Emerging Issues in Data Breach and Privacy Regulation Class Actions
In a 2018 survey of over 400 general counsel, their direct reports, and chief legal officers, roughly 30% identified data privacy and security as the next significant wave of class action litigation. See The 2018 Carlton Fields Class Action Survey at 9. There are two basic types of class actions at play: “data breach” and “data privacy regulation.”
In the typical data breach case, a malign third party exploits a security vulnerability and steals data. Common breaches include network hacks, exposed networks, nation-state attacks, insider attacks, cyber-espionage, and lost or stolen data devices. The stolen data is then used for identity fraud, held for ransom, appropriated for competitive advantage, or exploited for intelligence-gathering purposes. Plaintiffs claim that the target company acted negligently, engaged in unfair business practices, fraud or misrepresentation, and/or breached its contract by failing to take reasonable measures to secure personal identifying information (“PII”), respond promptly to system breaches, and provide timely notification to protect against identity theft and associated losses.
In contrast, data privacy regulation cases do not necessarily involve third-party theft, nor are they based on tort or contract claims. Instead, data privacy claims are based on mere technical violations of consumer protection regulations governing the collection, handling, and use of PII.
Depending on the type of case, plaintiffs may include consumers, insureds, employees, business partners, and financial service firms. The damages and other equitable relief obtained can be substantial, as can awards of attorneys’ fees under consumer protection statutes. Courts are still grappling with how to deal with the resulting lawsuits. We highlight some of the emerging issues in the federal cases involving jurisdiction, mandatory arbitration provisions, pleading sufficiency, discovery privileges, class certification and settlement.