Cybersecurity Class Actions: Protecting Individual Rights in the Digital Age

In 2021, the Internet Crime Complaint Center (IC3) received a record number of data breach complaints from the American public. This represents a 7% increase from the previous year, with potential losses exceeding $6.9 billion.¹ This surge in data breaches highlights the need for a legal mechanism that can effectively protect the rights of impacted individuals. Class actions have proved an effective legal instrument in addressing the issue of data breaches, providing a means for individuals to seek compensation for the harm suffered.

Class actions provide several benefits in the context of data breaches. These include procedural efficiency and economy. Consolidating the similar claims of numerous individuals can preclude the risk of contradictory decisions, which can create confusion and result in conflicting outcomes for similarly impacted parties.²

The primary objective of class actions in data breach cases is to obtain monetary damages for the impacted individuals. This requires proof of both actual and future damages. Class actions are the only legal instrument capable of effectively addressing the growing problem of massive data breaches. The calculation of damages in these cases can be a significant challenge, as the harm suffered by individual plaintiffs may vary significantly and be difficult to quantify. Additionally, proving future damages requires demonstrating a causal link between the breach and future harm, which can be challenging to establish with certainty.³

The standing theory of liability in cybersecurity class actions relies on the legal principle that establishes the right of an individual or a group of individuals to bring a damages lawsuit to court. Further, in cybersecurity class actions, standing refers to the requirement that plaintiffs prove a concrete injury directly resulting from a defendant’s alleged wrongful conduct. The standing principle is an interpretation of Article III of the American Constitution, and its requirement serves to prevent frivolous lawsuits.⁴

The Supreme Court created a three-part test to determine standing. First, a plaintiff must suffer an “injury in fact,” meaning an injury to a legally protected interest that is (a) concrete and particularized and (b) actual or imminent. Second, one must establish a causal connection between the injury and the conduct brought before the court. Finally, there must be a reasonable, non-speculative likelihood that a favorable decision by the court will redress the injury.⁵

This test makes it almost impossible to prove the existence of the heightened standard of proven damages in cybersecurity class actions, even when damages are palpably evident.

It is imperative to delve into the critical aspects of damages, including future damages. These actions pose unique challenges for plaintiffs, as they must demonstrate quantifiable harm directly attributable to a data breach or other cybersecurity incident. Exploring the intricacies of proving these damages becomes paramount in understanding the complexities plaintiffs face in these lawsuits.

In many cases, the injury is intangible and may not result in a direct monetary loss. For example, a data breach may expose sensitive personal information, such as a Social Security number or credit card information, leading to potential identity theft or financial fraud. While these harms can have severe and long-lasting consequences, they may be difficult to quantify and prove in court.

¹ Paul Abbate, Federal Bureau of Investigation Internet Crime Report 2021, https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (“In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Among the 2021 complaints received, ransomware, business e-mail compromise (BEC) schemes, and the criminal use of cryptocurrency are among the top incidents reported. In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4

COMPARATIVE PERSPECTIVE] 25 (Revista dos Tribunais (2007).

³ In re Yahoo! Inc. Customer Data Sec. Breach Litig., Case No. 16-MD-02752-LHK, 28 (N.D. Cal. Jul. 22, 2020); (““Estimates of what constitutes a fair settlement figure are tempered by factors such as the risk of losing at trial, the expense of litigating the case, and the expected delay in recovery (often measured in years).” Browne, 2010 WL 9499072, at *12. Thus, “[t]he fact that a proposed settlement may only amount to a fraction of the potential recovery does not, in and of itself, mean that the proposed settlement is grossly inadequate and should be disapproved.” Linney, 151 F.3d at 1242 (internal quotation marks omitted). Additionally, these objectors do not account for the fact that the Settlement Fund does not constitute all of the relief to the Settlement Class”).

⁴ Cass R. Sunstein, What’s Standing After Lujan? Of Citizen Suits, “Injuries,” and Article III, 91 Mich. L. Rev. 163, 166 (1992). (“Lujan holds that the requirement of an “injury in fact” is a limitation on congressional power; but an “injury in fact,” as the Court understands it, is neither a necessary nor a sufficient condition for standing. The relevant question is instead whether the law — governing statutes, the Constitution, or federal common law — has conferred on the plaintiffs a cause of action”).

⁵ TransUnion LLC v. Ramirez, 210 L. Ed. 2d 568, 141 S. Ct. 2190, 2203 (2021). (“[T]o establish standing, a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” Id. (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992))).

