New England sees surge in cybersecurity and data privacy class action filings

In 2023, New England has witnessed a significant increase in the number of class action lawsuits related to cybersecurity and data privacy. Massachusetts courts, in particular, have been inundated with record-high levels of such filings. While the healthcare sector remains a primary target for these suits, industries like tech, retail, manufacturing, financial services, and professional services have also experienced a surge in cybersecurity and data privacy class actions.

Two major trends stand out when analyzing these cases. The second quarter of 2023 saw a remarkable phenomenon: a single cyber attack resulted in multiple class action complaints against affected businesses. Out of the eighty actions filed in or transferred to the District of Massachusetts, a staggering twenty-six were connected to five separate cyber attacks on different entities, with three of them operating in the healthcare sector. One major incident involving a prominent Boston-based health insurer led to eleven distinct class action complaints. These related complaints exhibit striking similarities in terms of structure, content, and allegations.

Diverse claims arise in cybersecurity and privacy complaints

The class action complaints arising from these cybersecurity and privacy cases often include claims based on negligence, negligence per se, breach of contract, breach of implied contract, violations of state unfair and deceptive trade practices acts, and breach of third-party beneficiary contract. In some instances, complaints also include less common theories for relief such as unjust enrichment, bailment, and negligent misrepresentation. The lawsuits frequently make references to federal and state regulations, such as the Federal Trade Commission's stance on reasonable cybersecurity measures and the HIPAA Security and Breach Notification Rules. Additionally, industry standards like the NIST Cybersecurity Framework are cited as well, providing guidance for potential defendants regarding the types of claims they may face.

Article III Challenges Surround Alleged Harms in Cybersecurity Cases

One significant challenge faced by plaintiffs in these cybersecurity class actions relates to Article III standing, which requires a concrete and particularized injury. Many courts have been skeptical of considering the costs and time incurred to protect against potential future misuse of compromised personal information as sufficient to establish concrete injury. However, the First Circuit's decision in Webb v. Injured Workers Pharmacy, LLC suggests a changing perspective. The court held that actual misuse of personally identifiable information and lost professional time spent monitoring accounts to protect against future identity theft constitute concrete injuries. This broader interpretation of concrete harm may signal a shift in standing requirements.

Monitoring Ongoing Developments in New England Class Actions

As these cybersecurity and data privacy class actions continue to unfold, it is crucial to monitor further developments in the New England region, particularly within the jurisdiction of the First Circuit. Updates from the third quarter of 2023 will be published in our New England and First Circuit Class Action Tracker. The evolvinglandscape of non-economic harms and preventative expenditures that satisfy Article III standing will undoubtedly impact future cases. Defendants will likely continue to challenge standing based on Article III requirements, leading to fact-specific decisions. Stay informed for further updates on this evolving legal landscape.