An Update on Data Breach Litigation: Trends in Multidistrict Litigation

Photo Credit: https://www.forbes.com/sites/steveandriole/2019/07/30/the-capital-one-data-breach-is-no-exception-why-we-can-expect-many-many-more/#ab9831bfc48b

By: Nick Jackson
Managing Editor, American Journal of Trial Advocacy

Data breaches are becoming the “new normal” in American society. Once “headline” news, major data breaches are no longer the rarity that they once were. Today, data breaches occur on a small scale nearly every day across the United States. In fact, since 2005, more than 4,500 data breaches have been made public.[1] However, this statistic only addresses breaches that have been made public and not every single breach that has occurred.[2] The latest statistics are even more concerning and demonstrate that data breaches are on the rise.[3] For example, in 2017 alone, nearly 1,579 data breaches were reported.[4] Following this increase in the number of data breaches, litigation involving the breaches is increasing at a steady pace as well.

In what used to be considered an anomaly, data breach lawsuits are now being filed almost the instant that news of a breach becomes public. For example, on July 29, 2019, Capital One first disclosed a data breach that compromised the personal information of more than 100 million people.[5] The next day, on July 30, 2019, the law firm of Morgan and Morgan filed a lawsuit in “the United States District Court for the Eastern District of Virginia on behalf of the millions of consumers affected by the breach.”[6] Dozens of similar lawsuits would eventually follow.[7] Today, dozens of lawsuits being filed in response to a breach is not a rarity. For example, in November 2018, Marriott revealed that it had suffered a massive data breach affecting the personal information of up to 500 million customers.[8] Subsequently, nearly 70 related actions were filed in response to the announcement.[9] In comparison, in 2016, a mere 14 related actions were filed in response to a breach affecting the personal information of nearly 500 million Yahoo! customers.[10]

Statistics show that there has been a drastic increase in data breach litigation in recent years, particularly in the area of multidistrict litigation (“MDL”).[11]  Regardless of the cause of this increase, the impact is clear: data breach litigation is on the rise, and judicial efficiency is an ever-constant problem for the administration of litigation that impacts a large number of individuals.  The solution for this problem has become evident: centralizing the actions under 28 U.S.C. § 1407.  For example, at the time of the writing of this article, 15 MDLs were pending in the areas of data breach and consumer privacy.[12]  

Data breach litigation typically is presented in the form of a class action due to the large number of plaintiffs that are generally involved and the “limitations in the damages they can collect.”[13] 28 U.S.C. § 1407 states that the centralization of civil actions with common issues is appropriate upon the determination that centralization will serve “the convenience of parties and witnesses and will promote the just and efficient conduct of such actions.”[14] With data breaches often encompassing the entire nation, centralization under Section 1407 is often the only way to efficiently manage litigation stemming from large data breaches. At the time the Judicial Panel on Multidistrict Litigation (“JPML”) centralized the litigation stemming from the Marriott data breach, the litigation was comprised of nearly 70 lawsuits.[15] In centralizing the matter under 28 U.S.C. § 1407, the JPML held, “[c]entralization will eliminate duplicative discovery, prevent inconsistent pretrial rulings on class certification and other issues, and conserve the resources of the parties, their counsel, and the judiciary.”[16]

Centralization is not always the ultimate result in data breach litigation, and in reality, only a small number of the thousands of breaches that occur every year get centralized into an MDL.[17] However, it can certainly be said that most large data breaches are eventually centralized for pretrial proceedings under Section 1407. For example, in In re Capital One Customer Data Security Breach Litigation, In re Marriott International, Inc., Customer Data Security Breach Litigation, In re Yahoo! Inc. Customer Data Security Breach Litigation, and In re: Target Corp. Customer Data Security Breach Litigation, the JPML noted that in each matter, litigation was pending in numerous districts across the country.[18] Yet, it is important to note that a “large” data breach does not necessarily automatically point to centralization. Although the JPML has not specifically pointed to the difference between a “large” data breach and “large” amounts of litigation, the court has made a distinction nonetheless.

Historically, data breaches with a large number of actions pending in various districts are typically centralized.[19]  However, in In re First American Financial Corporation Customer Data Security Breach Litigation,[20] the JPML denied centralization of a “large” data breach.[21]  In denying centralization, the JPML noted Plaintiffs’ allegations of a data breach impacting individuals nationwide.[22]  In fact, data security analysts estimate that First American’s data breach exposed nearly 885 million consumer files.[23]  However, the JPML pointed to the size of the litigation finding there were “a relatively small number of actions in this controversy, and most are pending in a single district.”[24]  In denying centralization, the JPML held that “centralization under Section 1407 should be the last solution after considered review of all other options.”[25]  The JPML continued to hold that conventional transfer was more appropriate and that “[e]ven if the pending transfer motion does not eliminate the multidistrict character of this litigation, voluntary cooperation and coordination among the small number of involved courts appears eminently feasible.”[26] 

From In re First American, one may draw a simple conclusion: the size of the data breach is not determinative in deciding whether centralization is appropriate; however, the size of the litigation is.  In all, the First American data breach was massive to say the least.  In coming to its conclusion, the JPML noted the allegations that First American’s data breach affected millions of consumers and “resulted in the exposure of approximately 885 million records related to mortgage deals dating back sixteen years.”[27]  The JPML further noted that the personal information allegedly exposed was comprised of “names, bank account numbers, bank account statements, mortgage records, tax records, Social Security numbers, wire transaction receipts, drivers’ license images, and other personal financial information.”[28]  

The First American breach was extensive, and in all, it was much larger than many of the other data breach matters that the JPML has decided to centralize.  In fact, in In re 21st Century Oncology Customer Data Security Breach Litigation,[29] the JPML centralized a data breach involving a mere two million consumers.[30] However, at the time of centralization, sixteen actions were pending in three districts across the country.[31]  A key distinction can be made between the JPML’s decisions in In re 21st Century and in In re First American.  Although the First American breach was much larger, the litigation that resulted was not.  

The number of data breaches in the United States will likely continue to rise.  Similarly, the litigation that results from these breaches will likely continue to rise as well.  The centralization of these matters is likely, but the fate of every piece of litigation will not necessarily be the same.  Although the JPML has yet to explicitly recognize the distinction between large data breaches and the size of litigation, it does not necessarily have to.  In all, Section 1407’s purpose remains the same: to serve the convenience of the parties and witnesses and to promote the just and efficient conduct of such actions.[32]  Centralizing a large data breach does not necessarily promote this purpose; however, centralizing numerous matters across various districts does.  Thus, the number of actions pending and the locations of these actions should be extremely influential factors in a party’s determination of whether to seek centralization under Section 1407.  It remains true that large breaches are often centralized; however, the JPML’s determination does not turn on the size of the breach, alone.  Instead, the JPML’s determination likely turns on more conventional centralization factors such as eliminating “duplicative discovery,” preventing “inconsistent pretrial rulings on class certification and other issues,” and conserving “the resources of the parties, their counsel, and the judiciary.”[33] 


[1] Juliana De Groot, The History of Data Breaches, Digital Guardian: DataInsider Blog (Oct. 24, 2019), https://digitalguardian.com/blog/history-data-breaches.

[2] Id.

[3] Id.

[4] Id.

[5] AJ Dellinger, Capital One Hit With Class-Action Lawsuit Following Massive Data Breach, Forbes (July 30, 2019, 10:30 P.M.) https://www.forbes.com/sites/ajdellinger/2019/07/30/capital-one-hit-with-class-action-lawsuit-following-massive-data-breach/#63be2cb06b1a.

[6] Id.

[7] See, e.g., In re Capital One Customer Data Sec. Breach Litig., 396 F. Supp. 3d 1364, 1364 (J.P.M.L. 2019).

[8] Kate O’Flaherty, Marriott CEO Reveals New Details About Mega Breach, Forbes (Mar. 11, 2019, 05:45 A.M.) https://www.forbes.com/sites/kateoflahertyuk/2019/03/11/marriott-ceo-reveals-new-details-about-mega-breach/#56e7b0ae155c.

[9] In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 363 F. Supp. 3d 1372, 1373 (J.P.M.L. 2019).

[10] In re Yahoo! Inc. Customer Data Sec. Breach Litig., 223 F. Supp. 3d 1353, 1354 (J.P.M.L. 2016).

[11] See Alan Rothman, And Now a Word from the Panel: 4 MDL Lessons at 40, Mondaq (July 29, 2019), http://www.mondaq.com/unitedstates/x/830948/trials+appeals+compensation/And+Now+A+Word+From+The+Panel+4+MDL+Lessons+At+40 (“A growth category is data breach and privacy MDLs . . . .”).

[12] MDL Statistics Report—Docket Type Summary, JPML (Nov. 19, 2019) https://www.jpml.uscourts.gov/sites/jpml/files/Pending_MDLs_%20by_Type-November-19-2019.pdf.

[13] Bianca Karim, Cause of Action for Breach of Data Security for Consumers’ Information, 85 Causes of Action 2d 635 (Oct. 2019).

[14] 28 U.S.C.A. § 1407(a) (West 2020).

[15] In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 363 F. Supp. 3d 1372, 1373 (J.P.M.L. 2019).

[16] Id. at 1374.

[17] See Dan Rafter, 2019 Data Breaches: 4 Billion Records Breached So Far, Norton https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html (last visited Jan. 26, 2020) (stating there were 3,800 publicly disclosed breaches in the first half of 2019); see also MDL Statistics Report—Docket Type Summary, supra at note 12 (stating there are 15 pending MDLs relating to data security or consumer privacy).

[18] In re Capital One Customer Data Sec. Breach Litig., 396 F. Supp. 3d 1364, 1364 (J.P.M.L. 2019); In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 363 F. Supp. 3d 1372, 1373 (J.P.M.L. 2019); In re Yahoo! Inc. Customer Data Sec. Breach Litig., 223 F. Supp. 3d 1353, 1354 (J.P.M.L. 2016); In re: Target Corp. Customer Data Sec. Breach Litig., 11 F. Supp. 3d 1338, 1338 (J.P.M.L. 2014).

[19] In re Capital One Customer Data Sec. Breach Litig., 396 F. Supp. 3d 1364, 1364 (J.P.M.L. 2019); In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 363 F. Supp. 3d 1372, 1373 (J.P.M.L. 2019); In re Yahoo! Inc. Customer Data Sec. Breach Litig., 223 F. Supp. 3d 1353, 1354 (J.P.M.L. 2016); In re: Target Corp. Customer Data Sec. Breach Litig., 11 F. Supp. 3d 1338, 1338 (J.P.M.L. 2014).

[20] 396 F. Supp. 3d 1372 (J.P.M.L. 2019) (mem.).

[21] Id. at 1374.

[22] Id. at 1372-73.

[23] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records, Krebs on Sec. (May 24, 2019), https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/.

[24] In re First American Fin. Corp. Customer Data Sec. Breach Litig., 396 F. Supp. 3d at 1373.

[25] Id. (internal quotations omitted) (quoting In re Best Buy Co. Inc., Cali. Song-Beverly Credit Card Litig., 804 F. Supp. 2d 1376, 1378 (J.P.M.L. 2011)).

[26] Id.

[27] Id.

[28] Id.

[29] 214 F. Supp. 3d 1357 (J.P.M.L. 2016).

[30] Id. at 1358.

[31] Id. at 1357-58.

[32] 28 U.S.C.A. § 1407(a) (West 2020).

[33] In re Capital One Customer Data Sec. Breach Litig., 396 F. Supp. 3d at 1365. 
