Data breaches made headlines throughout 2024, affecting governments, health care groups, and telecoms. Follow-on litigation has kept pace. Nearly 4,000 class actions involving data privacy issues are estimated to be filed in federal courts by the end of this year.

Growth in litigation meant that 2024 saw legal developments in several areas including standing to sue and web video suits. Increased attention on cybersecurity and privacy incidents unsurprisingly corresponded with active SEC enforcement and derivative suits related to inadequate data security.

Standing Developments

Tracking the increase in litigation, the case law regarding who can bring suit in the wake of a data breach has continued to develop in notable ways.

Standing remains a hurdle many plaintiffs cannot clear because they have not experienced an injury-in-fact. Illustratively, a federal appellate court on the East Coast held this year that disclosure of information to a vendor in possible violation of federal debt collection rules was not enough to give the plaintiff standing. Barclift v. Keystone Credit Servs., 93 F.4th 136, 146 (3rd Cir. 2024). The Third Circuit concluded, in particular, that the plaintiff had not suffered the “humiliation” that normally attends the public-disclosure-of-private-facts cause of action because her debt was communicated to an intermediary for collection, rather than published to the public. Barclift, 93 F.4th at 146. On the West Coast, the absence of a policy required by statute—for example, the absence of a publicly available biometric information retention policy—did not confer standing on a plaintiff who was not uniquely harmed. Zellmer v. Meta Platforms, Inc., 104 F.4th 1117, 1127 (9th Cir. 2024). The Ninth Circuit instead concluded that the duty to have a publicly available policy was owed to the public in general and a mere allegation that the policy was absent, without an additional allegation of particularized harm, was insufficient. Zellmer, 104 F.4th at 1127.

In certain other contexts where there is at least some allegation of present, tangible injury, courts have expressed willingness to reconsider standing, but these are limited and often fact specific. For example, where plaintiffs alleged minimal tangible losses that had already occurred, the Seventh Circuit pushed back on the idea that vanishingly small losses are not a sufficient injury. Alcarez v. Akorn, Inc., 99 F.4th 368, 374 (7th Cir. 2024). We will be monitoring the effect such pushback has on data breach cases going forward.

Web Video Suits

Predictably, most private plaintiffs allege violations of statutes that entitle successful plaintiffs to statutory damages and, often, payment of their attorneys’ fees—the Video Privacy Protection Act, or VPPA, is a prime example. Passed in 1988 in the wake of the revelation of Robert Bork’s video rental history during Supreme Court confirmation hearings, the VPPA has found new application in the internet era.

In general, entities risk liability when they disclose identifying information regarding which of their customers watch which of their videos. Often that occurs when videos are linked to targeted ads. It is all too easy to unwittingly run afoul of video privacy rules: A company need not be in the business of providing audiovisual products to be at risk. Hosting tracked video and offering subscription-based “goods or services” may be sufficient basis for a suit even when the two are not linked from a business perspective. Salazar v. Nat’l Basketball Ass’n, No. 23-1147 (2d Cir. Oct. 15, 2024); Aldana v. GameStop, Inc., No. 22-CV-7063-LTS (S.D.N.Y. Feb. 21, 2024). Recently, the Second Circuit held that a newsletter recipient is a “subscriber of goods and services” for purposes of the VPPA even when the newsletter and the tracked video content were entirely separate. Salazar, No. 23-1147 (2d Cir. Oct. 15, 2024). Businesses should also be wary of relying on consumer consent in the tracked video context. At early stages of litigation, it is not an ironclad defense provided there are factual disputes over the nature and legal effect of the consent. Pileggi v. Wash. Newspaper Publ’g Co., Civil Action 23-345 (BAH), at *14 (D.D.C. Jan. 29, 2024).

Data Security at Public Companies

The SEC continued to shape the litigation landscape on cybersecurity issues in 2024. In June, it updated its guidance on reporting cybersecurity incidents. Among other updates, the SEC clarified that a registrant must file an Item 1.05 Form 8-K within four business days of determining a cybersecurity incident is material; delay is only permitted if the Attorney General notifies the registrant in writing that disclosure would jeopardize public safety or national security before the four business days are up. The resulting increase in cybersecurity disclosures has already led to multiple court cases. Then, in October 2024, the SEC brought charges against four companies for allegedly making materially misleading cybersecurity disclosures. In one instance, an entity allegedly reported cybersecurity risks in “hypothetical” terms despite knowing that confidential information had already been exfiltrated. In another, the SEC alleged that an entity “minimized the compromise and omitted material facts known to [] personnel” in its reporting. Continued attention to properly framing cybersecurity risks in disclosures will be important throughout the rest of 2024 and into 2025. As the Acting Chief of the SEC’s Crypto Assets and Cyber Unit put it: “Downplaying the extent of a material cybersecurity breach is a bad strategy.”

Derivative suits related to questionable data practices have also percolated through the courts this year. In Harper v. Sievert, for instance, shareholders challenged the implementation of an allegedly insecure data structure at a telecommunications company. Harper v. Sievert, C. A. 2022-0819-SG (Del. Ch. May 31, 2024). The Delaware Chancery Court found that the telecoms company’s board did not disloyally disregard data security risks, in turn rendering the failure of the shareholder to submit a litigation demand fatal to the suit. Id. at 21. That disposition underscores that boards may avoid derivative liability by monitoring the business-specific risks and benefits of data structure options. Id. at *21. Failure to do so invites litigation, especially if a business touts its expertise in securing data, avoiding data breach is “mission critical,” or the data storage decision was made by a controlling corporate parent. Ont. Provincial Council of Carpenters’ Pension Tr. Fund v. Walton, 294 A.3d 65, 85-86 (Del. Ch. 2023). In each of those situations, a suit alleging failure to properly oversee data security risks is more likely to survive a motion to dismiss. Id.

Looking Forward to 2025

Looking back, 2024 made clear that privacy and cybersecurity litigation is not going away. Private plaintiffs continue to pursue novel class action strategies, sometimes reviving statutes meant to apply outside the digital context. And the SEC and shareholders pay more attention to privacy and cybersecurity incidents than ever. The data privacy and cybersecurity team will continue to track these areas throughout 2025. We also will continue tracking the litigation risk posed by new state-level legislation. Up until now, the sweeping expansion in state-level comprehensive privacy rules has not affected the volume of privacy litigation as significantly as other laws, primarily because only California’s rules provide private plaintiffs the right to sue for violations (and then only in limited circumstances). That may change in 2025. Active privacy bills in Massachusetts and Michigan could provide private parties the right to sue for violations. That would mark a sea change in the litigation risk non-compliant businesses face. Should those bills pass, retaining privacy counsel and considering data protection proactively will be more important than ever.
