Duane Morris Class Action Review - 2023 - Report - Page 30
Trend # 7 – Data Protection Issues Continued To Plague Corporate
Defendants
In 2012, General Keith B. Alexander, former head of the National Security Agency and
U.S. Cyber Command, stated “either you know you’ve been hacked, or you’ve been
hacked and you don’t know you’ve been hacked.” Ten years after that statement, the
number of data breaches continues to rise, costing U.S. businesses millions of dollars.
High profile companies such as Apple, Meta, Twitter, and Samsung have all disclosed
cybersecurity attacks in 2022. Companies that experienced data breaches faced a
convergence of risk factors in 2022 as data protection issues continued to plague
corporate defendants.
Companies that fall victim to such attacks have to contend not only with the significant
costs of responding to the data breach and potential of government fines, but also the
high costs of dealing with high-stakes class action lawsuits. Capital One suffered a
massive data breach in 2019 that involved 80,000 US bank accounts and led to a $190
million settlement that did not reach its claim filing close date until September 2022.
Other notable settlements include the data breach involving 76 million Americans which
led to a settlement of $350 million that received preliminary approval in July 2022, and
the TikTok data breach that impacted nearly a billion users globally and resulted in a
$92 million settlement that received final approval in August 2022.
The settlement of such cases faced hurdles in 2022 as courts increased their scrutiny of
claims rates. Although not every settlement is of astronomical proportions like those
discussed above, many follow a similar structure in that they include injunctive relief and
provide for credit monitoring services along with a claims mechanism. The claims rate
for data breach class lawsuits has been comparatively low, easing the ultimate payout
for the targets of data breach class actions. In Powers, et al. v. Filters Fast, LLC, U.S.
Dist. LEXIS 119148 (W.D. Wash. July 6, 2022), the grounds that the claims rate of
barely 1.0% was suspiciously low. Another example is the historic Anthem data breach
that settled for $115 million. Although the court granted final approval, the overall claims
rate for a class size of nearly 80 million was only 1.7%. See In Re Anthem Data Breach
Litigation, Case No. 15-MD-02617 (N.D. Cal.).
The victims of data breaches also faced hurdles on the internal investigation front as
courts questioned whether data breach forensic reports are protected by the attorneyclient privilege and work product doctrine. In the wake of In Re Capital One Consumer
Data Security Breach Litigation, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25,
2020), Wengui, et al. v. Clark Hill PLC, 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12,
2021), and In Re Rutter’s Data Security Breach Litigation, 2021 U.S. Dist. LEXIS
136220 (E.D. Penn. July 22, 2021), federal courts sounded alarm bells when they
ordered the production of internal forensic reports.
For example, in Clark Hill, the court found that, in addition to sharing the report with
outside and in-house counsel, the company shared the report with members of the
company’s leadership and IT teams, provided a copy to the FBI in response to its
investigation, and used the report for a range of non-litigation purposes. In In Re
29
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023