guide the litigation fallout, you can efficiently and effectively manage the initial steps in data breach class action litigation.
[View source.]
