Add a 270% increase in data breaches to the long list of unprecedented challenges in 2020. Cybersecurity is on the short list of major risks facing companies. And when a security incident happens, class actions often follow. Although data breach class actions are not new, we continue to see increases in the number of cases filed, evolving theories from plaintiffs’ counsel, and the development of settlement templates in these cases.
We count 25 major data breach class actions filed this past year, treating multiple cases filed against a single defendant as one major class action. Here’s what we are seeing in these cases:
Plaintiffs’ counsel jockey for position. More than one case was filed in response to over half of the data breaches that led to class actions in 2020. Three of these sets of cases were the subject of MDL proceedings; ten of them were consolidated. The remaining two cases are in the very early stages, so we expect consolidation in 2021.
There continues to be a race to the courthouse in these cases. One of the cases was filed the day after the defendant announced the breach. Many were filed within two to three weeks of disclosure.
Jockeying takes time. Defendants have either responded or filed an initial motion in only a third of the data breach cases filed this year. The rest are still in the very early stages. On average, it was about five months between case filing and the filing of defendant’s response to the complaint.
What was stolen. In a majority of the class actions, the allegedly compromised data was limited to payment card information. Courts have recognized that payment card information is less sensitive than other types of personal data, given that consumers are not liable for fraudulent use of the cards and that consumers can replace their credit cards. About a third of the cases involved alleged exfiltration of social security numbers. Sensitive medical information allegedly was at issue in only two of the major breach cases filed this year.
Who was impacted. Plaintiffs in about 15% of the major data breach cases were employees. In the rest of the cases, plaintiffs were customers, patients, users, account-holders, or individuals who accessed defendants’ payment platforms.
Possible arbitration defense. Defendants in several of the major data breach class actions filed this year have moved to compel arbitration. These motions have yet to be fully briefed or decided, but we can see that defendants are turning to alternative dispute resolution in response to these lawsuits.
We continue to see fierce litigation over whether companies can protect reports prepared by incident response consultants hired by counsel. The decisions in In re: Capital One Customer Data Security Breach Litig., E.D. Va., No. 1:19-md-02915, are illustrative.
The Capital One court issued different rulings with respect to two different reports. First, the district court required Capital One to disclose an incident report prepared by its cybersecurity firm in the wake of a 2019 data breach, finding the report was not protected by the work product doctrine. A few months later, the court ruled that Capital One did not have to disclose a root cause analysis of the same breach incident prepared by its consulting firm, finding the report was protected as attorney work product.
A few high-level takeaways from these rulings:
A few takeaways from the 13 settlements in data breach class actions in federal court this year:
Settlement structure is fairly well settled. We continue to see data breach settlements follow one of two well-developed templates: injunctive relief and offer of credit monitoring services combined with either a claims made settlement with a cap (four settlements) or a settlement fund (nine settlements).
Time spent litigating doesn’t seem to impact settlement value. Conventional wisdom says aggressive litigation leads to more favorable settlements. Not so much in the data breach space. The average per-person all-in settlement amount was fairly constant across major breaches regardless of time spent litigating. So cases that resolved before briefing any major motions or engaging in discovery settled for about the same per-settlement class member cost as settlements reached after two or three years of battle (and related litigation costs).
Nature of exfiltrated data doesn’t seem to impact settlement value either. Sensitivity of exfiltrated data doesn’t seem to impact settlement value. Whether the data was credit card data, social security numbers, health data, or some combination of those types of data, the per-person settlement cost was about the same.
Few objectors or appeals. In most of the cases, no class members filed objections. In the few cases in which objections were filed, the number of objectors was very small, less than 0.05% of all class members, on average. Objectors filed appeals in two of the 13 settled cases.
We’d expect the enormous increase in security incidents this year to lead to even more data breach litigation in 2021. Watch for plaintiffs’ counsel to continue to try to get around the challenges in bringing these cases and certifying a class, including by continuing to attempt to prove intrinsic value of personal information. We also will be watching the Supreme Court’s ruling in TransUnion LLC v. Ramirez, in which the justices will again consider whether plaintiffs may pursue a damages class action where the vast majority of the class did not suffer any injury or did not suffer an injury like that suffered by the class representative. We’ve been down this path before with Spokeo, so we’ll see if we get any more clarity from the Supreme Court that shapes the data breach class action landscape. No matter how the ruling comes out, though, we can look forward to another busy year for data breach class actions in 2021.
 In gathering these cases, we defined major data breach litigation as cases in which: 1) plaintiffs alleged at least 100,000 individuals were impacted by the breach, or 2) multiple actions were filed regarding the same incident. As a cross-reference for our research, we consulted Eugene Bekker, 2020 Data Breaches: The Worst So Far, and Charlie Osborne, The biggest hacks, data breaches of 2020.
 See In re: Capital One Consumer Data Sec. Breach Litig., No. 1:19-md-02915 (AJT/JFA), 2020 WL 2731238 (E.D. Va. May 26, 2020), aff’d, 2020 WL 3470261 (E.D. Va. June 25, 2020); In re: Capital One Consumer Data Sec. Breach Litig., No. 1:19-md-02915 (E.D. Va. Nov. 25, 2020), ECF No. 1058.
 In re: Capital One Consumer Data Sec. Breach Litig., No. 1:19-md-02915 (E.D. Va. Nov. 25, 2020), ECF No. 1058.
 In re: Ronald Schwartz, et al. v. Yahoo! Inc. et al., No. 20-16633 (9th Cir. Aug. 24, 2020); Shiyang Huang v. Brian Spector, et al., No. 20-10249 (11th Cir. Jan. 21, 2020).