2020 has been a year for the record books, and the area of data breach litigation is no exception. Several key developments, when considered individually or in conjunction, will likely make breach litigation a top of mind data privacy issue going into the next year. So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.
Overview of Industries Impacted by Data Breach Litigation in 2020
What industries were impacted by data breach litigations in 2020? The short answer: all of them.
Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common. CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program. However, many of the most common vulnerabilities can be addressed without complex technical solutions.” Top five practical recommendations to reduce cyber risk can be reviewed here.
In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology. In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.
What Has Changed with Data Breach Litigations in 2020?
Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex. This is due to several factors.
First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions). The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general. Hence plaintiffs’ reliance on common law and tort based theories. Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage). The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).
Second, there was a monumental development in the spring that sent shockwaves through the data breach defense bar. A federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach. The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel. [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack. The report will address, among other areas, any vulnerabilities in a company’s IT environment that enabled the cyberattack. Obviously, while these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report can cut both ways. Plaintiffs can also use this information to substantiate their claims.] This ruling reaffirmed several key lessons for companies facing cyber incidents. This includes that to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation. Notably, this burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.
And third, as seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives. A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals. Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously—notwithstanding regarding murkiness in the law regarding when these obligations arise.
What Changed With Standing in Data Breach Cases in 2020?
Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation. The reason for this discrepancy is simple: although standing case law can be generally straightforward, this case law has not caught up to the unique challenges posted by data breaches. This, when combined with the absence of national-level legislation for data privacy, has created a hodgepodge of circuit splits and differing interpretations.
As you will recall, Article III standing consists of three elements: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s act; and (3) it must be “likely” that a favorable decision will compensate or otherwise rectify the injury.
When a data breach occurs, the penultimate standing question is whether the theft of data may, by itself, constitute a sufficient injury. Is there an injury when leaked personal information is not copied or used to facilitate fraud or another crime? Should an injury occur when only certain types of personal information, such as Social Security numbers, are leaked, or may the disclosure of other types of information, such as credit card numbers or addresses, be sufficient for injury? These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of the year.
Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints. One strategy has been to allege a negligence cause of action. This year, this strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action lawsuit filed against it by a group of credit unions regarding an alleged data breach. In In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), a group of credit unions alleged that a convenience store chain’s failure to abide by the PCI DSS–the payment card industry’s data security standards–should be the standard of care for determining a negligence claim. In opposition, the plaintiffs argued that Wawa had an independent and common law duty to use reasonable care to safeguard the data used by credit and debit cards for payments. The parties held oral argument in November and a decision remains pending. Our previous coverage provides more information.
While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend. In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach. After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed. This factual finding was included in the notice that the defendant sent to its patients.
The court rejected the plaintiff’s argument and granted the defendant’s motion to dismiss. Crucial to the court’s opinion was that there were no allegations that suggested any disclosure of the acquired data, “such as an actual review by a third party,” had occurred. The court stated “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.” The court looked to the notice of the data breach and observed “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”
Perhaps the biggest takeaway of Blahous is that the disclosure of a patient’s Social Security number and health treatment information were not sufficient for standing. This was contrary to other decisions where the absence of a Social Security number in a data breach specifically led a court to conclude there was no injury. See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations are not sufficient when the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).
Another case highlighted the current circuit split concerning injury in data breaches. In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action lawsuit after his personal information was leaked due to a breach through Macy’s online shopping platform. The court granted Macy’s motion to dismiss, attributing three reasons for its holding: (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identify theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.
Hartigan has at least two takeaways. First, the change brought by Blahous may be an anomaly. In Blahous, the court found no standing when a Social Security number was disclosed. The Hartigan court, however, specifically stated that the absence of any disclosed Social Security numbers was a reason why the plaintiff did not suffer an injury. Although issued later in the year, the Hartigan court did not cite Blahous or any opinion from within the Eleventh Circuit.
Second, Hartigan highlighted the current circuit split regarding standing in data breach cases. The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper. The court then looked to six other circuits for guidance. It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury. It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury. Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.
Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing). At least one notable standing opinion highlights what may be to come. In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers regarding an alleged data breach. A significant issue was whether the plaintiff, a Pennsylvania resident that stayed in one of the defendant’s California facilities for one month, may be a “consumer” under the CCPA for standing purposes.
The defendant seized on the plaintiff’s residency issues for its motion to compel arbitration, or, in the alternative, to dismiss. The defendant argued that the plaintiff’s one-month at a California treatment facility did not make him a “consumer.” The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined by California regulations. Cal. Civ. Code § 1798.150(h). That part of the California Code of Regulations includes in its definition of “resident”: (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.
Unfortunately, the court did not evaluate this issue because the parties voluntarily dismissed the suit prior to a decision.
Trends in 2021
The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.
With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation. Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action. The CCPA, which permits private causes of action for California residents, may be one source of influence. Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.
The change of administration will also likely influence data privacy trends. The Vice President-Elect’s prior experiences with data privacy issues may place her on-point for any federal action. When she was Attorney General of California, the Vice President-Elect had an active interest in data privacy issues. In January 2013, her office oversaw the creation of the privacy Enforcement and Protection Unit of the California Attorney General’s Office, which was created to enforce laws related to data breaches, identity theft, and cyber privacy. The Vice President-Elect also secured several settlements with large companies, some of which required creation of specific privacy-focused offices within settling companies, such as chief privacy officer (mirroring recent trends discussed above).
2021 may also be the year of the Supreme Court. In recent years, the Supreme Court has denied several cert petitions in cases involving data breaches. 2021, however, may be the year when we see the nation’s highest court decide who has standing in a data breach and when an injury occurs. Several high-profile data privacy cases have increased the public’s attention to data issues, such as the recent creation of two MDLs. Additionally, the circuit split referenced in Hartigan may be coming to a head. Finally, the implementation of the CCPA and possibility of federal legislation may make this the year of data privacy.
CPW will be there to cover these developments, as they occur. Stay tuned.