Massive Increase in Data Breaches Prompts Rise in Related Lawsuits, Lawyers Say
The surge in data breach lawsuits is a result of the rise in breaches and plaintiffs’ lawyers determining that such litigation is a lucrative space, said Jackson Lewis attorneys in a podcast Thursday. Courts are also helping make these suits easier to bring, and speed counts, they added.
“Breaches ... [are] not slowing down,” said John Harris, a lawyer who defends companies in privacy class-action litigation. “They're picking up, if anything, and there's more and more opportunity for plaintiffs to file lawsuits over” data breaches.
Damon Silver, another Jackson Lewis privacy lawyer, noted that in 2021, around 300 data breach class actions were filed. "In 2022, that jumped to 600. That number more than doubled, to 1300 in 2023, and last year we were up to 1500," he said.
Also contributing to the rise in breach-related lawsuits is that courts have a low bar for what it means to have suffered an injury and obtain standing to bring a case, Harris said. Negligence is often a key claim in the suits, along with implied contract claims, unjust enrichment and common law claims, among others, he noted.
Accordingly, when approaching breach lawsuits, attorneys will often ask, “What was the state of the client's [data privacy] program at the time of the breach?” said Silver.
Usually, within a week or two of data breach notifications being sent to impacted consumers, the first lawsuit will be filed, and then it’s a clown car, Harris said. “If you get to the courthouse first, your slice of the cake is bigger, and so you're racing to get there as soon as possible.”
As such, privacy law compliance is "not just a matter of checking the box. It really is going to have downstream impact if you are unfortunate enough to end up in one of these litigations,” Silver said. Accordingly, Harris said, companies should take extra precautions around safeguarding data.
One example of the rapidity of lawsuits taking shape after breach notifications are sent is the Healthcare Services Group (HSGI) incident. On Monday, the health care firm began notifying impacted individuals of a 2024 data breach that leaked personal information. Just days later, on Thursday, Philadelphia-based law firm Edelson Lechtzin announced it was investigating the breach on behalf of victims.
A sample notification letter from HSGI said that on October 7, 2024, it "learned of potential unauthorized access to certain HSGI computer systems,” and “quickly took steps to secure its computer systems and began an investigation to determine the nature and scope of the activity.”
“The investigation determined that an unauthorized actor may have accessed and copied certain files on HSGI’s computer systems between September 27, 2024, and October 3, 2024,” the letter added. An “extensive review of the involved files” was conducted, and determined that certain personal information was present in the impacted files, including Social Security number, driver’s license number, state identification number, financial account information and full access credentials.
The letter was specific to Maine residents, as it was attached to the report from that state’s attorney general’s office from Monday. It said that 3,871 of the total 624,496 individuals affected were Maine residents.
Vermont’s AG reported the breach Monday as well, with a sample notification letter that HSGI crafted for that state's residents attached. The Texas OAG also reported the breach Tuesday, and noted 82,280 Texans were impacted.