This year was an active one for plaintiffs pursuing relief in data breach lawsuits as cybersecurity incidents became an even more regular occurrence.
However, 2022 did not see the US Supreme Court revisit what has developed into a complicated landscape for federal data breach lawsuits following its landmark TransUnion decision in 2021. And in the absence of further clarity regarding the issue of what qualifies as a concrete injury that may be redressed by the federal courts, private litigants in data breach suits will continue to pursue creative theories using traditional common-law claims.
Recent court decisions, however, have indicated that these claims will be met with some skepticism in 2023.
The Standard in the Wake of TransUnion
2022 showed that claimants still face an uneven path in federal court, especially where there’s a question of whether the plaintiff suffered a concrete injury—a requirement to have standing to even bring a claim at all. 2023 is shaping up to be a continuation of a landscape where the federal circuits take a varying, fact-specific approach toward determining who may bring a claim.
The Supreme Court’s 2021 decision in TransUnion v. Ramirez brought some clarity to the issue of what constitutes a concrete injury. It re-emphasized the standard from Spokeo v. Robinson: The harm should have a close relationship to one “traditionally recognized” as providing a basis for a lawsuit in US courts. Damages solely arising from a “bare procedural violation” of a statute aren’t sufficient. The court’s opinion stated that the common-law claims that have traditionally been recognized by the courts—whether alleging tangible (e.g., monetary) or intangible (e.g., invasion of privacy) harms—provide a firmer basis for a data breach lawsuit than a simple failure to comply with necessary data protocols.
However, while these “traditionally recognized” harms are sometimes found in data breach cases, they aren’t always. Since TransUnion, the lower courts’ treatment of claims based on common law shows that some face better odds of surviving defendants’ challenges than others.
Negligence Is Still the Strongest Cause of Action
Plaintiffs’ lawyers have long combined claims like negligence and negligence per se with state and federal statutory claims. The goal, in many cases, has been to hold a defendant accountable for breaches stemming from its failure to properly secure the plaintiffs’ personal information.
In some cases, the claimants fell victim to identity theft following a data breach. But in others, their personal information was merely accessed, with little evidence that it was ever used by a third party. In those cases, plaintiffs have attempted to recover damages for the costs incurred and time spent for things like monitoring their accounts and credit reports.
The TransUnion decision has limited the ability of claims based on more attenuated injuries to survive past the pleading stage. Negligence claims have been dismissed because the alleged injury was too speculative to establish standing. Even where the plaintiff was later the victim of identity theft, courts have thrown out claims due to their inability to establish a nexus between the data breach and the subsequent identity theft. Plaintiffs must establish a logical connection between the two events, showing that the personal information stolen during the breach incident at issue was the same information used to steal their identity rather than from another, unrelated, theft.
However, cases such as McMorris v. Carlos Lopez & Assoc. out of the Second Circuit have shown that some courts are still willing to find that a substantial risk of future harm can be enough to support standing. More recently, the Third Circuit, in Clemens v. ExecuPharm, held that a plaintiff’s substantial risk of identity fraud when her data was stolen and published on the dark web was sufficiently imminent and sufficient to proceed with a negligence claim, as long as they allege that the exposure to that risk caused additional, currently felt concrete harms.
Cases like this show that, even with the TransUnion limitations, negligence still offers the best theory of the case for those claimants that can show that they have suffered an immediate, concrete injury as a direct result of the defendant’s failure to adequately secure their data.
Implied Contracts Can Offer an Additional Pathway
In the absence of a written agreement, contract claims based in equity like unjust enrichment—arguing that a company obtained a benefit from the plaintiff and that it would be inequitable for the company to retain it without paying fair value—can also withstand challenges under certain circumstances.
This type of claim is often pursued as a substitute for an express contract and usually rests on the argument that the plaintiffs conferred a benefit to the defendant with the expectation that they would provide adequate security for their sensitive information.
However, as with other common-law theories, the rules for unjust enrichment vary by state. A Florida trial court’s decision in Allgood v. PaperlessPay Corp., for example, rejected an unjust enrichment claim for failing to adequately identify the monetary or direct benefits conferred on the defendant or to allege that it had knowledge of the benefit and retained it.
However, assuming that the plaintiffs can meet their state’s requirements, complaints based on a theory of implied contract can offer a persuasive argument that the defendant failed to perform its duties to secure the plaintiffs’ personal information.
Invasion of Privacy Is the Steepest Hurdle
The most difficult common-law theory to pursue is one alleging invasion of privacy by publication of private facts. Under that theory, the plaintiff needs to claim that the defendant took an affirmative action to publicize their data (e.g., posting it on a website) and must show that because of the publicity, the information is certain to become public knowledge.
Federal district court cases—like Aponte v. Northeast Radiology in the Southern District of New York in May—show that these claims are difficult because they require an allegation that the plaintiff’s data was improperly accessed by the party defendant instead of a third party. Further, the court in Allgood rejected a similar claim for failing to allege facts suggesting that the defendant intentionally exposed the plaintiffs’ information or caused the breach.
2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims. However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.
Access additional analyses from our Bloomberg Law 2023 series here, covering trends in Litigation, Transactional, ESG & Employment, Technology, and the Future of the Legal Industry.
Bloomberg Law subscribers can find related Practical Guidance documents, tools for keeping track of new laws, and in-depth reference materials on our our Privacy & Data Security Practice Center resource and our Litigation Practical Guidance Library page.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.