Quinn Emanuel Urquhart & Sullivan, LLP write, in part:
Companies face yet another major risk after a data breach—one which is increasing exponentially—data breach litigation brought by private plaintiffs, often in the form of class actions brought by sophisticated plaintiffs’ counsel who specialize in such cases. Private civil litigation is now a probability, not a possibility, after a major data breach. 36 major data breach class actions were filed in 2021, a 44% increase from 2020. Private plaintiffs typically race to the courthouse to jockey for position, with complaints now brought on average within four weeks of a breach announcement.
These private actions, had they been pursued a decade earlier, would have faced little prospect of success. Private plaintiffs during the initial wave of data breach litigation struggled to establish standing or successfully plead duty, causation, and damages See, e.g., In re: Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1212 (N.D. Cal. 2014) (noting that “courts in data breach cases regularly” dismiss claims because “increased risk of future harm is insufficient to confer Article III standing”); In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 963-65 (S.D. Cal. 2014) (dismissing negligence claims because “Plaintiffs’ allegations of causation and harm are wholly conclusory” and Plaintiffs “failed to allege a single cognizable injury proximately caused by Sony’s resulting breach”). Their task was complicated by facts that, by their nature, often involve incremental risk and latent harm. In the intervening years, however, the plaintiffs’ bar has developed a series of creative theories that have frequently succeeded in moving data breach actions beyond the pleadings stage. The result is that large settlements of consumer data breach cases are now quite common, with notable recent resolutions involving T-Mobile ($350 million to consumers), Equifax ($380.5 million), Capital One ($190 million), Zoom ($85 million), Hy-Vee ($20 million), and Home Depot ($12.88 million).
This article explores the latest developments in private data breach litigation. We focus first on the challenges that plaintiffs face in establishing standing and damages. The assessment of whether these plaintiffs have suffered a cognizable injury-in-fact (as required for Article III standing) is necessarily intertwined with the type and viability of the harms they allege. Accordingly, we first consider both standing and damages. We then analyze the state-of-the-art claims currently being asserted by plaintiffs and the defenses being deployed by companies in response. Finally, we conclude with a discussion of expected future trends.
Read the article at JDSupra.