January 24, 2024 Feature

Court-Appointed Neutrals Can Help Address Challenges in Complex Cybersecurity Litigation

By Lucy L. Thomson

The dramatic increase in data breaches and attacks on critical infrastructure, the ever-growing complexity of emerging technology, and the Supreme Court’s stringent class action standing and certification requirements are creating challenges for the courts. Cybersecurity experts who serve as court-appointed neutrals (what Fed. R. Civ. P. 53 refers to as “masters”) can assist courts at every stage of the complex proceedings in class action data breach cases. They can provide recommendations regarding the technical aspects of the cases, assist courts with the certification of class actions, and oversee e-discovery and the implementation of appropriate relief. Without intending to be exhaustive, this article provides examples of how neutrals can serve in numerous ways to help judges manage the complex issues in cybersecurity litigation and make these significant, multifaceted cases fairer, more efficient, less expensive, and easier for the courts to manage and decide.

Cybersecurity Attacks on the Rise and Resulting Harm

Over the past two decades, data breaches have occurred with alarming frequency. Many involve the theft of, or unauthorized access to, highly sensitive personal and financial data and medical records of many millions of consumers and patients. Data breaches are often the result of lax security practices by companies and government agencies, with devastating consequences for the individual victims whose data were stolen.

Organizations that collect, use, and store large amounts of personally identifiable information (PII) or IP and strategic business data of high value to criminals have become prime targets of attacks by state-sponsored hackers and overseas organized crime. Alerts from law enforcement in the United States and globally have warned of dangerous, sophisticated attacks by state actors and cybercriminals that are threatening the security of companies, health care providers, financial institutions, government agencies, and critical infrastructure. The Intelligence Community’s (IC) 2023 Annual Threat Assessment identifies prominent cyber adversaries—nation-states Russia, China, North Korea, and Iran—as well as terrorist groups and cybercriminals.

With high-level government and private sector concern about the proliferation of cyberattacks, an entire field of specialized cybersecurity expertise has developed that the courts can and should draw on to ensure that the analysis of and remedies in data breach cases are consistent with well-accepted security standards and best practices.

Overall, the number of personal records exposed in data breaches since 2005 is now more than a half billion. The largest data breaches—spanning the financial, health care, retail, technology, and government sectors—illustrate the heightened risk to millions of individuals when large datasets of sensitive personal information are compromised.

Data breaches can harm both individuals and institutions. Ransomware and phishing attacks, now the most common causes of data breaches, have resulted in enormous harm to individuals whose personal and financial data and medical records have been stolen. A ransomware attack can make information systems unavailable and enable attackers to exfiltrate sensitive personal data and IP. Hackers are pursuing an aggressive, multipronged strategy, often called double extortion: they encrypt network files to make them unavailable, post stolen company and client data on the dark web or leak it more broadly to the world, and at the same time demand payment both to restore access to the data and information systems and to refrain from publicly releasing the stolen data.

Data such as credit card details, purchase histories, and names and addresses can be all the information criminals need to carry out identity theft. They may also stockpile personal data over time, increasing their ability to use the data for financial gain. When hackers obtain personal data and health insurance information, they can obtain a medical procedure or test in the patient’s name, use the information to buy prescription drugs and medical equipment, or make fraudulent insurance claims. Health care data are highly sensitive, and, when compromised, may lead to faulty treatment, resulting in fatal or irreversible losses to patients. The breach of genetic data is particularly harmful to individuals because it cannot be changed or replaced like a credit card, and it can be misused continuously.

The schemes by which hackers exploit vulnerabilities to gain access to networks and systems are complex and difficult to detect and understand. A neutral who knows how data breach investigations are conducted would be able to assist the court and the parties in sorting out the facts and could provide a simplified explanation of the issues by illustrating them in a visual such as this:

[Figure: Simplifying a data breach investigation (Anatomy of a Data Breach)]

Complex Technology Challenges for the Courts

Many judges may not have the requisite knowledge or background in information technology to efficiently evaluate the issues in data breach class actions—knowledge that a neutral can provide to conserve scarce judicial resources and advance the litigation.

Technology, including the emergence of artificial intelligence, is advancing at a rapid pace. The convergence of information technology and physical operations in which computers control a broad array of consumer and industrial devices and systems presents new security concerns for organizations. It is predicted that by 2025, more than 30 billion devices will be connected to the internet and to each other. The Internet of Things (IoT) and smart systems, in which companies use AI in robotics to automate smart homes, streamline industrial work, and transform defense and aerospace, represent some recent innovations.

Outsourcing is a business trend with serious security implications as cyberattacks resulting in breaches of third-party business partners and vendors have increased. Organizations interconnect their networks electronically for a variety of purposes ranging from information technology (IT), finance, accounting, and human resources to procurement, contract management, data analytics, and investigations. Cybercriminals have targeted vendors who have access to a larger organization’s information or a business that holds the valuable information of multiple organizations. These entities may have fewer security measures than the organizations they serve.

Exploitation of software flaws is a longstanding attack method. Hackers have exploited vulnerabilities in key software products to steal personal information, client data, and IP. The year 2022 saw significant vulnerabilities that made headlines and affected a wide range of systems and devices, including web servers, collaboration platforms, office software, and network devices.

A neutral with both cybersecurity and litigation expertise can help the court make sense of these complex technology challenges.

Data Breach Class Actions

Often after a data breach is disclosed, it is only a matter of days before class action lawsuits are filed and government regulatory investigations begin. Most data breach cases involve causes of action for negligence and fraud, false advertising, unfair or deceptive trade practices, unjust enrichment, breach of contract, breach of warranty, breach of fiduciary duty, and invasion of privacy.

The lawsuits generally allege that the breach was foreseeable, the defendant was aware of the risk, the breach could have been prevented if the defendant had appropriate security measures in place, and the defendant failed to follow federal and state laws and regulations that require reasonable and appropriate security.

Data breach cases can range from a few thousand class members to hundreds of millions. A review of the number of records impacted in some of the largest data breach cases provides a look into the daunting scope of this work:

Company (sector, year)                                                                        Records impacted
First American Financial Corporation, title insurance and real estate services (2019)         885,000,000
Marriott International, hotels and resorts (2020)                                             530,000,000
Capital One, financial services (2019); $190 million class action settlement (Feb. 2022)      206,115,615
Zynga Corp., online games (2019)                                                              200,000,000
Equifax, credit bureau (2017)                                                                 148,000,000
Evite, social planning and e-invitations (2019); data put up for sale on the dark web (Apr. 2019)   101,000,000
TJX Stores, retail (2017)                                                                     100,000,000
Anthem Blue Cross Blue Shield, health insurance (2015)                                         78,800,000
Source: PrivacyRights.org

Focusing on recent cases, a total of 408 million records were breached in 2022. Financial services and health care are now the most often attacked industry sectors. The number of records impacted in 10 of the largest data breaches in 2022 ranged from 16 million to 69 million.

A neutral’s knowledge of legal requirements and litigation, as well as expertise in IT, could be useful to the court from the very outset of the case. In complex class action cases involving a large number of plaintiffs, a neutral can be helpful in setting the parameters of discovery and organizing and evaluating vast amounts of data. The use of a neutral to manage e-discovery can assist in controlling costs and provide a mechanism for resolving disputes.

For example, a cybersecurity neutral could be asked to meet with the parties in advance of the first pretrial conference to establish a process to identify relevant information they will need to evaluate the case and facilitate efficient resolution of the issues. A neutral can help the parties agree on how to handle assertions of privilege, evaluate options for technologically assisted review to obtain information at reasonable cost, consider whether they can save on hosting costs by maintaining a common database (with blind access for each of the parties), and determine where the information is located, how it can be obtained, and in what format. The neutral can help manage discovery so that requests are not repeated numerous times, depositions are taken once for all parties, and schedules are coordinated. A neutral can oversee the development of protocols that govern the exchange and maintenance of discovery to ensure that court records and personal information of class members are maintained securely.

Alternatively, neutrals can serve as advisors to the court, providing impartial review of and comment on the parties' expert reports, or meeting with experts from both sides and issuing an independent report.

Navigating Standing and Class Certification Requirements

The Supreme Court's stringent requirements for standing and class certification in federal cases create several hurdles for the courts in data breach class actions. Meeting them may require, at an early stage of the litigation, a potentially time-consuming examination of the injuries each plaintiff suffered, including an assessment of the complex technology involved in the breach and how it failed to protect the sensitive data of class members. These are all matters on which a neutral could assist the court, both with the technical questions and with administering aspects of the class action that would be impractical for the court to handle itself.

Article III Standing

To establish standing to sue in federal court under Article III of the U.S. Constitution, a plaintiff must show, among other things, that they suffered concrete injury that is actual or imminent, not conjectural or hypothetical.

In TransUnion LLC v. Ramirez, a statutory damages case under the Fair Credit Reporting Act, the Supreme Court reaffirmed the principle from Spokeo v. Robins that courts must "[a]ssess . . . whether the asserted harm has a 'close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts—such as physical harm, monetary harm, or various intangible harms including (as relevant here) reputational harm." The Court concluded that the mere risk of future harm, standing alone, cannot supply the basis for standing in a suit for damages. Further, under the TransUnion standard, every class member must have Article III standing to recover individual damages, not just a subset of the class.

Prior to the Supreme Court's TransUnion decision, the circuit courts were split on whether the risk of a future injury after a data breach was sufficient to confer Article III standing. The Second Circuit, in a decision issued shortly before TransUnion, offered a framework that may resolve much of that question.

In McMorris v. Carlos Lopez & Associates, LLC, the Second Circuit determined in April 2021 that plaintiffs can establish injury in fact under an increased risk theory, provided the plaintiffs can allege sufficient facts to meet this three-factor test:

  1. whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;
  2. whether any portion of the [compromised] dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
  3. whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

The Eleventh Circuit cited the McMorris decision favorably when holding that “the allegations of some Plaintiffs that they have suffered injuries resulting from actual identity theft support the sufficiency of all Plaintiffs’ allegations that they face a risk of identity theft.”

Lower courts have suggested that the evidence required to show standing may be dependent on the stage of litigation. Thus, in future data breach cases, courts must decide at what stage of the litigation standing will need to be established: At the pleadings stage? At class certification? After class certification? At trial?

Further, in TransUnion the Supreme Court expressly left open "the distinct question whether every class member must demonstrate standing before a court certifies a class."

Irrespective of the standard a court may wish to employ to establish Article III standing, a neutral could assist the court by establishing a process to determine the nature and extent of the harm suffered by individual class members. A neutral could effectively manage the high volume of data as businesses and governments continue to gather more and more highly sensitive personal information, often without the individuals’ knowledge or consent. Valuable insights can be provided by a neutral about the significance of the information that may have been compromised and how it was used to harm individual plaintiffs.

Class Certification

Fed. R. Civ. P. 23 requires, among other things, that the plaintiff and putative class members satisfy the requirements of commonality and typicality under Rule 23(a) and, for a damages class under Rule 23(b)(3), predominance. District courts will have to determine at, or before, certification which members have suffered a cognizable injury and which have not.

While causation can be a stand-alone basis to challenge a class action, it is frequently part of the commonality or predominance analysis. The question presented to the courts is whether the causation issue is different from one class member to the next, resulting in a series of mini-cases rather than a single issue of causation common to the class. When various legal issues are raised in class certification, a neutral can investigate and document evidence essential to a court certification decision, whereas a court, as a practical matter, may find it difficult or impractical to do so.

Assessing Causation and Establishing Injury and Harm

Key questions courts must address include: What was the cause of the data breach and who is responsible? Were the alleged damages caused by the breach? What is the harm to individual plaintiffs?

People—Process—Technology. Assessing the cause(s) of a data breach requires analysis of the interrelated software and hardware components, as well as the individuals responsible for the system and the processes that govern it.

A neutral can assist a court by making findings of fact where appropriate (subject to court review). A neutral with technology and security expertise would be able to evaluate the data breach—what were the vulnerabilities in the system that permitted the attacker to gain access to the data, what data were stolen, and what injury to the consumers resulted.

Plaintiffs may seek broad discovery of defendants’ electronic data and business records held by the company and third parties and stored on computer systems, websites, and mobile devices, as well as in the cloud. In light of the Supreme Court’s standard that each plaintiff must demonstrate harm from a data breach, a neutral can assist in the management of discovery of a defendant’s electronic files and other documents that could identify harm for individual plaintiffs resulting from a data breach. As technology issues in litigation increase, the use of a neutral to manage e-discovery disputes can be a substantial benefit for the courts.

Assessing Reasonable and Appropriate Security Requirements

The objectives of hackers and cybercriminals are to undermine the three pillars of information security (confidentiality, integrity, and availability): breach the confidentiality of personal records, compromise the integrity of the data, and make critical information systems unavailable. Security violations of this kind are evident in many of the data breaches that have put the most sensitive data of millions of individual victims at risk.

While cybersecurity challenges may seem daunting, existing standards, frameworks, and best practices provide a roadmap that business executives and government officials can follow to reduce the risks substantially. To protect confidential information, organizations must know what data they have, where they reside, their level of sensitivity, and how they are secured. Conducting a risk assessment is an essential first step in making these determinations.

Assessing risk requires organizations to identify their threats and vulnerabilities, the harm they may cause the organization, and the likelihood that adverse events arising from those threats and vulnerabilities may occur. Threats and risks exist with both physical and virtual assets, and because the two are becoming increasingly interconnected, all aspects of the cybersecurity threat must be addressed. The results of the risk assessment provide the basis for the selection of appropriate security controls to protect data and systems. Systems must be continuously monitored to address changes to the threat landscape and the IT infrastructure of the organization.

A neutral can assist the court by providing technical advice on how organizations can conduct risk assessments and remediate breaches when they occur, as well as the steps organizations should take to protect against breaches and prevent them from occurring again in the future.

Analyzing Approaches to Remediation and the Extent of Damages

Data breach cases involve complex remedial issues, in both correcting the problem and determining appropriate monetary relief. Neutrals can help the parties in settlement discussions brainstorm appropriate protections or formulas to use, claims-handling approaches, or remedial measures to attempt to undo the damage from a cyberattack.

A neutral can manage settlement discussions at any stage of the proceeding sought by the parties and, at the appropriate stage, determine damages for individual plaintiffs or pay claims. If a certain sum is set either by agreement of the parties or the court, a neutral can assist by determining the amount of damages of specific class members. A neutral could advise the court as to necessary remedies.

The implementation of relief may require monitoring over a significant period of time. Neutrals can be used to ensure the court’s orders are being implemented, such as appropriate information security remedial measures. A neutral could be employed to monitor compliance by the defendant with any orders, oversee claims administration, or provide a means by which individuals claiming to be victims of a data breach can be heard—a critical part of providing justice.

Court-appointed neutrals with deep technology and cybersecurity expertise are uniquely suited to help judges assess and manage complex technology issues that can arise in data breach litigation. The work of neutrals can help make these significant, multifaceted cases fairer, more efficient, less expensive, and easier for the courts to manage and decide. 

Lucy L. Thomson

Livingston PLLC

Lucy L. Thomson, CISSP, CIPP/US, is the founding principal of Livingston PLLC in Washington, D.C., where she focuses her practice on cybersecurity, global data privacy, and compliance and risk management. She is also the chair of the American Bar Association (ABA) President's Task Force on Law and Artificial Intelligence, past chair of the ABA Science & Technology Law Section, founding member of the ABA Cybersecurity Legal Task Force, and a member of the ABA House of Delegates since 2004.

The material in all ABA publications is copyrighted and may be reprinted by permission only.