Privacy Litigation 2022 Year in Review: Data Breach Litigation
Privacy Litigation 2022 Year in Review: Data Breach Litigation
2022 was another record-setting year for data breach class actions. Here’s our take on the key developments and trends we have seen over the past year, as well as what we should watch for in 2023.
We count 43 major data breach class actions filed this past year, treating multiple cases filed against a single defendant as one major class action. This continues the upward trend, from 25 in 2020 to 36 in 2021, even though we have narrowed our definition of major cases each year. Of the new cases, four are subject to MDL proceedings, 30 are consolidated or have pending motions to consolidate, and nine are proceeding as individual actions.
How many people were impacted. Defendants estimated the number of individuals whose data was exfiltrated in 38 of the cases. These estimates topped out at 8.2 million impacted individuals. The estimated number of impacted individuals exceeded 1 million in 16 of those cases and was between 500,000 and 1 million in eight of those cases.
Who was targeted. Healthcare companies were defendants in 18 of the 43 major data breach cases, followed by nine defendant companies that provide support services (i.e., consulting, billing, and personnel management). Technology and financial services providers rounded out the list.
What was stolen. We count four fewer cases alleging disclosure of payment card information and six more cases alleging disclosure of social security numbers compared to 2021. One trend that has continued—over half of the major data breach cases filed this year alleged the compromise of sensitive medical information.
What types of incidents lead to class action lawsuits. Third-party hackers allegedly exfiltrated data in 37 cases, including six that allegedly involved a ransomware attack. The rest allegedly involved unauthorized access or disclosure, usually through the error of one of defendant’s employees.
Motions to Dismiss. So far, defendants brought motions to dismiss some or all claims in about 25% of major data breach cases filed this year. In addressing these motions, we saw courts start to grapple with the Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, in which the Court opined on the circumstances in which risk of future harm is sufficient to create standing. The Third Circuit is the first appellate court to apply TransUnion in a data breach case. Reversing the district court, the court found a concrete injury sufficient to satisfy the Article III standing requirement based on a three-step inquiry: 1) alleged intentional access to the data by the bad actor; 2) alleged misuse of the data; and 3) alleged access to types of data that could be used for identify theft or other fraud. District courts in other circuits have reached different conclusions on standing, including several courts that have distinguished TransUnion on grounds that the ruling came after a jury trial rather than at the pleading stage.
Motions to Remand. We saw a few plaintiffs challenge federal jurisdiction after defendants removed from state court. In two cases, plaintiffs relied on the “home state exception” to the Class Action Fairness Act of 2005. In the other cases, plaintiffs challenged defendant healthcare providers’ removals under a statute allowing “employee[s] of the Public Health Service” to sue in federal court. The court granted the motion in one of the cases removed by healthcare providers, and the other motions remain pending.
Class Certification. Whether plaintiffs can rely on expert testimony to establish damages caused by a breach on a classwide basis continues to be pivotal to class certification. Last year, we reported that a trial court had certified a class for which plaintiffs’ expert had estimated the average value of stolen information, class members’ time, lost opportunities, and out-of-pocket costs. An appeal of the ruling in that case is still pending in the Eleventh Circuit. This year, a trial court certified a class based on a different theory of harm: overpayment for services as compared to the amount consumers would be willing to pay had they known of the defendant’s “inadequate data security.” The court rejected plaintiffs’ second theory that it could prove how much the breach reduced the market value of class members’ personal information on a classwide basis. In accepting the overpayment theory, the court narrowed the class to individuals who paid for the services and individuals who were members of the company’s loyalty program and therefore subject to the same contractual terms. Plaintiffs recognized that their overpayment theory could not be used to establish causation and harm on their negligence claim, but the court certified Rule 23(c)(4) issue classes on duty and breach. The Fourth Circuit granted defendant’s petition to review the trial court’s ruling, which remains pending.
There were 20 settlements in federal data breach cases in 2022, up from 16 in 2021. A few comments on those settlements:
Settlement structure moved toward funds this year. In general, we continue to see data breach settlements following one of two well-developed templates: injunctive relief and offer of credit‑monitoring services combined with either a claims-made settlement (sometimes with an aggregate cap) or a non-reversionary settlement fund. That said, settlements included injunctive relief and credit monitoring less frequently than in 2021. Of the 20 settlements, 14 included injunctive relief, nine included credit monitoring, and four included neither.
In 2022, we saw a 50/50 split between settlements with a non-reversionary fund structure and settlements with a claims-made structure (with or without a cap). This represents a relative increase in settlement funds and a relative decrease in claims-made structures compared to settlements in 2021.
Claim rates and number of objectors remain low. Most of the settlements had claims rates up to 1%, which is consistent with the claims rates in settlements last year. There were a few outliers, though, in which approximately 2% to 6% of individuals submitted claims. We do not detect any common themes among these outliers—such as settlement class size or benefit amount—that would account for the significantly higher claim rate in these cases.
As was the case last year, we continue to see very few objectors in data breach settlements. There were no objections filed in 12 of 20 cases. The largest number of objectors was 43, but the case involved 15 million settlement class members.
Longer litigation, larger settlement class, higher cost. We continue to see larger attorneys’ fees awards in cases pending the longest. Courts awarded over four times as much in fees for cases pending more than 18 months compared to cases pending up to 18 months. We note, though, that the cases pending the longest before settling also have the largest settlement classes. Not surprisingly, then, the larger the settlement class, the greater the attorneys’ fees. On the other end of the scale, we see larger per-class-member settlement benefits for classes on the smaller end of the range.
We again predict that the number of data breach class actions filed and settled will increase next year, including because of the increase in cases filed this year. We will continue watching the petitions challenging class certification pending in the Eleventh and Fourth Circuits. Those rulings could give plaintiffs new ways to distinguish their theories from rulings in earlier cases that whether and how exfiltration of personal information harmed a particular plaintiff are inherently individual issues not amenable to class treatment. Standing also will continue to be a hot topic in 2023 as we wait to see how TransUnion affects the landscape.
 In gathering cases, we defined major data breach litigation as cases in which: 1) the breach impacted at least 200,000 individuals; and 2) multiple actions were filed regarding the same incident. This is a more limited definition than we used in our 2021 year-in-review, when we counted all cases in which multiple actions were filed.
 141 S. Ct. 2190 (2021).
 Clemens v. ExecuPharm Inc., 48 F.4th 146, 157 (3d Cir. 2022).
 Compare, e.g., In re Blackbaud, Inc., No. 3:20-mn-02972-JMC, 2021 U.S. Dist. LEXIS 123355 at *18 n.15 (D.S.C. July 1, 2021) (inquiry into whether plaintiffs established that their “alleged risk of future harm materialized into a sufficient ‘concrete’ harm as held in [TransUnion]” is not proper when ruling on a motion to dismiss) and I.C. v. Zynga, Inc., No. 20-cv-01539-YGR, 2022 U.S. Dist. LEXIS 112601 (N.D. Cal. Apr. 29, 2022) (relying on TransUnion to dismiss for lack of standing because plaintiffs failed to allege identity theft or imminent risk of fraud).
 42 U.S.C. § 233(a), (c), (l)(2).
 In re Marriott Int’l, Inc., 341 F.R.D. 128, 153 (D. Md. 2022).