By now, companies across all industries have become familiar with the lifecycle and stages of a ransomware incident. Generally, once an attack is contained, remediation and rebuilding will follow. Shortly after, the crisis begins to subside, and legal reviews of impacted data and notifications to potentially impacted individuals, state attorneys general, and regulators all follow (often with the assistance of an e-discovery firm). Not long ago, this signaled the end of the incident. But now, for an increasing number of companies, it is merely a prelude to the next stage: litigation.
The litigation strategy of many plaintiffs' counsel has become routine: within days of the publication of a security incident notification, they file class-action lawsuits seeking millions in damages. Given the tightening deadlines for notifying regulators of a security incident—and the growing number of regulators requiring and publishing such notifications—plaintiffs' counsel are able to obtain more information, more quickly, on which to base lawsuits. Unsurprisingly, the number of civil complaints filed against companies victimized by ransomware criminals, among others, has risen significantly in 2024, and the volume of cases will likely continue to rise.
This Legal Update discusses recent cyber-litigation trends, notable data breach class-action litigation, and considerations for protecting privilege during a security incident.
Recent Litigation Trends
Volume of Complaints Filed
In August 2024, Bloomberg analyzed federal court dockets for complaints mentioning ransomware filed between 2021 and 2023. In 2021, roughly 104 complaints mentioned "ransomware;" by 2023, there were 736, an increase of more than 600%. Similarly, complaints mentioning "data breach" increased from 391 in 2021 to 1278 in 2023, a 227% increase.
According to Bloomberg, companies are often targeted by multiple class action lawsuits, as class action attorneys typically seek to represent nationwide and state-specific subclasses. Indeed, a single incident can lead to hundreds of complaints:
- the Progress Software and Fortra incidents resulted in 279 federal complaints;
- a telecommunications provider's 2023 incident resulted in 140 federal complaints;
- a healthcare company's 2024 incident resulted in 79 federal complaints; and
- a biotech company's 2023 incident resulted in 28 federal complaints.
Article III Standing
The most frequently contested issue in federal data breach litigation is whether the plaintiff has sufficiently alleged "actual or imminent" harm, fairly traceable to the defendant's conduct, as required to establish Article III standing.1 Defendants who successfully challenge standing can potentially win the dismissal of the entire lawsuit early in the litigation, prior to discovery. Most often, plaintiffs attempt to meet their burden by claiming that they are at "future risk of imminent harm" that resulted in various mitigation "costs."
Typically, data breach plaintiffs allege at least one of the following theories of harm:
- Future risk of imminent harm and resulting mitigation costs: This theory is the most common way plaintiffs try to establish standing. Most courts have held that a plaintiff has standing if (i) the harm is imminent (more on that below), and (ii) they allege that they spent money and/or time to mitigate the data breach.2
- Loss of value in personally identifiable information (PII): This theory has garnered support in some courts.3 The majority view, however, is that this is not a concrete injury that would support standing, unless the plaintiff alleges that they intended to sell their PII or were foreclosed from entering into a transaction relating to their PII.4
- Benefit of the bargain losses: Many courts have agreed that this theory supports standing when a plaintiff alleges that they purchased a product or service from the defendant-victim and that part of the purchase price was for the defendant to implement security measures.5 Absent these allegations, however, other courts have held that this theory of harm does not confer standing.6 Some courts have outright rejected this theory of harm even when plaintiffs allege paying for services or a product, because they failed to allege either (i) reliance on a defendant-victim's security policies, or (ii) that the data breach diminished the value of the service/product the plaintiffs received.7
- Invasion of privacy (i.e., public disclosure of private facts): Many courts have held that this theory supports standing because it bears a close relationship to the harm associated with the tort of public disclosure of private facts.8 Other courts have rejected this theory of standing because plaintiffs could not allege a key element of that tort: publication of their information to a wide audience (e.g., the dark web).9
- Emotional distress: Most courts have held that this theory of harm may establish standing when coupled with sufficient allegations that the plaintiff is at risk of future harm.10 But absent an imminent risk of future harm, allegations of emotional harm premised on that risk cannot confer standing.11
Types of Claims
Plaintiffs often bring claims under various state statutes that have private rights of action or various state common law claims. These common law claims include negligence, breach of contract, invasion of privacy, and unjust enrichment. Of these claims, contract and negligence claims are more likely to survive dismissal at the pleading stage because of the many factual issues that arise with the merits of these claims (e.g., the existence of a contract, whether a duty was breached, etc.).12
With respect to negligence claims, some federal courts have recognized a duty to protect PII where the defendant-company allegedly created a situation that it "knew or should have known" would pose a substantial risk to a plaintiff (i.e., its intentional collection and storage of plaintiffs' information).13 Further, plaintiffs often allege that the defendant-company had a duty to protect their PII under various federal and state laws, such as Section 5 of the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act. Plaintiffs often allege this by claiming that the defendant-company "should" have been aware that its security practices would make it a target of a cyber-attack. Although most courts agree that the FTC Act and HIPAA do not create a duty under negligence per se,14 most courts also agree that these two statutes can "inform" the basis for a duty.15
Data Breach Litigation Continues to Evolve
Article III standing requirements for a future risk of harm theory have been trending towards uniformity among certain circuits.16 And a recent, unpublished Ninth Circuit decision analyzed data breach notification letters and how they fit within the Article III standing analysis, which could spark changes in pleading requirements across various federal jurisdictions. See Greenstein v. Noblr Reciprocal Exch., No. 22-17023, 2024 WL 3886977, at *1 (9th Cir. Aug. 21, 2024).17
As explained below, Greenstein underscores the need for legal teams to scrutinize notification letters during incidents. Some key takeaways include:
- To have standing in the Ninth Circuit under a theory of future risk of harm and resulting mitigation expenses, plaintiffs must plead either the misuse of their sensitive information or, at a minimum, the theft of their sensitive information.
- To allege sufficiently that sensitive information was stolen, plaintiffs cannot rely only on a data breach notification that informs individuals that their data "may have been impacted." Plaintiffs must plead additional factual allegations.
- Allegations of misuse cannot be fairly traceable to the defendant if fraudsters need more information, such as a Social Security number, to commit identity theft.
In Greenstein, the plaintiffs filed a putative class action against Noblr Reciprocal Exchange after receiving a notification letter stating that their driver's license numbers "may have been accessed" during a cyberattack. The plaintiffs alleged that they and the Class Members faced an imminent threat of future harm in the form of identity theft, and suffered both economic and non-economic damages and actual injury because their driver's license numbers were involved in the cyberattack. However, the notice letter sent to potentially impacted individuals did not state that any driver's license numbers were actually stolen, nor did it explain how any of the recipients were impacted. Ultimately, the court held that the plaintiffs could not rely on the notification letter to establish that their information was stolen. And because the plaintiffs did not otherwise provide any other factual allegations, they lacked standing.
Privilege Considerations
During the chaos of a security incident, deciding whether to put certain details in writing—and whom to include on communications—may not be top of mind for employees working tirelessly to mitigate the impacts of the incident. However, the increase in litigation underscores the importance of maintaining privilege over multiple aspects of an investigation, including: (i) communications among the "core group," breach counsel, and data review vendors; (ii) forensic reports; and (iii) breach counsel recommendations and decisions carried out by the client.
As a result, it is important to keep privilege in mind with the following best practices:
- Include attorneys in incident response-related meetings, to help ensure that sensitive, deliberative conversations are informed by legal advice and remain privileged.
- Include legal counsel on communications with third parties, to ensure legal counsel is gathering the facts necessary to provide legal advice and to maximize privilege.
- Share information internally and strictly on a need-to-know basis to avoid waiving privilege.
- When in doubt, check with legal counsel about whether to widen the distribution of incident response communications and related materials.
- Review distribution lists to confirm that emails about the incident are not distributed to unintended recipients.
- Refrain from sharing information with third parties not retained to provide legal advice on the incident.
- Share communications regarding potential findings, conclusions, observations, recommendations, or concerns (especially about the causes of the incident) orally (in person or via a secure conference call) with legal counsel present, rather than in writing.
- Include legal counsel on all written communications concerning the investigation, and mark the communication with the appropriate privilege and confidentiality markings.
Privilege Litigation Examples and War Stories
Many of the above privilege considerations are derived from examples of privilege issues litigated in court, the outcome of which required the defendant to disclose forensic reports generated during an incident.
- In re Capital One Consumer Data Security Breach Litig., 2020 WL 2731238 (E.D. Va. May 26, 2020): The court held that privilege did not apply to the forensic report. As an initial matter, the court explained that the fact that the investigation was completed at the direction of outside counsel, rather than Capital One, did not by itself warrant work product protection. Further, a prior master services agreement (MSA) between Capital One and the vendor that created the forensic report indicated that the relationship was created for a business purpose, not in anticipation of litigation. This, coupled with the fact that the report was widely shared outside Capital One's legal team, meant the report did not warrant protection under privilege.
- Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. 2021): The court held that privilege did not apply to the forensic report. The court concluded that the forensic report was generated for a business purpose, not in anticipation of litigation. Among other things, the court noted that the forensic report was used for many non-litigation purposes, including to manage issues related to the incident and to share with the FBI. The report also revealed the forensics firm worked with other outside third parties to manage the incident without counsel present.
- Leonard v. McMenamins Inc., 2023 WL 8447918, at *4 (W.D. Wash. Dec. 6, 2023): The court held that privilege did not apply. The court found that the forensics report only provided factual information and that the forensics firm contributed to business discussions and assisted with restoration services, rather than supporting legal advice. The report was also widely shared with leadership and IT. While the forensics firm was retained by counsel, that alone did not protect the forensics report under privilege.
- In re Samsung Customer Data Sec. Breach Litig., 2024 WL 3861330, at *13 (D.N.J. Aug. 19, 2024): The court held that privilege did not apply. The court determined that the forensic report was generated for a business purpose because it was widely shared with 15 different Samsung high-level executives, including Samsung's security team.
As demonstrated, motions to compel investigative reports have become all too familiar in data breach cases, and courts have trended towards rejecting claims of privilege over those reports, if companies use them in the ordinary course of business rather than in anticipation of litigation.
What Does This Mean For My Business?
- Litigation arising from ransomware and data breaches is an increasingly common occurrence for companies across many sectors.
- New and/or revised incident reporting requirements could provide plaintiffs' firms and class action shops with more information about—and, in some cases, quicker notice of—cybersecurity incidents affecting companies.
- Data breach class action firms operate on a volume-based business model, casting a wide net, leading to multiple complaints for one security incident.
- Having counsel that understands how actions and decisions during incident response can impact subsequent litigation is critical, as case law is constantly evolving.
- Maintaining attorney-client privilege throughout an incident will both help mitigate risk during the incident and provide your defense team with the tools to dispute discovery requests on privilege grounds.
Footnotes
1 Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992).
2 In re Sequoia Benefits and Ins. Data Breach Litig., 2024 WL 1091195, at *1 (N.D. Cal. Feb. 22, 2024) ("Here, in response to the material risk of fraud and identity theft caused by the data breach, Plaintiffs allege that they spent significant time monitoring their accounts to check for identity theft . . . As circuit courts have roundly concluded, such an injury is sufficiently concrete for standing to pursue damage"); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365, 376–77 (1st Cir. 2023) ("To establish standing to pursue damages, the complaint must also plausibly allege a separate concrete, present harm caused 'by [the plaintiffs'] exposure to [this] risk [of future harm].' We conclude that the complaint has done so based on the allegations of the plaintiffs' lost time spent taking protective measures that would otherwise have been put to some productive use." (citation omitted))
3 Baton v. Ledger SAS, 2024 WL 3447511, at *11 (N.D. Cal. July 16, 2024) (holding that plaintiff's allegations that he lost value in his PII established an injury-in-fact); Stallone v. Farmers Group, Inc., 2022 WL 10091489, at *7 (D. Nev. Oct. 15, 2022) (same).
4 Owens v. Smith, Gambrell and Russell Intl., LLP, 2024 WL 3914663, at *6 (C.D. Cal. May 30, 2024) ("The [complaint] does not present any allegations about a market for Plaintiffs' PII and offers no allegation that Plaintiffs would somehow attain a financial benefit from their PII on such a market."); Tate v. EyeMed Vision Care, LLC, No. 1:21-CV-36, 2023 WL 6383467, at *5 (S.D. Ohio Sept. 29, 2023) ("[Plaintiffs] allege that because their PII has a quantifiable market value and because cybercriminals allegedly stole their PII due to EyeMed's negligence, that this purported theft of personal property is itself an injury to Plaintiffs because it prevents Plaintiffs from capitalizing on the value of their PII . . . . But Plaintiffs do not explain how they are injured by this."); Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 46 (D. Ariz. Sept. 27, 2021) ("[W]ithout identifying a market in which they can or could and intend or intended to sell their information, Plaintiffs here fail to demonstrate a loss in value of their PII or PHI.").
5 Baton v. Ledger SAS, 2024 WL 3447511, at *10 (N.D. Cal. July 16, 2024) ("Under California law, the economic injury of paying a premium for a falsely advertised product is sufficient harm to maintain a cause of action.")
6 Williams v. Bienville Orthopaedic Specialists, LLC, 2024 WL 3387169, at *6 (S.D. Miss. June 18, 2024) ("There is no allegation that any of the plaintiffs paid a certain amount of money to Bienville in exchange for protection of their private information or that they intend to sell their private information.")
7 DiPierro v. Fla. Health Scis. Ctr., Inc., 2024 WL 3051320, at *9 (M.D. Fla. June 18, 2024) ("Because Plaintiffs have not plausibly alleged that Tampa General's data security practices deprived them of the benefit of their bargain for healthcare services, this theory of class-wide injury also fails."); In re Practicefirst Data Breach Litig., 2022 WL 354544, at *8, n. 11 (W.D.N.Y. Feb. 2, 2022) ("The Court also rejects any attempt by plaintiffs to establish standing by alleging that they failed to receive the 'benefit of their bargain' by providing their private information to their medical providers, who then entrusted the data to defendants.")
8 Krefting v. Kaye-Smith Enterprises Inc., 2023 WL 4846850, at *3 (W.D. Wash. July 28, 2023) ("The Court finds that Plaintiff's claimed injuries flowing from these acts have a close historical and common-law analog since the theft and loss of control over PII is akin to traditional claims for invasions of privacy and intrusion upon seclusion."); Medoff v. Minka Lighting, LLC, 2023 WL 4291973, at *3 (C.D. Cal. May 8, 2023) ("Here, Plaintiff alleges that he has suffered a privacy injury through the exposure of social security information and the posting of his social security number on the Dark Web."); Leonard v. McMenamins, Inc., 2022 WL 4017674, at *4 (W.D. Wash. Sept. 2, 2022) ("The Court finds that Plaintiffs have adequately alleged a harm bearing a 'close relationship' to the harm associated with the tort of 'disclosure of private information.'")
9 Holmes v. Villages Tri-Cnty. Med. Ctr., Inc., 2023 WL 315019, at *5 (M.D. Fla. Jan. 19, 2023) ("[T]here are no allegations of such publicity; instead, Plaintiffs allege only that private actors 'may have' accessed their information, not that anyone made that information public. And as noted earlier, the allegations of access by even one person in this case are speculative at best.")
10 Briggs v. N. Highland Co., 2024 WL 519722, at *6 (N.D. Ga. Feb. 9, 2024) ("[T]he Court finds that Plaintiff's allegations that his knowledge of the substantial risk of identity theft causes him to presently experience emotional distress satisfies the standing inquiry.")
11 In re Illuminate Educ. Data Sec. Incident Litig., 2023 WL 8888839, at *5 (C.D. Cal. Nov. 6, 2023) ("Plaintiffs have no standing where the harm is based on time lost on mitigation measures or emotional distress").
12 Cahill v. Memorial Heart Institute, 2024 WL 4311648, at *7 (E.D. Tenn. Sept. 26, 2024) (holding that plaintiffs alleged a breach of duty under negligence and explaining that "[w]hile the allegation about unencrypted data is stated 'upon information and belief,' the Court draws all reasonable inferences from the entire pleading in favor of Plaintiffs, including consideration of the facts plead about Karakurk's typical methods"); Owen-Brooks v. Dish Network Corp., 2024 WL 4333660 (D. Colo. Sept. 27, 2024) ("And so, while Plaintiffs are pursuing both negligence and implied contract claims concerning the same subject, and no discovery has yet been done to provide a fuller factual context, this court finds it premature to decide whether Colorado's law of special relationship applies and imposes the duty that Plaintiffs assert it does, or whether Colorado otherwise recognizes such a tort duty.").
13 Owens v. Smith, Gambrell and Russell Intl., LLP, 2024 WL 3914663, at *9 (C.D. Cal. May 30, 2024) ("When applying those factors, courts have generally found that a business owes a duty of care to prevent breaches of sensitive data, even when the individuals whose data is at issue are not 'customers or otherwise in privity' with the business."); Brooks v. Peoples Bank, 2024 WL 2314538, at *7 (S.D. Ohio May 6, 2024) ("Plaintiffs have adequately pleaded Limestone had a common law duty to safeguard their PII."); In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *14 (D.N.J. Dec. 16, 2021) (recognizing that "[o]nce Defendants collected Plaintiffs' information, they had a duty to protect Plaintiffs from foreseeable harm by taking reasonable precautions to safeguard that information").
14 See, e.g., Cahill, 2024 WL 4311648, at *9 (holding that neither HIPAA nor the FTC Act creates a standard of care relevant to plaintiffs' negligence per se claim). We note, however, that some courts have permitted negligence per se claims premising duty on the FTC Act. See Dustershoft v. OneTouchpoint Corp., 2024 WL 4263762, at *11 (E.D. Wis. Sept. 23, 2024) ("At this stage, the Court concludes that Plaintiffs have alleged sufficient facts for their negligence per se claims to survive this motion to dismiss. But the Court is not convinced that either HIPAA or the FTC Act can form the basis for negligence per se, and OneTouchPoint can renew this argument at summary judgment"); McLaughlin v. Taylor Univ., 2024 WL 4274848, at *7 (N.D. Ind. Sept. 23, 2024) ("That said, 'the [FTCA] can serve as the basis of a negligence per se claim[,]' Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 760-61 (C.D. Ill. 2020), and Plaintiffs have plausibly alleged such a claim.").
15 In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623, 639–40 (N.D. Cal. 2024) ("the Court also will not preclude Plaintiffs from relying on the provisions of the FTC Act, HIPAA, CCRA, or COPPA in support of the elements in their negligence claim"); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1142 (C.D. Cal. 2021) (allowing reference to FTC Act and HIPAA for breach of medical information).
16 McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021) (applying a three-part test for determining imminence in data breach cases, and holding that courts in the Second Circuit must consider whether: (i) the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (ii) any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (iii) the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud); Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023) (following the Second Circuit).
17 Greenstein is an unpublished case and is not binding. The plaintiffs in that case sought en banc review on September 4, 2024.
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.