As Data Breaches Proliferate, Class Action Law Hustles to Keep Pace


Francesca Castagnola

June 11, 2020

Even before the COVID-19 outbreak, the proliferation of data breaches had left few businesses untouched, forcing the legal system to grapple with a new type of class action – and often to manage the massive amounts of data involved in those matters.

The onset of the global pandemic has created new risks for companies that must now manage cybersecurity with employees suddenly forced to work remotely and hackers moving to take advantage of the inevitable weaknesses created by that unexpected shift.

On March 4, 2020, just before the pandemic forced many U.S. businesses to close their offices, a panel at the Class Action Law Forum, hosted by Western Alliance Bank, Member FDIC, enumerated many of the challenges and developments in data-breach class actions. And on May 19, Western Alliance hosted a webinar featuring further analysis and discussion of issues in mass data-breach litigation.

At the forum and webinar alike, a group of attorneys and claims administrators exchanged insights and perspectives on this fast-growing area of class action law. Here are the highlights of their conversation:

So much data. The massive amounts of data companies generate and collect presents many challenges in class action litigation. The first is in discovery, where parties must establish what is in the defendant’s possession, custody and control. Ariana Tadler, founding partner of Tadler Law Group, emphasized that plaintiff’s counsel does not want all the defendant’s data; they want the data that will help them determine whether the case will succeed, sometimes leading to scenarios where plaintiffs ask courts to limit defendants’ data production.

On the defense side, Jeremy Smith, a partner at Gibson, Dunn & Crutcher, emphasized that the question of what data to produce is especially critical in class-certification decisions, which he considers the equivalent of the trial itself in class actions. And while more and more data-breach cases are reaching the class-certification phase, most that survive motions to dismiss still settle, Kate Baxter-Kauf, Partner at Lockridge Grindal Nauen, said on the webinar. And for those that do reach class certification will be on uncertain ground concerning the key issues of individualized injuries and choice of law; courts remain divided on both of those issues.

Privacy, data integrity, privilege collide. Describing information as “the new oil,” John Yanchunis, a partner at Morgan & Morgan and leader of the firm’s Class Action Department, said courts are seeking to balance plaintiffs’ legitimate discovery needs with the recognition that the information they’re seeking can result in individual identification. That could create privacy issues – and because consumers have grown increasingly aware of privacy risks in sharing their data, Smith said, many often give false names and other misinformation to businesses. That can make it difficult to identify class members and actual harm in a class action proceeding.

Questions of attorney-client privilege can further complicate discovery in data-breach cases, according to Baxter-Kauf. Because defendants often hire outside attorneys to investigate breaches shortly after they happen, but before litigation, they often claim all the attorneys’ findings should be privileged and not subject to discovery. Plaintiffs argue that defendants should anticipate litigation in every data breach – particularly when law enforcement is already involved. Some have argued that states should define and adopt a new, qualified form of privilege specifically for data-breach matters.

CCPA: a game-changer. California’s Consumer Privacy Act, enacted in 2018, has influenced organizations far beyond the state’s borders, because of its broad application to any companies doing business in the Golden State. And by creating a statutory cause of action for data breaches – and thereby relieving plaintiffs of the often-difficult burden of proving actionable harm – the law is a potential game-changer, Michelle Visser of Orrick said on the webinar.

Inside California, the law is creating tension, in part because it creates a private right of action only for data breaches. All other data-privacy matters are to be enforced by the state’s attorney general – but Timothy G. Blood of Blood, Hurst & O’Reardon LLP, pointed out at the Class Action Law Forum that the Attorney General’s office can only handle about three enforcement actions per year.

Settlement administration: keep it simple. Both David Kaufman, Senior Director at Heffler Claims Group, and Aideen Gaffney, Vice President, Class Action & Mass Tort Solutions at Epiq, emphasized the importance of simplifying the claims process in data-breach settlements. Class members in these matters tend to be emotional and angry about having their personal information compromised, so administrators should be careful not to frustrate them further with complex claim forms. Kaufman cited explanatory videos as a best practice for helping class members understand the process. And Gaffney said Epiq has seen take rates jump as high as 10% just by simplifying the claims process.

The COVID-19 outbreak has made getting payments out quickly and accurately even more important. On the webinar, Kaufman noted that many class members are out of work and want to get their proceeds any way they can. Knowing that, and in light of the Post Office’s pandemic-related challenges, using digital payment methods is strongly recommended – and processing claims as quickly as possible should be the focus.

Class Action Law Forum Panel: