Duane Morris Class Action Review - 2023 - Report - Page 31
Rutter’s, the court denied work product protection for the forensic report because the
company’s statement of work with its vendor stated that the overall purpose of the
investigation would be to determine whether unauthorized activity within the system
resulted in the compromise of sensitive data and, if so, to determine the scope of such
compromise. The court found that this language demonstrated that defendant did not
have a “unilateral” belief that litigation would result at the time it requested the report. In
light of these key rulings, 2022 was replete with legal articles, blogs, and webinars on
the topic of how to protect these types of reports in data breach cases, particularly class
actions, where the stakes are often significantly greater.
Finally, corporations suffered setbacks as courts disagreed over the application of the
U.S. Supreme Court’s decision in TransUnion v. Ramirez, et al., 141 S. Ct. 2190 (2021),
to data breach cases. In TransUnion, the Supreme Court ruled that certain putative
class members, who did not have their credit reports shared with third parties, did not
suffer concrete harm and, therefore, lacked standing to sue. Since the decision,
standing has emerged as a key defense to data breach litigation because the plaintiffs
often have difficulty demonstrating that class members suffered concrete harm. Courts,
however, have continued to disagree over the application of TransUnion in the data
breach context and have handed down varying decisions.
Whereas some courts have applied TransUnion strictly and dismissed data breach
cases basing claims on the anticipated risk of future harm, others have allowed such
lawsuits to proceed based on allegations regarding the potential for future harm
(arguably ignoring Ramirez). For example, in Legg, et al. v. Leaders Life Insurance,
2021 U.S. Dist. LEXIS 2322833 (W.D. Okla. Dec. 6, 2021), the court followed Ramirez
and dismissed a data breach class action because plaintiff did not allege that he or any
other class member had been the victim of identity theft or fraud but instead described
his injuries as including an imminent, immediate, and continuing risk of harm from
identity theft and fraud.
On the other hand, the Third Circuit in Clemens, et al. v. ExecuPharm, Inc., 48 F.4th 36
(3d Cir. 2022), took a different approach in analyzing Ramirez, finding that allegations of
future injury in a data breach case will be sufficient for standing if the injury is “certainly
impending” or there is a “substantial risk that harm will occur.” In assessing whether
harm was certainly impending, the Third Circuit examined the facts particular to the
breach such as whether the breach was intentional versus negligent, whether the data
was used (e.g., an attempt to open a bank account), and whether the nature of the data
subjects a plaintiff to risk of identity theft (e.g., social security numbers, birth dates,
names) as opposed to non-identifiable data such as account numbers with no names.
Thus, the Supreme Court decision in Ramirez has not resulted in a bright line rule on
standing in data breach cases, as courts continue to apply different interpretations of
Ramirez when analyzing the particular circumstances surrounding the breach in
assessing the question of standing.
30
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023