As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved.
Federal courts in different circuits continue to disagree on the applicable standards to establish Article III standing. Both the Ninth and Seventh Circuits have issued decisions that have created a relatively low bar for Article III injury, at least at the pleading stage. Courts in other circuits, including the Third and Fourth Circuits, have been more rigorous in requiring a more substantial showing of present or future injury. Most courts agree that a person who has plausibly alleged a financial loss following a data breach has standing, but courts do not agree on how imminent a future injury has to be in order to support standing. In 2019, there were a few more decisions of note, most prominently the D.C. Circuit's decision, by a 2-1 vote, allowing for Article III standing, based on an alleged increased risk of identity fraud in the case filed following the Office of Personnel Management data breach. See In re United States Office of Personnel Mang't Data Sec. Breach Litig., 928 F.3d 42, 56-58 (D.C. Cir. 2019), petition for rehearing en banc denied October 21, 2019. All eyes are now on the Supreme Court on this one, as the case presents the Court with the opportunity to finally weigh in on the circuit split over Article III standing in alleged data breach cases. The Solicitor General, however, is still weighing its decision as to whether to file a petition for certiorari in the case, twice moving to extend the time allowed for doing so. The government's cert petition, if it is to be filed, is presently due on March 19, 2020.
There remains a dearth of case law surrounding the appropriateness of class certification in litigation arising out of a data breach. The reasons for the lack of authority on the class certification issue include that most data breach cases are either dismissed on the pleadings or settle before they reach a decision on a contested motion for class certification. In 2019, there were at least two class certification decisions. In Adkins v. Facebook, Inc., No. 3:18-cv-05982 (N.D. Cal., Nov. 26, 2019), the Northern District of California certified an injunctive relief class under Rule 23(b)(2) but declined to certify a damages class.
On the other end of the spectrum, a Georgia state court judge denied class certification based on lack of commonality under Rule 23(a)(2) in Buice v. Piedmont Athens Regional Hospital, which involved alleged widescale misuse of PHI by a former hospital employee. In particular, the trial judge determined that allegations that all putative class members' HIPAA rights were violated did not establish common injuries among the class. Instead, the likelihood of individualized damages inquiries concerning the type of information that was misused and the effect on the individual patient precluded class-wide adjudication. To our knowledge, there still have been no decisions by any court certifying a data breach class for both liability and damages. However, given the sheer number of data breach class actions out there, there is a stronger likelihood that we will see more significant development in the law in this area in the next year or two.
In an effort to improve their chances on class certification, plaintiffs continue to press for the adoption of new legal theories of damages. This is in part because the more obvious damages associated with data breaches, such as financial losses associated with identity theft or other fraud, create highly individualized issues of causation, and also because many individuals whose information may be compromised as part of a data breach do not suffer any actual financial loss at all. This has led plaintiffs' attorneys to pursue a variety of novel remedies, including damages based on what they argue is the "inherent value" of compromised personally identifiable information, damages based on a lost so-called "benefit of the bargain" on the theory that the plaintiff did not get the data security that he or she bargained for, and damages to cover the cost of future credit monitoring and identity theft protection. Although several lower courts have addressed the viability of these theories under varying procedural postures, there have not been any significant, precedential decisions in any of the federal circuits. However, like the law governing class certification generally, this is also an area where we expect to see accelerated development in the law in the near future.
One significant development in 2019 was the passage of the California Consumer Privacy Act (CCPA), which permits California residents to seek statutory damages from companies that have suffered a data breach as a result of failing to implement "reasonable security procedures and practices." By permitting statutory damages, the CCPA not only increases the potential exposure of companies doing business in California, but it also requires companies to utilize innovative and adaptive strategies to defend against CCPA class actions. So far, we have not seen a deluge of new data breach class actions brought under the CCPA as most commentators predicted, but 2020 has only just begun. At least one lawsuit involving the CCPA has been filed, Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812. However, this first lawsuit does not contain an express CCPA claim but rather argues that CCPA violations form a predicate violation for a UCL § 17200 cause of action. This is just one way that we will expect the CCPA to be used by plaintiffs' attorneys. However, the Barnes complaint still may be amended later to attempt to allege a direct CCPA cause of action.
Data breaches and data breach class actions are likely to continue to be with us throughout the '20s. However, the legal landscape will no doubt change over the next decade. BakerHostetler's Digital Assets and Data Management (DADM) Practice Group is at the forefront of this evolving area of the law, and we will continue to follow developments throughout the year and decade to come.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.