Duane Morris Class Action Review - 2023 - Report - Page 130
might be able to recover damages for the inherent value of their personal information
stolen during the breach based upon Marriott’s own valuation of that same data. The
court also discussed how the valuation of personal information is still fairly new territory,
and that this decision is the first case to reach class certification on the issue. These
findings were the first time a court reached the damages issue at the class certification
stage and laid out the framework for future plaintiffs on how to allege a concrete and
particularized harm in data breach class action cases. It will be interesting to track data
breach class actions and how plaintiffs will plead injuries stemming from the data
breach following this decision.
In sum, data breach class action litigation continues to grow into a high-stakes arena.
The playbook of the plaintiffs’ class action bar in data breach cases continues to press
the legal envelope on how courts are willing to interpret injuries stemming from data
breaches and methods for calculating damages. And while a data breach can be
perpetrated in any number of ways, the legal issues that arise from the theft or loss of
data largely fall within the same set of legal paradigms. The focus of this chapter is to
survey the recent developments and settlements of the law in the area of data breach
consumer class action litigation.
B.
The U.S. Supreme Court’s TransUnion Decision
In regards to recent jurisprudence that has impacted the data breach class action
landscape, the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, et al.,
141 S.Ct. 2190 (2021), is a game-changer for defendants. In TransUnion, a class of
8,185 individuals sued a credit report agency for failing to use reasonable procedures to
ensure the accuracy of their credit reports. Id. TransUnion used a third-party software to
cross-reference its database with the Office of Foreign Assets Control’s (OFAC) terrorist
list. Id. at 2201. The “cross-referencing” consisted only of comparing the first and last
name of the individual with the first and last name of suspected terrorists on the OFAC
list. Id.
Part of the class (1,853 members) were tagged as “suspected” matches and had their
misleading credit report distributed by TransUnion to a third-party business. Id. at 2200.
For example, the named plaintiff Sergio Ramirez was denied the ability to purchase a
car at a Nissan dealership because of an inaccurate OFAC alert on his credit report. Id.
at 2201. The remaining members of the class had an inaccurate OFAC alerts on their
credit report, but did not have their credit reports distributed. Id.
The Supreme Court concluded that only the class members who had their misleading
credit report actually distributed suffered a “concrete harm” and thus had Article III
standing. The Supreme Court compared the injury to a “person [who] is injured when a
defamatory statement ‘that would subject him to hatred, contempt, or ridicule’ is
published to a third party.” Id. at 2209. Because such a harm has a “close relationship”
to harms traditionally recognized in American law, it was sufficient to establish an injuryin-fact for purposes of Article III standing.
129
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
