What Goes Around Comes Around: The Resurgence of Data Breach Class Actions

Data breach class actions are again on the rise, with a recent report by Lex Machina confirming what many cybersecurity practitioners have seen first-hand over the last two years. The findings also reaffirm longstanding best practices: preparation mitigates cost and improves defenses when victim-organizations are required to defend a class action or regulatory proceeding.

The report shows that 2,040 data breach class actions were filed in 2023—nearly three times the number filed in 2022. The defendants in these matters spanned a range of industries, with financial services and health care companies among the most frequently targeted. These cases also often involve multi-district litigation (MDL), such as the MDL in federal court in Boston that stems from the 2023 cyberattack involving Progress Software’s MOVEit file-transfer software.

The report goes on to list the federal districts with the highest number of consumer class actions, which include data breach matters. The leading districts were the Central District of California (where one of these authors is based), the Middle District of Florida (where the other two authors are based), and the Northern District of Illinois.

Key Takeaways

Invest. Companies are wise to continue to invest in cybersecurity. This includes not only developing a robust cybersecurity program to guard the organization but also a well-designed incident detection and response program, including a playbook, that will help the organization identify, investigate, and respond promptly to a suspected cybersecurity incident. Multiple industry reports, as well as anecdotal evidence, have shown that organizations with an incident response playbook (that has been tested through tabletop exercises) not only mitigate the cost of a data breach but also have better defenses in any litigation or regulatory proceeding.
What’s the Harm? Data breach plaintiffs continue to pursue claims in federal court, despite the (often) absence of injury and the possibility that the case will be dismissed for lack of standing. In this way, the plaintiffs’ bar does not appear deterred by the Supreme Court’s TransUnion decision in 2021, a landmark case for standing in these types of matters. Companies facing a data breach class action in federal court are thus wise to consider, as part of an early case assessment, the prospect of a motion to dismiss that includes an argument that the lead plaintiff does not have standing, depending on the district where the action is brought. Early involvement of outside counsel can also help companies assess the relative pros and cons of engaging in early settlement discussions or filing dispositive motions with state law claims.
Supply Chain Risk. Large-scale attacks often engender significant class action litigation, as was the case with the Progress Software attack and the 2017 Equifax data breach. These attacks—and the litigation that often ensues—pose interesting issues involving duty to third parties, vendor liability, and proof of causation. Both Progress Software and Equifax, as examples, are major parts of the supply chain across multiple industries. These incidents are proof that all organizations need to thoroughly vet their supply chain, regardless of size or reputation. Organizations can start by prioritizing key vendors and working with counsel to analyze the contracts for those vendors. Organizations should also consider insurance coverage for claims that stem from vendor or other third-party breaches.

The bottom line is that investment in cybersecurity preparedness are dollars well spent both from a deterrence and litigation perspective. Tabletop exercises, supply chain risk management, and litigation strategy all play key roles in reducing the impact of data breach class action litigation. Our team at Foley has country-wide experience in preparing, responding, and defending organizations faced with these significant risks.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.