The aftershocks of these data breaches can be intense for the companies targeted. One estimate puts the average cost for a U.S. company to respond to a data breach at a new high in 2022 of $9.44 million. Recurring costs are also likely: about 83% of the companies in that study suffered more than one data breach. The legal exposure that accompanies these breaches is growing as well, as companies face a mounting risk of data breach litigation brought by private plaintiffs, most often in the form of class action suits. Thirty-six major data breach class actions were filed in 2021, a 44% increase over 2020, and such complaints were brought, on average, within four weeks of a breach announcement.
It is my understanding and belief that these private actions would have faced little prospect of success had they been pursued a decade ago. At that time, private data breach plaintiffs struggled to establish standing and to successfully plead duty, causation and damages.
They were further hamstrung by the lack of a federal data breach law, a situation that persists today: bills that would establish a uniform national standard of care for data security have floundered over objections from consumer advocates (who fear such bills set the protection bar too low) and from states (who worry that, through preemption, a federal law would intrude on their prerogatives). In that environment, low-value settlements or outright dismissals of data breach class actions were routine.
The situation today has shifted dramatically. High-value settlements of consumer data breach cases now occur regularly, with notable recent resolutions involving T-Mobile ($350 million to consumers), Equifax ($380.5 million), Capital One ($190 million), Zoom ($85 million), Hy-Vee ($20 million) and Home Depot ($17.5 million). These settlements have been driven by the increased leverage of the plaintiffs' bar, which has developed a series of innovative theories that often succeed in carrying data breach class actions past the pleadings stage.
Private data breach plaintiffs now rely on a wide array of state-law causes of action to work around the limitations of federal law. It is not uncommon for negligence claims to survive motions to dismiss, because industry guidelines for data security may serve as the standard of care. Plaintiffs can also plausibly allege that a company has a duty to take "reasonable precautions" to prevent the theft of sensitive personal information in its possession.
Many courts have likewise concluded that privacy policies posted on corporate websites or embedded in clickwrap agreements can support claims for breach of express or implied contract. While breach of fiduciary duty claims are difficult to sustain, unjust enrichment claims are gaining a foothold, as are more esoteric common-law claims such as intrusion upon seclusion. Successful state statutory claims remain relatively rare, but California enacted a comprehensive consumer privacy statute that took effect in 2020, the California Consumer Privacy Act (CCPA), which is being amended in 2023. Unlike most state privacy laws, the CCPA provides a private right of action and substantial statutory damages per consumer per incident. These features make CCPA claims particularly attractive for plaintiffs to assert on behalf of California subclasses and notably dangerous for defendants.
Who has standing to assert these creative claims has become the flashpoint of data breach litigation. It is well settled that those who have suffered direct economic injury from a breach (such as fraudulent charges) have standing, as do those who can plausibly allege that their data was improperly accessed. By contrast, the standing of putative class members who have no firm indication that their data was accessed or misused by an unauthorized party is highly contested.
Plaintiffs' attorneys typically allege several "harms" in an effort to establish a cognizable injury for this subset. Such "injuries" include the lost economic value of their personal information, overpayment for the defendant's services, lost "benefit of the bargain," and an increased risk of future identity theft.
The U.S. Supreme Court had the opportunity to clarify the data breach standing analysis in the TransUnion case in June 2021. Instead, the Court's decision followed Salvador Dalí's maxim: "What is important is to spread confusion, not eliminate it." While portions of the Court's reasoning have negative implications for this last group of plaintiffs, the Court left open whether emotional distress or a generalized invasion of privacy, coupled with a substantial risk of future harm, could establish standing. Open questions also remain as to whether TransUnion applies to pleadings-stage challenges or to claims for compensatory damages.
Accordingly, defendants should expect to see novel injury theories with increasing frequency. But not all of the innovation will come from the plaintiffs' side. Defendants are likely to adopt tactics seen in other contexts to blunt plaintiffs' leverage. For example, companies may require users or employees to consent to a "privacy policy" in which they (1) agree to take administrative steps, such as providing written notice or engaging in informal dispute resolution, before their breach-related claims are ripe; (2) agree to arbitrate their claims; (3) waive their ability to seek relief on a class-wide or representative basis; and/or (4) waive their non-statutory claims in exchange for the defendant's services. Indeed, at least some courts appear receptive to these approaches in the data breach context. Defendants will also undoubtedly continue to attack the fundamental ability of data breach plaintiffs to certify a viable class where individual issues often predominate.
Given this uncertain environment, it is critical that companies work with counsel to ensure compliance with prescriptive requirements, to design and rehearse a breach response plan, and to develop a sound data breach litigation strategy in advance.