One of the main risks for a company in the event of a data breach is the threat of litigation. Data breach litigation continued to proliferate in 2024, as it has in prior years.
In the past year, plaintiffs continued to seek relief following data breaches under state common-law doctrines, and the Alabama Supreme Court joined the other state courts of last resort that have addressed data-breach litigation in published decisions. Federal data breach plaintiffs contended with standing issues in the wake of the Supreme Court's decision in TransUnion LLC v. Ramirez, and an apparent circuit split between the Tenth and Eleventh Circuits deepened when the Third Circuit weighed in. The District of New Jersey also provided further guidance to companies on the scope of the attorney-client privilege when responding to data breaches.
This post examines these trends.
Common-Law Claims For Traditional Data Breaches
More traditional common-law claims (e.g., negligence, breach of contract) based on data breaches were common in 2024, as in prior years. In many instances, such claims survived a motion to dismiss.1
One notable exception is the Alabama Supreme Court's decision in Griggs v. NHS Management.2 In Griggs, the court rejected claims for negligence, negligence per se, invasion of privacy, unjust enrichment, breach of confidence, and breach of fiduciary duty related to a data breach suffered by NHS, a provider of administrative services for nursing homes and physical rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri.3 The court established a high bar for making out invasion of privacy, breach of confidence, and unjust enrichment claims in the traditional data breach litigation context involving hacking by a third party.
- Invasion of privacy. The court stated that the tort of invasion of privacy requires intentional wrongful intrusion into one's private activities, and the fact that "Griggs makes no effort to demonstrate that she alleged that NHS's conduct was intentional" was fatal to her invasion of privacy claim.4 Requiring plaintiffs to show that a data breach victim's conduct was intentional will cause many claims to fail, as most defendants are not acting intentionally when their systems are hacked.
- Breach of confidence. The court stated that a breach of confidence claim requires affirmative disclosure by the defendant and that "theft by a third party is not sufficient."5
- Unjust enrichment. The court stated that "Griggs's allegation that she somehow conferred a benefit on NHS in exchange for data protection is insufficient" and therefore her unjust enrichment claim failed.6 The implication here is that an individual who pays for administrative services related to healthcare is not also paying for the protection of their data by the provider.
It is important to note, however, that aspects of the decision suggest that future data breach claims filed in Alabama may receive more favorable treatment. Justice Shaw wrote separately, for example, to note that, although Griggs waived the issue, he would be open to finding a duty for purposes of a negligence action in a future case.7 It is quite possible future data breach claims filed in Alabama will receive more favorable treatment.
Concrete Injuries Sufficient to Confer Standing
Like all federal plaintiffs, plaintiffs in federal data breach suits must satisfy Article III's standing requirement, which requires an injury in fact that is both traceable to the defendant and redressable by the relief sought. In 2021, the Supreme Court in TransUnion clarified that a risk of future harm stemming from disclosure of a data-breach plaintiff's personal information does not alone support standing to sue for damages.8 Instead, plaintiffs must identify an actual, concrete injury. Throughout 2024, federal courts continued to grapple with what types of concrete harm are sufficient to confer standing for damages...