Class Certification Trends in Consumer Data Breach Litigation—Individualized Damages Theories May Preclude Certification

K&L Gates LLP
Contact

In the last two years, there has been a proliferation of class action lawsuits filed in response to high-profile data breaches compromising the personally identifiable information of customers of various companies. Major corporations including Target, Coca-Cola, and Michaels have all fallen victim to such suits. In many cases, a single data breach event has spawned dozens of class action lawsuits (for example, Target, at one point, faced over 100 such suits in a number of jurisdictions, which have since been consolidated in an MDL).

Although a number of class actions in the data-breach context have been filed, there have been relatively few class certification decisions at this point. However, as the pending cases make their way to the class certification stage, two recent decisions may prove useful for defendants in attempting to defeat class certification—principally, on the basis of Federal Rule of Civil Procedure 23(b)(3)’s “predominance” requirement. That is, In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21 (D. Me. 2013) and Comcast v. Behrend, 133 S.Ct. 1426 (2013), suggest that class certification may be difficult in certain types of data breach cases due to the existence of individualized damages issues, which may undercut the predominance of common questions necessary to pursue a class action.

Individualized Issues Pertaining to Damages in Data Breach Cases Predominate over Common Questions
As with any other federal class action seeking monetary relief, to obtain class certification in a data breach case, the named plaintiffs bear the burden of showing that the prerequisites of Federal Rule of Civil Procedure 23(a)—numerosity, commonality, typicality, and adequacy—are satisfied. Additionally, under Rule 23(b)(3), the representative plaintiffs must provide evidentiary proof that “questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class actions is superior to other available methods for fairly and efficiently adjudicating the controversy.”

Notably, in at least one recent data breach case that has reached the certification stage— In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.—the court denied class certification because the plaintiffs failed to satisfy the “predominance” requirement of Rule 23(b)(3).

In Hannaford, customers of a grocery store filed suit after their credit and debit card information was allegedly stolen. The plaintiffs moved to certify a class to pursue claims for fees to obtain new cards, fees paid to expedite delivery of new cards, and fees paid for identity theft insurance and credit monitoring. In declining to certify a class, the court noted that, although questions relating to the company’s conduct were common to the class, the actual effect the data breach had on “particular cardholders (for example, whether their particular accounts suffered fraudulent charges or not) and the actual mitigating steps they took and the costs they incurred” varied considerably. The court held that the plaintiffs’ failure to present any expert testimony demonstrating that the damages incurred by the putative class could be calculated on a classwide basis was fatal to the certification question. Without such proof, the court explained that proving damages would require a “trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”

The court’s decision in Hannaford presaged the United States Supreme Court’s decision in Comcast Corp. v. Behrend,issued only one week later, which held that individualized damages issues preclude class certification under Rule 23(b). In that case, the Court held that an antitrust class should not have been certified because the plaintiffs’ damages model fell “far short of establishing that damages [were] capable of measurement on a classwide basis.” The Court explained that without a sound methodology for determining damages across the class, the predominance requirement is not satisfied, as “[q]uestions of individual damage calculations will inevitably overwhelm questions common to the class.” The Court further held that courts must rigorously analyze any proposed method for measuring damages to ensure the inferences it draws are just, reasonable, and not speculative; and that courts cannot defer this examination on the ground that it pertains to the merits. The plaintiffs’ model, which improperly “assumed the validity” of the plaintiffs’ theories, did not meet this exacting standard.[1]

The important takeaway from these decisions with respect to data breach actions is that, even if the named plaintiff can establish he or she was injured by the breach (which is often difficult in and of itself), individual variations in the damages suffered by the putative class members may be enough to defeat certification. For example, determining whether and to what extent a specific class member was injured by the breach would require an investigation into:

  • Whether that class member’s personal information was actually accessed;
  • Whether the class member’s personal information was used to make fraudulent charges; and
  • Whether the class member took steps to prevent against fraud following the breach.

Additionally, in some data breach class actions, plaintiffs allege an injury of emotional distress. This type of claim would potentially be even more susceptible to an argument that individual inquiries predominate because it would require an examination into the mental state of each class member.

Purely Statutory Damages Claims May Also Be Difficult to Pursue on a Classwide Basis
In some data breach class actions, plaintiffs have brought causes of action under federal and state statutes (such as unfair trade practices statutes), and have limited their requested recovery to a statutory damage amount (e.g., $500 per violation). The facial appeal to such cases is the ability to evade the predominance difficulties associated with cases like Hannaford, where the type of damage claim is linked to the actual harm suffered by plaintiffs.

Nonetheless, depending on the statutes at issue, plaintiffs may still have a difficult time certifying classes that seek purely statutory damages amounts. This is so because some statutes require a showing of actual injury or loss by a plaintiff in order to trigger a claim for even the statutory amount. See, e.g., In re Barnes & Noble, No. 12-8617 (N.D. Ill. Sept. 13, 2013) (holding in a data breach case that “Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”). Thus, while seeking only statutory damages may help eliminate issues about the amount of damages that can be awarded, such a strategy would not eliminate all individualized issues, if the statutes at issue still require a showing of particularized harm or loss, which may not be susceptible to classwide proof.

While there is a dearth of case law in the data breach context at the class certification stage, companies facing statutory claims should monitor how the law develops.

Conclusion
After Hannaford and Comcast, certification of a class in data breach actions is a significant hurdle for plaintiffs. Because the calculation of damages will often present questions that cannot be resolved by reference to a single body of common evidence, courts may find that class certification is inappropriate. Companies facing class action exposure for data breaches should monitor how other courts apply Hannaford and Comcast at the class certification stage. They should also monitor how the law on certification develops with respect to claims seeking only statutory damages.

Notes:
[1] Indeed, in non-data breach cases, many defendants have been successful in defeating certification based on ComcastSee, e.g., Lanovaz v. Twinings N. Am., Inc., No. 12-02646, 2014 WL 1652338, at *5 (N.D. Cal. Apr. 24, 2014) (denying certification in false advertising case brought against a manufacturer of tea where plaintiff did “not present any damages model capable of estimating the price premium attributable to Twinings’ [allegedly misleading] antioxidant labels”); Turnbow v. Life Partners, Inc., No. 3:11-cv-1030, 2013 WL 3479884, at *17 (N.D. Tex. July 9, 2013) (plaintiffs would “have to present evidence, policy by policy, to prove that a longer expectance would have resulted in lower purchase prices.… The Court is unconvinced that Plaintiffs’ proposed damages calculus represents an accurate approximation of any single class member’s contractual damages.  Numerous factors that affect the amount of damages, if any, to any given class member are not accounted for in [the expert’s] formula.”); Roach v. T.L. Canon Corp., No. 3:10-cv-0591, 2013 WL 1316452, at *3 (N.D.N.Y. Mar. 29, 2013) (denying certification in a wage and hour case where “a demanding and rigorous analysis of the evidentiary proof on [plaintiffs’] claim does not yield a finding that damages are capable of measurement on a classwide basis. Rather, Plaintiffs’ proof that some employees, on various occasions, were denied their 10-hour spread payments indicates that damages in this putative class are in fact highly individualized.”). These decisions may provide additional support for defeating class certification in data breach cases.

 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP
Contact
more
less

K&L Gates LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide