2021 was another year of high activity in the realm of data event and cybersecurity litigations with several noteworthy developments. CPW has been tracking these cases throughout the year. Read on for key trends and what to expect going into 2022.
Recap of Data Breach and Cybersecurity Litigations in 2020
2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come. However, in many ways 2021 litigation trends were congruent with the year prior. Before delving into where we may be headed for this important area of data privacy litigation in 2022, let's do a short recap of where we were at the end of 2020.
Recall that the number of data events in 2020 was more than double that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology. In this instance, correlation equaled causation: as more entities experienced crippling security breaches, the number of data breach litigations filed also increased. There were three trends that marked the cybersecurity landscape that we covered in CPW's 2020 Year in Review:
First, in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there were exceptions). Challenges to a plaintiff's Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.
Second, in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach. The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel. Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.
And third, there were several warning signs that the legal fallout from a data breach can extend to company executives and the board. As just one instance, in 2020 a company's former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.
Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.
Article III Standing in Cybersecurity Class Action Litigations
The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different. Standing under Article III of the U.S. Constitution, in the Supreme Court's oft-repeated phrasing, is an "irreducible constitutional minimum" requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant's conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.
The standing issue that defined 2021 was "speculative future harm." In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information coupled with an increased risk of future harm. In Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), the court found that standing required a concrete and particularized injury that was actual or imminent. The Tsao plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft. In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.
Other courts likewise joined in this skepticism of standing based on speculative future harm. The Central District of Illinois expressed doubt in McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021) whether speculative future harm could confer standing at all. The Middle District of Florida, following Tsao, recommended in Hymes v. Earl Enters. Holdings, 2021 U.S. Dist. LEXIS 26534 (M.D. Fla. Feb. 10, 2021) that approval for a...