Data breach class action filings and settlement amounts surged in 2023, but a 2021 US Supreme Court decision has kept plaintiffs’ success rates low.
A report published by law firm Duane Morris this month analysed 2023 federal and state court filings across various practice areas including data breaches and data privacy.
According to the law firm, 1,320 data breach class actions were filed in 2023 – more than double the 604 filed in 2022. Litigants filed 44.5 data breach class actions on average each month from January to August 2023, compared to the 20.6 per month averaged in 2022.
Duane Morris said the uptick was accelerated by the 2023 MOVEit cyberattack. The filings were also fueled by greater public disclosure regarding data breaches, Duane Morris partner Jerry Maatman Jr. told GDR.
“You see a much more informed public – much more informed users of the internet that are keen and know all that's going on in this space,” he said.
Their awareness appears to be paying off. According to the report, the top 10 data breach settlements finalised in 2023 came to $515.75 million. In contrast, the top 10 data breach class actions finalised in 2022 secured only $350 million.
But last year wasn’t all gloom and doom for corporate defendants. Despite the large amount of data breach class actions filed, courts only certified 14% of cases in 2023.
Maatman noted data breach class actions’ class certification success rates pale in comparison to other practice areas. Indeed, Duane Morris found that 72% of class certification motions were granted in 2023 across all major class action areas – such as antitrust, product liability and Family and Medical Leave Act cases.
Maatman said courts have dismissed data breach class actions for failing to allege injury in the wake of 2021’s TransUnion v Ramirez US Supreme Court decision.
In addition to breach class actions, 2023 also saw an increase in privacy class action settlements. According to Duane Morris, the top 10 privacy settlements finalised in 2023 totalled $1.32 billion, with In Re Facebook Inc. Consumer Privacy User Profile Litigation's $725 million topping that list and Epic Games’ $245 million settlement with the FTC at a distant second.
Privacy class actions’ momentum is likely to grow, according to Duane Morris’ report. The report predicts that plaintiff-friendly state court decisions involving Illinois’ Biometric Information Privacy Act (BIPA) will fuel further privacy class actions.
In January 2023, for instance, plaintiffs filed 28 lawsuits alleging BIPA violations in Illinois state and federal courts. In March 2023 alone – a month after the Illinois Supreme Court issued two separate decisions in February 2023 that a BIPA claim accrues each time entities collect or disclose biometrics and ruling that BIPA has a five-year statute of limitations – 77 BIPA class actions were filed, according to Duane Morris’ report.
But BIPA isn’t the only privacy law companies should be worried about. Video Privacy Protection Act (VPPA) class actions are still common, despite taking a slight dip in 2023. In 2023, 137 class actions were filed arguing that federal law was violated; 150 were filed in 2022 and 69 in 2021.
The VPPA claims are usually sandwiched with states’ wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act and the Florida Security of Communications Act and other laws that prohibit unauthorised electronic communications.