cybersecurity

Supreme Court Declines to Take Up Circuit Split on Whether Courts May Grant Class Certification by Averaging Different Class Member Damages

Practice area:

On April 29, 2024, the Supreme Court issued an Order List indicating that certiorari had been denied in Brinker International, Inc. v. Steinmetz, Docket No. 23-648.

The Eleventh Circuit Brinker Decision

Brinker was a July 2023 Eleventh Circuit decision affirming class certification and holding that class members’ exposure of their payment information to the dark web was sufficient harm to establish standing in a data breach case. The Eleventh Circuit set forth an expansive view of when data breaches can create Article III constitutional standing to support class action certification. The case arose from a 2018 attack on Chili’s restaurant computer systems, after which hackers posted stolen customer credit card data to an online marketplace for stolen information on the dark web. The Eleventh Circuit held that class members who alleged their credit card information was exposed for sale on the dark web had satisfied the “actual misuse” standard for sufficient

New England Cybersecurity and Data Privacy Class Action Filings Soar in 2023

Practice area:

Earlier in 2023, we launched our New England and First Circuit Class Action Tracker, as a tool to analyze class action litigation trends in Massachusetts, Maine, New Hampshire, and Rhode Island. In July, we updated our tracker to include data through the second quarter of 2023. A review of new filings submitted during that latest quarter reinforces the trends that we recently observed in our client alert on the enforcement of U.S. Consumer Data Privacy laws through private litigation. Namely, we are seeing record-high levels of data privacy and cybersecurity class action filings, particularly in Massachusetts courts, in the first half of 2023.

Data privacy and cybersecurity class action suits continue to represent the largest share of annual class action filings in New England to date. Although the healthcare sector continues to represent the largest share of defendants, other sectors, such as tech, retail and manufacturing, and financial and professional services industries are also experiencing high rates of cybersecurity and data

First Circuit Revives Data Breach Class Action Claims in Webb v. Injured Workers Pharmacy, LLC

Practice area:

Courts and class action counsel have been considering what kinds of injuries can confer standing to pursue federal claims following the Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, which held that the defendants’ alleged actions that “deprived [plaintiffs] of their right to receive information in the format required by statute” was not sufficient to establish a concrete injury necessary to bring a claim. Ever since the TransUnion decision, the question of what is sufficient injury has been reverberating throughout the lower courts and reaching federal courts of appeal.

The First Circuit has now confronted that question on multiple occasions, including its 2022 decision in Laufer v. Acheson (now on appeal to the Supreme Court) that held “dignitary harm” from discrimination was sufficient, along with allegations of “frustration and humiliation” to confer standing on a serial plaintiff who is a website accessibility tester. For more on Laufer,

District of Massachusetts Dismisses Data Breach Class Action for Lack of Injury

Practice area:

On October 18, 2022, in Webb v. Injured Workers Pharmacy, LLC, the District of Massachusetts dismissed a class action complaint brought by former pharmacy patients alleging that their sensitive personal information had been exposed in a data breach affecting more than 75,000 customers. In its analysis, the court determined that the named plaintiffs and putative class members could not satisfy the injury-in-fact requirement for constitutional standing. Plaintiffs Webb and Charley had claimed the breach caused “anxiety, sleep disruption, stress, and fear” and cost them “considerable time and effort” monitoring their accounts.

The court rejected these factual allegations as an insufficient basis to confer constitutional standing under Article III:

The Complaint does not sufficiently allege that the breach caused any identifiable harm. It is only alleged that Webb and Charley spent “considerable time and effort” monitoring their accounts and, in Webb’s case, dealing with the IRS. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based