Cyber incidents top the list of issues keeping in-house counsel up at night. And as we continue to see the number of incidents climb, we continue to see class actions filed in their wake. So what are the highlights from 2021 and what can we expect in the coming year?
We count 36 major data breach class actions filed this past year, treating multiple cases filed against a single defendant as one major class action. This is a significant increase over the 25 major class actions filed last year. Here’s what we are seeing in these cases:
Plaintiff’s counsel continue to jockey for position. Plaintiff’s attorneys continue to try to beat others to the courthouse. In five of the major data breach cases filed, plaintiffs filed the first-filed case within a week of announcement of the breach. On average, cases were filed within four weeks of the announcement. Three of the cases were the subject of MDL proceedings; 21 of them were consolidated.
What was stolen. In 26 cases, plaintiffs alleged exfiltration of social security numbers, significantly more than the number of cases we saw last year. Last year, the majority of cases concerned allegedly compromised payment card information. This kind of information allegedly was compromised in about one-third of the cases this year, and about half of the cases concerned alleged exfiltration of sensitive medical data.
Who was impacted. As compared to 15% of the cases last year, plaintiffs in about one-third of the cases this year were employees. The rest of the plaintiffs were customers, patients, or account holders.
Novel liability theories. We saw further evolution of plaintiff’s counsel’s theories in the last year. In a suit filed in response to the Colonial Pipeline ransomware attack, for example, plaintiff alleges that consumers and gas station owners were harmed by increased gas prices as a result of the company’s negligence. And a federal court in Los Angeles followed other courts in rejecting plaintiff’s theory that the value of his personal information decreased due to the breach.
Motions to compel arbitration. As we reported last year, defendants in several of these cases had filed motions to compel arbitration. We’ve seen several rulings on these motions, including five in which courts enforced a class action waiver and ordered plaintiffs to arbitrate their claims on an individual basis. We did not see any data breach-specific arguments made by plaintiffs in opposing these motions.
Class certification. Courts issued two decisions on motions to certify a class in data breach cases this year. The courts reached opposite conclusions on whether plaintiffs met their burden to show common issues predominate over individual issues, particularly as to questions of causation and damages. The courts reached different conclusions on two key issues: a) whether plaintiffs could prove that the data breach caused them harm on a class-wide basis, including in particular how exfiltration of plaintiff’s and putative class members’ data in other breaches impacted the analysis; and b) whether expert testimony can get plaintiffs over the hurdle of individualized issues regarding whether the data breach caused a putative class member any harm. The Eleventh Circuit granted a Rule 23(f) petition to consider the trial court’s ruling granting class certification, so watch for further developments here.
We continue to see courts compel disclosure of reports prepared by incident response consultants hired by counsel. In two decisions this year, the courts largely followed the analysis of the Capital One rulings in 2020. Both courts focused on whether the report served a broader purpose than assisting in preparation for litigation. The courts viewed distribution of the report beyond the legal team, whether within the company or to law enforcement, as evidence that the work would have been conducted regardless of the lawsuit. One of the courts looked to the purpose stated in the SOW in finding that the report contained facts, not attorney-client privileged information. These decisions add to the growing number of courts expressing skepticism about claims of attorney-client privilege or work product protection for incident response reports.
We count 16 settlements in major federal data breach cases in 2021. A few takeaways:
Claims-made settlements made a comeback this year. We continue to see data breach settlements follow one of two well-developed templates: injunctive relief and an offer of credit monitoring services, combined with either a claims-made settlement (sometimes with an aggregate cap) or a settlement fund. As compared to last year, we see an increase in the number of claims-made settlements (nine in 2021, compared to four in 2020) and a reduction in settlement funds (six in 2021, compared to nine in 2020).
We also saw one settlement under Rule 23(b)(2). Defendant agreed to injunctive relief, but there was no individual relief for settlement class members.
Very low claims rates. Claims rates for monetary relief in claims-made settlements were very small, between 0.1% and 1% of settlement class members. The rate of enrollment in credit monitoring products ranged from 0.8% to 5.2% in the two cases in which it was reported in the papers supporting final approval. Plaintiffs submitted information about the total amount of monetary relief in only a couple of the cases. For those cases, plaintiffs reported total monetary relief of roughly $840,000 (compared to $1,575,000 awarded for attorney’s fees and costs) and $300,000 (compared to $739,000 awarded for attorney’s fees and costs).
Longer litigation, higher fees. No surprises here. The longer the litigation, the higher the legal fees. Courts awarded an average of $270,000 for cases pending up to 18 months as compared to an average of $1.3 million for cases pending more than 18 months (excluding one outlier settlement with attorney’s fees nearly twice the next highest fee award).
Few objectors. There were no objections filed in 11 of the 16 cases. In the rest of the cases, the number of objectors was small, less than .002% of settlement class members. An appeal was filed in only one case.
Even with the significant increase in major data breach litigation filed in 2021, we again predict that we will see even more major data breach cases filed next year given the enormous increase in all types of security incidents in 2021. We will be watching the briefing and the Eleventh Circuit’s ruling on the district court’s order granting class certification in the Brinker data breach litigation. The appeal tees up several related issues we see in all data breach class actions, including whether the court can certify a class in which the majority of putative class members have no injury and therefore lack Article III standing, whether individual issues predominate in proving harm caused by the breach, and whether plaintiffs can rely on an expert opinion attempting to smooth out individual issues by proposing an average amount of damages per putative class member.
In gathering these cases, we defined major data breach litigation as cases in which multiple actions were filed regarding the same incident. Note that this is a more limited definition than the one we used for the 2020 year-in-review analysis, when we also counted cases in which plaintiffs alleged at least 100,000 individuals were impacted by the breach.
See Class Action Complaint, Dickerson v. CDPQ Colonial Partners, L.P., No. 1:21-cv-02098 (N.D. Ga. May 18, 2021).
Rahman v. Marriott Int’l, Inc., No. SA CV 20-00654-DOC-KES, 2021 U.S. Dist. LEXIS 15155 (C.D. Cal. Jan. 12, 2021).
McGlenn v. Driveline Retail Merch., Inc., No. 18-cv-2097, 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021); In re Brinker Data Incident Litig., No. 3:18-cv-686-TJC-MCR, 2021 U.S. Dist. LEXIS 71965 (M.D. Fla. Apr. 14, 2021).
Wengui v. Clark Hill, PLC, 338 F.R.D. 7 (D.D.C. 2021); In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021).