Duane Morris Class Action Review - 2023 - Report - Page 138
misrepresentation claim with prejudice. Id. at *28. Third, the court held that the plaintiffs
adequately alleged damages as a result of the defendant’s breach, and therefore, the
plaintiffs adequately pled their implied contract claims. Id. at *31. Fourth, the court held
that it was unable to conclude that the plaintiffs’ alleged injuries could not be remedied
by money damages when that was the precise remedy requested, and therefore it
dismissed the plaintiffs’ unjust enrichment claims with leave to amend. Id. at *37.
Finally, the court declined to dismiss any of the state law claims, except for those
brought under Ohio Trade Practices Act and the Oregon Unlawful Trade Practices Act.
For these reasons, the court granted in part and denied in part the defendant’s motion
to dismiss. Id. at *63.
C.
Federal Appellate Rulings On Data Breach Class Claims
Allen, et al. v. Vertafore, Inc., 28 F.4th 613 (5th Cir. 2022), represented one of the key
appellate rulings of 2022.
In Allen, the plaintiffs, a group of Texas driver's license holders, brought a class action
alleging violation of the Driver's Privacy Protection Act (DPPA) after the defendant’s
announcement that unauthorized users had gained access to personal information
stored on unsecured external servers. The district court granted the defendant’s motion
to dismiss pursuant to Rule 12(b)(6). On appeal, the Fifth Circuit affirmed the district
court’s ruling. The plaintiffs alleged that the defendant knowingly violated the DPPA by
storing drivers’ license information on unsecured external servers. The defendant
argued that the plaintiffs failed to allege both that the defendant acted with an
impermissible purpose and that it made a knowing disclosure. The Fifth Circuit agreed
with the defendant’s argument that the plaintiffs failed to allege a “disclosure” within the
meaning of the DPPA. The Fifth Circuit ruled that the facts alleged in the plaintiffs'
complaint were only that the defendant stored personal information on the unsecured
external servers and that unauthorized users accessed that information. The Fifth
Circuit opined that these facts failed to plausibly state a "disclosure" consistent with the
plain meaning of that word because there was not access to public view or evidence
that the defendant granted or facilitated that access. Id. at 617. Thus, the Fifth Circuit
ruled that because the plaintiffs had not alleged a disclosure within the meaning of the
DPPA, their complaint failed to state a plausible claim for relief. For these reasons, the
Fifth Circuit affirmed the district court’s ruling granting the defendant’s motion to
dismiss.
D.
State Court Rulings On Data Breach Class Claims
State courts also adjudicated these issues in 2022.
In Shedd, et al. v. Sturdy Memorials Hospital, 2022 Mass. Super. LEXIS 7 (Mass.
Super. Ct. Apr. 5, 2022), the plaintiffs, a group of individuals whose information had
been exposed during a ransomware attack on a hospital, alleged that one or more
unauthorized persons gained access to the defendant’s computer systems and to the
personal and confidential information of the defendant’s patients and others (PII). The
defendant paid a ransom, secured its systems, and obtained assurances that the PII
137
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
