Duane Morris Class Action Review - 2023 - Report - Page 129
CHAPTER 8
Data Breach Class Actions
I. Executive Summary
A. Introduction
Class action litigation in the data breach space has continued to become more routine,
with lawsuits filed after every major and not-so-major report of a breach and many
high-profile data breach cases creating headlines on a regular basis. In recent years,
companies such as Microsoft, Wattpad, Meta/Facebook, Estee Lauder, Whisper, and
Advanced Info Service have experienced significant breach events affecting hundreds of
millions of their records. Most recently, in In Re Marriott International Customer Data
Securities Breach Litigation, 341 F.R.D. 128 (D. Md. May 3, 2022), a federal judge in
Maryland granted class certification in a case against hotel chain Marriott and its data
security vendor Accenture over a data breach impacting over 133 million American
consumers. This was, to date, the largest data breach case in the country. We expect to
see more large-scale data breaches impacting companies across industries as the shift to
remote working, cloud-based storage, and the rise in sophisticated cybercriminals
threaten data security.

While data breach actions pursued a decade ago faced little prospect of success, recent
developments in the law have favored the ability of the plaintiffs’ class action bar to
show standing and successfully plead duty, causation, and damages. The main
question in most data breach class actions is whether the plaintiff can show that he or
she has standing to assert claims. While it is well settled that those who have
experienced direct economic injury from a breach (such as fraudulent charges) have
standing, as do those who can plausibly allege that their data was improperly accessed,
the standing of group members who do not have a firm indication that their data was
accessed or misused by an unauthorized party is highly contested. Plaintiffs’ attorneys
typically allege several “harms” to try to establish a cognizable injury to this subset of
claims. Such “injuries” include the lost economic value of their personal information,
overpayment for the defendant’s services, lost “benefit of the bargain,” and an increased
risk of future identity theft. Additionally, individual data breach plaintiffs now utilize a
wide array of state law causes of action to circumvent the limitations of federal law. It is
not uncommon to see negligence claims survive motions to dismiss, as industry
guidelines for data security may serve as the standard of care. In addition, plaintiffs can
plausibly allege that a company has a duty to take “reasonable precautions” to forestall
the theft of sensitive personal information within its possession.

The litigation of In Re Marriott International Customer Data Securities Breach Litigation
focused on the individual and class damages calculations. In granting class certification,
the court found that the plaintiffs adequately alleged individual and class standing. As a
result, the court allowed the plaintiffs to seek damages related to overpayment for hotel
rooms, as well as statutory and nominal damages. The court also found that consumers
© Duane Morris LLP 2023