Litigation Readiness: Seven Things to Keep in Mind

Data breach class actions inevitably follow from nearly every major security incident. Here are seven things in-house counsel can do to prepare for litigation.

1. Create a Strong Foundation

Depending on the nature and scope of the breach, companies can expect one or more class action lawsuits in the days and weeks after announcing a breach—perhaps dozens or even hundreds. At this early stage, companies need outside counsel who can manage multiple lawsuits, so you can focus on your company’s business. Ideally, you have chosen in advance a firm that can handle both the security incident and any follow-on litigation.

2. Preserve Documents and Manage Communications

A company’s obligation to preserve documents arises when litigation is reasonably anticipated—not once it begins. As part of the breach response, issue a legal hold to individuals likely to have relevant information. You should also disable all auto-delete functions, including those affecting non-custodial sources like databases with relevant information.

While companies must preserve relevant materials, they are not obligated to create new ones. And while various teams will need to communicate effectively to respond to a data security incident, there are steps you can take to manage their communications so they are communicating candidly but responsibly. Remind teams working on the incident to communicate factually and without emotion. There is no room for speculation or guesswork on the part of the teams working to respond to an incident.

At the same time, you should ensure that in-house counsel is coordinating with outside counsel to gather information necessary to prepare for litigation in a manner that maximizes the protection of the attorney-client privilege.

3. Impose Order on the Chaos

When multiple cases are filed across jurisdictions, the company should consolidate the various lawsuits before one court, or, if not possible, pursue stays where strategically optimal. Assuming a significant number of cases in federal court, the company or plaintiffs’ counsel will typically file a petition before the Judicial Panel on Multidistrict Litigation (JPML). But because the process takes time, outside counsel should coordinate with local counsel to manage early procedural steps and ensure consistent messaging across cases.

Local counsel will be familiar with local courts and local court rules. As a result, they are best positioned to deploy early procedural motions, such as seeking an extension of time to respond to a complaint or a stay in the proceedings while coordination efforts proceed before the JPML. Experienced outside counsel will have relationships with strong local counsel in most of the jurisdictions where cases are typically filed and can quickly vet and engage local counsel in any other jurisdictions.

4. Defend Against Jockeying by Certain Plaintiffs’ Counsel

Many data breach class actions are filed by repeat players: a set of plaintiffs’ counsel that has been part of most major data breach cases. These lawyers know that the cases will eventually be consolidated, so they do not push to litigate every case. Instead, they file one or more cases as quickly as they can and count on their experience in prior data breach cases to convince the court to appoint them as sole or among several “lead” counsel who control the plaintiffs’ side of the litigation.

But some plaintiffs’ attorneys will go against the grain. They will file ex parte motions regarding document preservation or discovery soon after they file their clients’ lawsuits to try to put themselves in a position to seek appointment as lead counsel in the consolidated action because their clients’ cases are further along.

Most judges see through this gamesmanship and deny attempts to push particular cases forward. Outside counsel will have to be prepared to fight these battles, even with the plaintiffs’ attorneys’ low likelihood of success.

5. Expect to Wait for the Cases to Be Consolidated

The JPML determines whether cases filed in federal court will be consolidated for pre-trial purposes in a multi-district litigation (MDL). The JPML only sits every other month, and 60 to 120 days may pass before it rules on consolidation. Once granted, the JPML typically assigns the MDL to a federal judge, often in a district where the company’s principal place of business is located.

After the JPML assigns the MDL, the clerks of the districts where the original cases were filed send the dockets for the lawsuits. Typically, the assigned judge holds an initial case management conference a month or two after the assignment. At this conference, counsel discuss the timing for appointing lead plaintiffs’ counsel in the MDL (usually 45 to 60 days from the conference), as well as the timeframe for the plaintiffs to file a consolidated complaint (usually 30 to 60 days after the court appoints lead plaintiffs’ counsel).

In practice, six to ten months (or more) may elapse between the initial complaint and the filing of a consolidated complaint in the MDL proceeding, which kicks off the litigation of plaintiffs’ claims. Use this period to strengthen internal coordination, refine defenses, and maintain insurer engagement.

6. In the Meantime, Keep Insurers Updated

Unless self-insured, most companies have cyber insurance covering data breach litigation. Policies generally require prompt notice and ongoing updates of case developments.

The company’s internal risk management team or in-house counsel should notify the insurer about all lawsuits in a timely manner. An open and continuous dialogue, preferably via virtual meetings or phone calls, regarding the lawsuits and litigation strategy will help the insurer understand why the company proposes a particular approach. It will also benefit the company if it wants to consider settlement by providing opportunities for the insurer to understand the strengths and weaknesses of the company’s defenses.

7. Finally, Keep Calm

Data breach litigation can be expensive and distracting, but it need not derail operations. By staying calm, focusing on core business and remediation, and trusting your outside counsel to guide the litigation fallout, you can efficiently and effectively manage the initial steps in data breach class action litigation. Preparation and perspective are as critical as strategy.