The 50-State Cybersecurity Class Action Is Here to Stay. How to Defend Against It!
In recent years, plaintiff class actions lawyers have shifted their focus in cybersecurity cases from pleading federal claims to asserting claims under state law of residents of all 50 states. However, this potentially raises class certification issues that make these claims difficult for plaintiff to succeed on. How should one prosecute them? How should one defend them? How could one plead and prove that the plaintiffs were injured because of the breach?
March 01, 2019 at 03:30 PM
9 minute read
In recent years, plaintiff class actions lawyers have shifted their focus in cybersecurity cases from pleading federal claims to asserting claims under state law of residents of all 50 states. However, this potentially raises class certification issues that make these claims difficult for plaintiff to succeed on. How should one prosecute them? How should one defend them? How could one plead and prove that the plaintiffs were injured because of the breach? All these questions were debated strongly, litigated in various courts on a one-off basis, and were the result of several court opinions on their potential merits. The recoveries were slim. The plaintiffs' chances for success? Mediocre at best even for the big ones.
Things have significantly changed over the years, especially for defendants. For instance, Statutory Article III standing, once a big issue, is now less of an issue in some courts. Cybersecurity class actions have now graduated elementary school, beginning November 2017 with one of the first national cybersecurity class actions brought by residents of all 50 states. “The complaint is an ambitious 322-page document that names plaintiffs from every state and the District of Columbia who claim to have been injured to varying degrees by the Equifax security breach.” See Tara Swaminatha, “Equifax now hit with a rare 50-state class-action lawsuit,” CSO Online (Nov. 22, 2017).
Today, there are others. Are nationwide federal court, cybersecurity class actions here to stay? One may posit they are, until the U.S. Supreme Court or a Circuit Court says they are not viable or makes them too difficult for a plaintiff's counsel to proceed in an economically rational fashion.
But that raises the second question: How can you defend against them? Though this area of the law is very new, here are some suggestions on how to potentially defeat this sort of nationwide class action—especially when it comes to the issue of predominance.
|Standing
The “case or controversy” requirement of Article III, §2 generally requires that a plaintiff establish “standing,” i.e., an “injury-in-fact that is concrete and particularized” and “actual or imminent” and not mere conjecture.
In early cases, the “actual or imminent” harm requirement spelled doom to plaintiffs in data breach class actions. Though data may have been lost or stolen, plaintiffs sometimes could not show or plead it was misused and that they resultantly suffered a “loss.” Historically, however, courts have tended to either have broad views or narrow views of what constituted true loss. In Spokeo v. Robins, the U.S. Supreme Court reversed and remanded a decision of the Ninth Circuit, holding that the Article III injury that must be plead must be both “concrete and particularized.” However, the holding was more complicated than that. The Supreme Court noted that though “concrete” suggested real harm, concrete did not mean the harm needed to be “tangible” as well. Indeed, intangible harm if not risk of harm can satisfy as concrete harm under Article III. The court concluded, however, that mere violation of a statutory or procedural right alone was not enough. The violation of the right must also cause the plaintiff to suffer some sort of real world harm. Another Supreme Court case, Clapper v. Amnesty Int'l USA, 133 S.Ct 1138 (2013) did nothing to lower the standing bar for plaintiffs. In Clapper, the question was whether the allegation by a plaintiff of future injury could confer standing. The Supreme Court held that the plaintiff would have to demonstrate that injury is “certainly impending.”
Courts have diverged in their application of the “concrete” harm pleading requirement. Some courts (e.g., Second, Fourth and Eighth Circuits) have held that there is no Article III standing where there is no actual identity theft or fraud that occurs as a result of the breach. In one case, Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the Fourth Circuit held that under existing precedent, the “risk of” identity theft is too speculative to confer standing. See also In re SuperValu, 870 F.3d 763 (8th Cir. 2017) (mere future risk of injury was not enough to confer standing); Whalen v. Michaels Stores, (2d. Cir. 2017) (plaintiff had not suffered a “particularized and concrete injury” because any resulting fraudulent charges had been reimbursed).
The Third, Sixth, Seventh, Eleventh and D.C. Circuits diverge away from decisions such as Beck v. SuperValu and take a less onerous view of what constitutes “injury.” For instance, in Galaria v. Nationwide Mutual Insurance Company, No. 15-3386, (6th Cir. 2016), where there was a theft of insurance information of more than one million customers, the court found that, even though it was not “literally certain” that the data breach would cause harm to customers, there was a sufficiently substantial risk of injury, noting that when hackers specially target personal information, it is a “reasonable inference” that the data will be used for fraudulent purposes. See also Attias v. Carefirst, 865 F.3d 620 (D.C. Cir. 2017) (reversing the district court's dismissal for lack of standing, finding that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken”); see generally Ian C. Ballon, Defending Security Breach Class Action Litigation, Ch. 27, E-Commerce and Internet Law: A Legal Treatise With Forms, Second Edition (Thomson/West Publishing 2018) (noting differences among the circuits on standing in cybersecurity class actions).
|Conflicts of Laws and Rule 23(b)(3)'s Predominance Requirement
If a plaintiff can get over the Article III standing issue by pleading harm by showing injury or a substantial risk of injury, then what other issues are present which could derail his or her case? Well, it would be the basics of Rule 23. The most common prong of contention is Rule 23(b)(3), which states:
(b) Types of Class Actions. A class action may be maintained … if:
(3) the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.
The words “common” and “predominate” spell out the problem with 50-state cybersecurity class actions: Who is involved? How were they injured (if at all)? And what law applies to their claims? Justice Antonin Scalia's majority U.S. Supreme Court opinion in Comcast v. Behrend, 569 U.S. 27 (2013) reaffirmed the basics of the court's Rule 23 analysis: that “[t]he class action is 'an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only' … To come within the exception, a party seeking to maintain a class action 'must affirmatively demonstrate his compliance' with Rule 23.” To determine whether this requirement is met, it “may be necessary for the court to probe behind the pleadings” by engaging in “a rigorous analysis” that may “overlap with the merits of the plaintiff's underlying claim.” The court applied these principles to the analysis of Rule 23(b), concluding that “[i]f anything, Rule 23(b)(3)'s predominance criterion is even more demanding than Rule 23(a).”
State laws could vary when you consider that at some point all 50 states' data breach laws might be at issue. That was the point of two recent decisions. Thought it is not a cybersecurity breach case, In re Hyundai and Kia Fuel Economy Litigation is instructive. The case involved a discussion of the predominance aspects of Rule 23(b)(3) in the context of the settlement of a nationwide class action dealing with allegations of fuel economy of certain models of the defendants' cars. Though the District Court certified a proposed settlement of the class, certain plaintiffs (most notably the Virginia plaintiffs) objected to the settlement on the grounds that the District Court did not analyze differences in the 20 state consumer protection laws at issue. The Ninth Circuit reversed and vacated, noting that the failure to ascertain differences in state law was in error (in the settlement context), as differences in state law could “swamp” any common issues and defeat Rule 23's predominance requirement.
This holding makes sense. What if, for example, the laws of one state (State 1) provide for a damages standard and standard of liability far less onerous that the laws of other states (e.g., States 2, 3 and 4)? But the numbers of citizens in States 2, 3 and 4 dwarf State 1, and the laws of States 2, 3 and 4 put far more hurdles upon a plaintiff seeking to recover. How would a federal court deal with such varying individual state laws? Should all these claims be litigated together as a class? That was the point of Hyundai and Kia, and that is the point of Rule 23. This case is now back to the Ninth Circuit on an en banc appeal. The facts in Langan v. Johnson & Johnson, No. 17-1605 (2d Cir. 2018), a consumer class action, were a little different (the case was not in settlement mode), but the results were the same. The court held that plaintiffs in a class action have the burden to demonstrate that variations in state laws “do not predominate over the similarities.” In a 50-state cybersecurity class action, there could indeed be variations in many states' cyber laws, creating the same underlying problem in Hyundai and Langan.
|Conclusion
Though standing remains an obstacle to the nationwide cybersecurity class action, its effect has been both good and bad to plaintiffs and defendants. The “predominance” of the cybersecurity laws that apply to the class action now appears to be the new game in town. We will see who wins.
Paul Ferrillo is a shareholder in Greenberg Traurig's cybersecurity, privacy and crisis management practice in New York City. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation, and internal investigations.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
