Given the increased frequency of data breaches and the high-stakes class action litigation that often follows, it is critical for counsel to be aware of the key issues that corporate defendants are currently facing in this fast-evolving space. Below we discuss three hotly litigated issues that we expect will continue to be at the forefront of data breach litigation and important to follow this year.

Article III Standing Challenges

When the U.S. Supreme Court issued its decision in TransUnion v. Ramirez in June 2021, it appeared to mark a watershed moment in class action practice in federal courts. Counsel specializing in data breach litigation have anticipated that Ramirez's holding—that a mere "risk of harm" cannot confer standing to seek damages—will undercut the key injury theory of risk of identity theft that has been ubiquitous in data breach litigation for years. But while Ramirez has been thoroughly analyzed by legal commentators, courts are only beginning to define its contours. Moreover, the courts that have considered the "risk of harm" issue post-Ramirez have come to different conclusions, making it difficult to predict Ramirez's reach and an area to watch in 2022.

Thus far, some courts addressing Ramirez in data breach cases have been hesitant to read the decision as a sea change in standing law. For example, the District of South Carolina in In re Blackbaud Customer Data Breach Litigation recently distinguished Ramirez on procedural grounds. There, the plaintiffs alleged they were at an increased risk of harm following a ransomware attack. The court reasoned that unlike in Ramirez, where the case had proceeded through trial, the Blackbaud plaintiffs were entitled at the pleading stage to rest on their mere allegation of a risk of harm.