How Courts are Responding to the Rise of Data Breach Class Action Suits

Francesca-Castagnola

Francesca Castagnola

August 14, 2019

Learn More About Grand Merchant Settlement Services

As the proliferation of cybercrime continues unabated—with an estimated two million cyber attacks resulting in more than $45 billion in losses worldwide in 2018—the explosive growth of data-privacy class action suits will continue as well, along with the complexity and size of that litigation.

In response, U.S. courts are instituting new rules aimed at establishing efficiencies en route to resolving these massive claims. Those rules have significant implications for attorneys seeking settlement approval in data-privacy cases, and meeting their standards will require heightened due diligence throughout the litigation process—and after cases are settled.

A brief overview of the new rules — and how best to approach them

In December of last year, amendments to Federal Rule of Civil Procedure 23, which governs class actions, took effect. Understanding these changes is crucial, as they already reflect current practice in several U.S. districts and will likely accelerate several related trends.

The amendments focused on four issues—here’s an overview of each, and some tips for managing with them successfully.

Authorization of electronic notice

Courts have historically mandated notice via direct mail — an expensive method that, nowadays, is inconsistent with the way people receive information. As such, the new rule now authorizes electronic notice and expands the definition of the term “electronic” to include everything from banner ads to text messages to email and social media.

This shift is especially important given the sheer size and scope of data privacy cases — cases whose victims may not have experienced a tangible (or even monetary) impact, and who thus may require more encouragement to get involved.

Uniformity in the settlement process

While largely consistent with existing practice, the amendments also now provide new, express and uniform instructions on the proper procedures and substantive assessments courts must implement when considering whether to grant preliminary and final approval of class action settlements.

To prevent parties from spending time and money notifying a class that the court is ultimately unlikely to approve, the new rule requires parties seeking preliminary approval to demonstrate that the proposed settlement will likely be granted final approval.

As for final approval, the amended Rule 23 compels courts to consider five specific factors: adequate representation of the class, arm’s length negotiation, methods of delivering relief, the equitability of class members and identification of any agreements made in connection with the proposal.

These new criteria have several significant implications for attorneys. Importantly, given the added stakes of preliminary approval, counsel must treat the first hearing before the court as if it were the last. To meet the new standards at this hearing, the declaration of a plaintiff’s lawyer will no longer suffice—especially in complex data-privacy cases, technical experts should be brought in early to articulate not only liability evidence but also damage analysis.

Proving the effectiveness of any proposed method of delivering relief also poses a challenge in data privacy cases. After all, we may know what was exfiltrated, but we don’t know how it necessarily impacted the class—a set of plaintiffs that can number in the millions. Carefully comparing the settlements reached in like cases, including claim rates and distribution methods, should be a best practice.

Curbing unwanted objections, and new appeal standards

The final two issues addressed in the Rule 23 amendments involve efforts to curb unwanted objections (by clarifying new standards for what must be included in an objection) and changes to the appeal process (by forbidding an appeal of approval of notice and by extending time to file against the federal government).

From settlement approval to distribution: How to choose a settlement services provider who can meet new standards

For attorneys hoping to meet the court’s new standards in data privacy cases, cutting corners is no longer an option. The same holds true for decisions made after settlement approval, including settlement services providers.

Here are three qualities to look for in a banking resource.

Security. On the one hand, this means selecting a provider that can protect against the very thing that led to these cases in the first place — does your bank, for instance, have cybersecurity programs? Do they employ encrypted documentation practices? Use cash management services that offer automated fraud detection? On the other hand, security entails ensuring high returns without putting principal at risk. A good settlement services provider will avoid stock or corporate bonds, investing instead in U.S. Treasury Bills or other deposit options with expansive FDIC coverage during escrow — a period that, in data privacy cases, tends to be longer than normal.

Industry experience and expertise. Under the new standards, judges want to know that lawyers are choosing claims administrators and settlement services providers with proven track records. Look for banking resources who understand the entire lifecycle of settlement funds, and make sure they’re comfortable working with different industry-specific stakeholders, from attorneys and claims administrators to special masters and lien release specialists.

Find a true resource—and look to the people. When the stakes are high, attorneys must know they can trust the people they work with. Your settlement services provider should offer a single point of contact who’s responsive to an attorney’s needs. This person should be transparent, up to date on the details of the account and have the experience, flexibility, and authority to develop custom solutions—fast.

Cybercrime won’t stop any time soon, and the class action suits that follow will only grow vaster and more complex. As courts react in kind with higher and higher standards, attorneys must step up their due diligence—both during the settlement approval process, and afterwards.