One of the main risks for a company in the event of a data breach is the threat of litigation. Data breach litigation continued to proliferate in 2024, as it has in prior years.
In the past year, plaintiffs continued to seek relief following data breaches under state common-law doctrines, and the Alabama Supreme Court joined the other state courts of last resort that have addressed data-breach litigation in published decisions. Federal data breach plaintiffs contended with standing issues in the wake of the Supreme Court's decision in TransUnion LLC v. Ramirez, and an apparent circuit split between the Tenth and Eleventh Circuits deepened when the Third Circuit weighed in. The District of New Jersey also provided further guidance to companies on the scope of the attorney-client privilege when responding to data breaches.
This post examines these trends. Follow the WilmerHale Privacy and Cybersecurity Law Blog to stay up to date on the latest privacy news.
Common-Law Claims For Traditional Data Breaches
More traditional common-law claims (e.g., negligence, breach of contract) based on data breaches were common in 2024, as in prior years. In many instances, such claims survived a motion to dismiss.1
One notable exception is the Alabama Supreme Court's decision in Griggs v. NHS Management.2 In Griggs, the court rejected claims for negligence, negligence per se, invasion of privacy, unjust enrichment, breach of confidence, and breach of fiduciary duty related to a data breach suffered by NHS, a provider of administrative services for nursing homes and physical rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri.3 The court established a high bar for making out invasion of privacy, breach of confidence, and unjust enrichment claims in the traditional data breach litigation context involving hacking by a third party.
- Invasion of privacy. The court stated that the tort of invasion of privacy requires intentional wrongful intrusion into one's private activities, and the fact that "Griggs makes no effort to demonstrate that she alleged that NHS's conduct was intentional" was fatal to her invasion of privacy claim.4 Requiring plaintiffs to show that a data breach victim's conduct was intentional will cause many claims to fail, as most defendants are not acting intentionally when their systems are hacked.
- Breach of confidence. The court stated that a breach of confidence claim requires affirmative disclosure by the defendant and that "theft by a third party is not sufficient."5
- Unjust enrichment. The court stated that "Griggs's allegation that she somehow conferred a benefit on NHS in exchange for data protection is insufficient" and therefore her unjust enrichment claim failed.6 The implication is that an individual who pays for administrative services related to healthcare is not also paying for the protection of their data by the provider.
It is important to note, however, that aspects of the decision suggest that future data breach claims filed in Alabama may receive more favorable treatment. Justice Shaw wrote separately, for example, to note that, although Griggs waived the issue, he would be open to finding a duty for purposes of a negligence action in a future case.7
Concrete Injuries Sufficient to Confer Standing
Like all federal plaintiffs, plaintiffs in federal data breach suits must satisfy Article III's standing requirement, which requires an injury in fact that is both traceable to the defendant and redressable by the relief sought. In 2021, the Supreme Court in TransUnion clarified that a risk of future harm stemming from disclosure of a data-breach plaintiff's personal information does not alone support standing to sue for damages.8 Instead, plaintiffs must identify an actual, concrete injury. Throughout 2024, federal courts continued to grapple with what types of concrete harm are sufficient to confer standing for damages claims.
The leading data-breach standing case in 2024 was the Ninth Circuit's decision in Greenstein v. Noblr. The court held that a general notice to a plaintiff that their personal information may have been exposed, without confirmation that the specific plaintiff's information had been stolen, was not sufficient to establish a risk of future harm. Plaintiffs could not rely on the "increased risk such a theft might have posed had it occurred," because they had not sufficiently alleged that their personal information was actually stolen in the first place.9 The court did, however, leave open the possibility that mitigation costs (e.g., money spent on identity theft monitoring services, time spent monitoring financial accounts for potential fraud, etc.) could constitute the requisite concrete injury in conjunction with an appropriately pled risk of future harm, such as confirmation that a plaintiff's personal information was in fact accessed during a data breach.10 In doing so, the Ninth Circuit followed recent decisions of the First and Second Circuits that similarly concluded that plaintiffs suffered concrete harms because they spent time and money mitigating the risk that their breached data would be misused.11
Also in 2024, the Third Circuit weighed in on an existing circuit split regarding the proper methodology for determining the concreteness of intangible injuries. One side of the split, represented by the Eleventh Circuit, has adopted an element-based approach, "wherein a plaintiff's alleged harm must not lack any element of the comparator tort that was essential to liability at common law."12 The Tenth Circuit, on the other hand, has adopted a comparative-harm approach, which compares "the kind of harm a plaintiff alleges with the kind of harm caused by the comparator tort."13
In Barclift v. Keystone Credit Services, LLC, the Third Circuit joined the Tenth Circuit in adopting the comparative-harm approach. The court viewed the comparative approach as more faithful to TransUnion's instruction to ask "whether the asserted harm has a 'close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms including (as relevant here) reputational harm."14 Barclift involved a violation of the Fair Debt Collection Practices Act, which the court compared to the tort of public disclosure of private information.15 The Third Circuit explained that the harm caused by this tort stems from both the "offensive character of the information and its disclosure to the public" and determined that communication of personal information between a debt collector and an intermediary tasked with contacting the consumer did not constitute this kind of harm.16 As a result, the court concluded that the Barclift plaintiffs lacked a concrete injury and had not established Article III standing.17
Privilege Applicable to Post-Breach Forensic Analysis
Attorney-client privilege is intended to protect confidential communications between an attorney and their client related to legal advice or services, but determining which communications qualify with regard to post-breach forensic analysis can be difficult. Historically, courts have been reluctant to expand the scope of attorney-client privilege in the data breach context. Parties should not assume that communications with forensic experts automatically qualify under the privilege.
In In re Samsung Customer Data Security Breach Litigation, an MDL consolidated in the District of New Jersey, Special Master Freda L. Wolfson (ret.) surveyed data breach cases nationwide and created a list of factors to be used to evaluate whether attorney-client privilege should be found in the data breach litigation context.18 She acknowledged that attorney-client privilege must be assessed on a case-by-case basis and construed narrowly. The factors she articulated are:
- Type of services rendered by the third-party consulting firm to outside counsel;
- The purpose and scope of the investigation as evidenced by the investigative materials or the services contract between outside counsel and the third-party consulting firm;
- Existence of a two-track investigation commissioned by the impacted company;
- The extent of a preexisting relationship between the impacted company and the third-party consulting firm;
- The extent to which the third-party consulting firm's investigative materials were shared with members of the impacted company and/or any other outside entities, including the government; and
- Whether the third-party consulting firm's investigative services assisted the law firm in providing legal advice to the impacted company; put differently, whether the purported privileged materials would not have been created in the ordinary course of business irrespective of litigation.19
It remains to be seen whether judges seize on this set of factors as a template to govern their attorney-client privilege analysis in data breach cases moving forward. Regardless, corporate data breach victims should be aware of these factors as they engage in their forensic investigations post-breach.
Footnotes
1 See, e.g., In re Sequoia Benefits and Insurance Data Breach Litigation, No. 22-cv-08217-RFL, 2024 WL 1091195 (N.D. Cal. Feb. 22, 2024) (motion to dismiss negligence and breach of contract claims denied); In re Accellion, Inc. Data Breach Litigation, 713 F.Supp.3d 623 (N.D. Cal. 2024) (motion to dismiss negligence claim denied); Baton v. Ledger SAS, No. 21-cv-02470-EMC, 2024 WL 3447511 (N.D. Cal. Jul. 16, 2024) (motion to dismiss negligence claim denied); In re Eureka Casino Breach Litigation, No. 2:23-cv-00276-CDS-BNW, 2024 WL 4253198 (D. Nev. Sept. 19, 2024) (motion to dismiss negligence and unjust enrichment claims denied); Haney v. Charter Foods North, LLC, No. 2:23-cv-46, 2024 WL 4054361 (E.D. Tenn. Aug. 28, 2024) (motion to dismiss negligence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing claims denied).
2 No. SC-2023-0784, 2024 WL 4797211 (Ala. 2024).
3 Id. at *1.
4 Id. at *6.
5 Id. at *7.
6 Id. at *6.
7 Id. at *14 (Shaw, J., concurring) ("[a]lthough I am not wholly convinced that, in a case like this, the law will not impose a duty for purposes of a negligence action, the issue has been waived.").
8 TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021).
9 Greenstein v. Noblr Reciprocal Exchange, No. 22-17023, 2024 WL 3886977, at *2 (9th Cir. 2024).
10 Greenstein, 2024 WL 3886977, at *3.
11 Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 376-77 (1st Cir. 2023) (holding that lost time spent taking protective measures that would otherwise have been put to some productive use was a sufficient concrete, present harm caused by the plaintiffs' exposure to the risk of future harm); Bohnak v. Marsh & McLennan Cos., 79 F.4th 276, 286 (2d Cir. 2023) (holding that "out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and lost time and other opportunity costs associated with attempting to mitigate the consequences of the data breach" were separate and concrete harms that gave rise to a material risk of future harm) (internal quotation marks omitted).
12 Barclift v. Keystone Credit Services, LLC, 93 F.4th 136, 144 (3d Cir. 2024) (citing Hunstein v. Preferred Collection and Management Services, Inc., 48 F.4th 1236, 1244-45 (11th Cir. 2022)).
13 Barclift, 93 F.4th at 144-45 (citing Shields v. Professional Bureau of Collections of Maryland, Inc., 55 F.4th 823, 829 (10th Cir. 2022)).
14 Barclift, 93 F.4th at 145 (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 417 (2021)).
15 Id. at 146.
16 Id.
17 Id. at 148.
18 In re Samsung Customer Data Security Breach Litigation, No. 23-3055(CPO)(EAP), 2024 WL 3861330 (D.N.J. Aug. 19, 2024).
19 Id. at *11-12.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.