Data Breach Litigation Explodes in the Last Decade


The tide of litigation from an increasingly frequent form of cybercrime, data breaches, is on the rise in the United States and globally. Data breaches are sector-agnostic, impacting governments, healthcare providers, telecommunications and critical infrastructure players, retailers, tech firms, and many others. In addition to the work of assuaging the public and oversight agencies and dealing with ransom demands and bad press, entities who sustain breaches are increasingly contending with litigation.

A search for pleadings filed in the last ten years involving data breaches or related terminology shows that an average of 1.3 new cases were filed per week, with that figure jumping to 2.3 per week in the last three months.

Searching just for data breach terminology likely does not capture all data breaches, and not all data breaches result in litigation. In 2022, the Identity Theft Resource Center reported that there were 1,802 data breaches. By comparison, a Docket Alarm search shows that 720 new pleadings relating to data breaches were filed last year, some of which were filed about the same breach.

In this article, we take a closer look at trends pertaining to forum and multi-district litigation (MDL), average case length, and which law firms are most frequently involved in data breach cases.

Forum


In the last ten years, the courts that saw the most frequent filings related to data breaches were either the corporate home of companies that experienced data breaches or the district selected to host an MDL.

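| Court | Data Breach/MDL | Year |
| --- | --- | --- |
| SDNY | Saks Incorporated | 2019 |
| SDNY | Morgan Stanley | 2020 |
| SDNY | Warner Music | 2020 |
| SDNY | Waste Management Inc. | 2021 |
| SDNY | Others | |
| D. Or. | Premera Blue Cross MDL | 2015 |
| EDVA | Capital One MDL | 2019 |
| NDGA | Equifax MDL | 2019 |
| EDPA | WaWa Inc. | 2020 |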


One other venue that bears discussion is the Western District of Missouri, where not one but two data breach cases against T-Mobile were consolidated as MDLs. The first concerned a 2021 breach of more than 75 million current, former, and prospective customers’ data. The MDL settled earlier this year for $350 million; Stueve Siegel Hanson LLP, Keller Rohrback L.L.P., and Hausfeld LLP served as interim co-lead counsel, and T-Mobile was represented by Alston & Bird LLP and Spencer Fane LLP.

This month, the same judge, Brian C. Wimes, was tapped to preside over a 2022 data breach impacting approximately half as many customers, according to a Judicial Panel on Multi-district Litigation order issued several weeks ago.

A search of JPML “transfer order” records shows consistent data breach-related orders, varying between one and two per month for the last ten years.

Case Length

For the cases within Docket Alarm Analytics’ sweep, the average case length was about two years and one month.

This figure is perhaps surprisingly low considering the size of these cases. Some implicate millions of Americans and/or entities and state dozens of causes of action in the contract and tort realm, under the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, and other privacy or data-oriented laws.

One interview by TechTarget with plaintiffs’ lawyers indicated that a factor driving early settlement was risk on the part of all litigants. The nascency of the data breach litigation field, the looming (or already present) spectre of bad press for companies that suffer the breaches, and the financial cost of litigating are some of the factors propelling early settlement, the article said.

A JDSupra note by Quinn Emanuel attorneys also pointed out that in recent years, the plaintiffs’ bar has come forward with “a series of creative theories that have frequently succeeded in moving data breach actions beyond the pleadings stage.” In turn, the article said, plaintiffs have been able to secure large settlements without venturing far beyond dismissal proceedings. Some recent settlements include: T-Mobile ($350 million to consumers), Equifax ($380.5 million), Capital One ($190 million), Zoom ($85 million), Hy-Vee ($20 million), and Home Depot ($12.88 million).

Counsel

Looking at the same time frame, the last ten years, a couple of defense firms rose to the top of the list.

In Docket Alarm’s data set, the most-tapped firm, Baker & Hostetler of Cleveland, Ohio, served client Premera Blue Cross in the west coast MDL. Other healthcare-industry clients whom the firm has represented in data breach litigation include Keystone Rural Healthcare and 21st Century Oncology Holdings, the latter of whom also settled a 2016 data breach MDL for $12.5 million.

For plaintiffs, usually consumers impacted by the loss of their “personally identifying information” or PII, the list was characterized by several dominant firms.

Beyond the Data

Encapsulating the universe of data breach litigation by the numbers is admittedly difficult as cases are diffused across state and federal forums and duplicative filings are common. It’s worth noting that nuances aside from data breach frequency and severity may be driving litigation and that data breaches themselves may not be tracking on quite the same, upward trajectory.

For example, according to Baker & Hostetler’s 2022 Data Security Incident Response report, more class action suits are being filed per incident. The report calls the phenomenon a “race to the court house,” and explains that one cause for this trend is the recent publication of two critical class certification rulings, Fero v. Excellus Health Plan, Inc. (2020) and In re Brinker Data Incident Litig. (2021). The report claims that the decisions “are emboldening plaintiffs’ firms, in both the number of their litigation filings and their negotiation tactics during mediations.”

However, in 2021, the Supreme Court issued TransUnion LLC v. Ramirez, a case that narrowed litigants’ ability to obtain class certification for damages based on the theory that demonstration of the risk of future harm can only be used to pursue forward-looking, injunctive relief, not retrospective damages.

There was speculation that the standing decision could cripple data breach cases as they approached class certification, according to a JDSupra article by Locke Lord LLP. Yet, courts handling data breaches “have generally found procedural or substantive ways of distinguishing Ramirez,” the article said.

Despite the ebb and flow of case law, data breach class actions and MDLs have arrived, and as long as major data breaches continue, the litigation does not appear to be going anywhere. Based on Docket Alarm Analytics, trends in venue will likely continue to track the factors outlined above, as will case length, barring major changes of law that trend away from early settlement.