In recent years, plaintiff class actions lawyers have shifted their focus in cybersecurity cases from pleading federal claims to asserting claims under state law of residents of all 50 states. However, this potentially raises class certification issues that make these claims difficult for plaintiff to succeed on. How should one prosecute them? How should one defend them? How could one plead and prove that the plaintiffs were injured because of the breach? All these questions were debated strongly, litigated in various courts on a one-off basis, and were the result of several court opinions on their potential merits. The recoveries were slim. The plaintiffs’ chances for success? Mediocre at best even for the big ones.
Things have significantly changed over the years, especially for defendants. For instance, Statutory Article III standing, once a big issue, is now less of an issue in some courts. Cybersecurity class actions have now graduated elementary school, beginning November 2017 with one of the first national cybersecurity class actions brought by residents of all 50 states. “The complaint is an ambitious 322-page document that names plaintiffs from every state and the District of Columbia who claim to have been injured to varying degrees by the Equifax security breach.” See Tara Swaminatha, “Equifax now hit with a rare 50-state class-action lawsuit,” CSO Online (Nov. 22, 2017).
