The global pandemic has affected everything. COVID-19 is not just grinding trials to a halt and foreclosing live, in-person judicial proceedings, it has changed the class action litigation landscape, including data breach class actions. I recently had the opportunity to discuss the pandemic’s impact on data breach class actions with Daniel Raymond, a cyber & tech claims manager based in Beazley’s Chicago office.
SOLOVE: Before we get into the details, can you briefly describe what you mean by data breach class actions?
RAYMOND: A class action refers to a lawsuit brought on behalf of a large number of people initiated by a few individuals who act as representatives of the group. So, when I refer to a data breach class action, I am talking about a lawsuit brought by a few representative individuals on behalf of a class of people who claim to have suffered harm as a result of a data breach. Consumer class action lawsuits following a data breach have become routine with lawsuits filed after every major and not-so-major report of a cyber incident or data breach.
SOLOVE: Has the pandemic resulted in fewer data breach class actions being filed?
RAYMOND: It is hard to say. According to Lex Machina, a leading information provider and pioneer in delivering legal insights and research solutions, there were about 100 fewer federal data breach class action filings in 2020 compared to 2019. But, filings of federal data breach class actions are volatile year-over-year. For instance, Lex Machina accounts for 155 filings in 2016, 581 filings in 2017, and then the number of filings drops to about 264 filings in 2018. It is, therefore, hard to conclude that there are fewer filings in 2020 because of the pandemic. Regardless, federal consumer class actions filings in 2020 are down— so it is not surprising this trend is reflected in data breach class action filings.
Even though fewer data breach class actions have been filed, data breach class actions appear to account for a higher percentage of consumer class actions filed during the pandemic. For instance, a recent Law360 article analyzed all consumer class action complaints filed in October of 2020. See Jessica Miller et al, The State of Consumer Class Actions Amid Covid-19 (Dec. 2, 2020). According to that article, there were only 148 class action complaints filed in October compared to 290 filed in October of 2019. But, notably, of all class action complaints filed in October, a significant number (8%) were data breach class actions.
SOLOVE: What about resolving data breach class actions? Has the pandemic made it harder to resolve these cases?
RAYMOND: Data breach class actions, being relatively easy to litigate remotely, are still moving through the court systems although a little slower than pre-pandemic rates. Before the pandemic, around 50% of data breach class actions ended within 140 days, according to Lex Machina. In 2020, around 50% of data breach class actions ended within around 260 days. The same pattern holds true for the median time it takes for a case to be dismissed after a contested motion. In 2020, it took a median of around 240 days for a case to be dismissed after a contested motion. Data breach class actions are still moving through the court systems but at a little slower pace— much like everything else from 2020 (and 2021).
SOLOVE: Most data breach class actions are either won through contested motion or settled, right?
RAYMOND: Yes, that is correct. Most are won after contested motion to dismiss or settled. Only a handful (around 8) out of around 2,600 federal data breach class actions had a contested class certification motion decided by a judge.
SOLOVE: Can you explain what a class settlement entails?
RAYMOND: The Federal Rules of Civil Procedure require that a court review the settlement and find that a proper class exists and that the settlement is fundamentally fair, adequate, and reasonable. The hard look required by the federal rules makes sense considering that only a few are bringing action on behalf of many, and a settlement on behalf of the class forecloses the rights of many.
Also, since class settlement funds are going to many, the settlement has to spell out the method by which the settlement funds are distributed to the class. Of relevance here are two common types of settlements: common-fund and claims-made settlements. In a common-fund settlement, claiming class members receive shares of the fund based on an agreed upon formula and the costs of administrating the settlement and attorneys’ fees come from the same fixed fund. In a claims-made settlement, the defendant agrees to pay all valid claims—and the parties then agree on what is a valid claim and the amount that class members can claim. Settlement costs and attorneys’ fees are paid separate from any class compensation in a claims-made settlement.
Common-fund settlements provide certainty—a defendant (and/or the insurer) knows the financial quantum of the fund—and that is all that is required. Claims-made settlements are less certain as the payments to the class depend on how many individuals make a claim. Claims-made settlements have grown in popularity as a means to provide redress for those class members able to demonstrate actual harm, rather than paying pennies on the dollar to every potential class member.
SOLOVE: What are the challenges in settling a data breach class action during a pandemic?
RAYMOND: The biggest challenges are with time and attention. Court closures and slowdowns are impacting the speed by which courts approve and finalize settlements. Other challenges include client attention and resource. There is no question that the pandemic understandably shifted priorities within organizations—especially among healthcare entities.
Mediations also play a significant role in class action settlements. With in-person mediations off the table, the parties have had to adjust to virtual mediations, which come with their own virtual conference challenges.
SOLOVE: Have you seen any new trends in data breach class action settlements during COVID-19?
RAYMOND: At the beginning of the pandemic, the assumption was that people would make more claims. This is important for a claims-made settlement since the compensation paid to the class is not certain. Instead, the compensation paid to the class depends on how many class members make valid claims. The number of class members that make valid claims is known as the claims rate. Typically, in consumer class actions, the claims rate is between 1-5%. Data breach class action settlements trend to 1-3%.
There was a real concern that the pandemic would drive claims rates drastically higher, resulting in much higher compensation paid to the class than expected when the class action settled.
So far, this concern has not panned out. The claims rate for data breach class action settlements have not changed. For example, the chart below includes the claim rates, size, and type of case for a few pre-pandemic and post-pandemic data breach class actions. In the end, the claim rates reflected what was expected given the type of case and compensation offered to the class.
It is not all good news though, as the number of non-valid and fraudulent claims have increased. Although non-valid claims and fraudulent claims do not impact the claim rate, they do increase the cost of administering the class action. To keep these costs down, it is critical to be clear in the settlement what a valid claim is and make it as easy as possible to dispose of non-valid and fraudulent claims. Defendants and insurers are wise to consider caps on the costs of settlement administration as well.
SOLOVE: Any final thoughts on what the lasting impact of the pandemic will be on class action litigation?
RAYMOND: I’ll leave you with three takeaways:
First, data breach class actions will remain popular among the plaintiffs’ bar. Given state statutory notification and publication requirements, data breaches are easy for plaintiffs’ attorneys to identify, find representative plaintiffs, and then file a class action complaint. It is also becoming more difficult for defendants to win these cases outright on a motion to dismiss, increasing the chances of settlement.
Second, we will continue to see a proliferation of plaintiffs’ firms enter the data breach class action space with increasingly creative arguments and novel approaches.
Finally, virtual mediations and court hearings are here to stay.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals.