On May 3, Judge Grimm of the U.S. District Court for the District of Maryland issued a class certification decision in a consumer data breach multidistrict litigation case against an international hotel and resort management company, becoming one of the few district courts to certify Rule 23(b)(3) classes in this type of case. The litigation arises out of a data breach of one of the company’s guest reservation databases that allegedly exposed guests’ reservation details, contact information, and some payment information. The decision granted in part and denied in part the plaintiffs’ motion for class certification.

The court denied certification of a state data breach notification statute class because the asserted damages were not tied to the plaintiffs’ damages theory. It also denied certification of injunctive and declaratory relief classes because the plaintiffs failed to describe the contours of their requested relief and because the record showed that there was no continuing risk of future data breaches.

Along with the decision on class certification, the court also rejected the plaintiffs’ experts’ damages methodology supporting their “loss of market value of PII” theory. As a result, the court denied certification of damages classes premised on that theory. Thus, plaintiffs’ only remaining damages claims were based on overpayment for hotel stays, statutory damages, and nominal damages.

As to this remaining theory, the court certified multiple state-specific Rule 23(b)(3) damages classes for the plaintiffs’ contract and statutory claims, but substantially modified and narrowed the classes in a few important ways.

1. First, the court narrowed the damages classes to include only those class members who were members of the hotel’s “preferred guest” program, resulting in all class members having identical contractual relationships with the defendant. This was necessary because all of the representative plaintiffs were members of the “preferred guest” program, and the unique affirmative defenses applicable to them rendered them atypical of other class members.

2. Second, the court narrowed the classes to only those guests who bore the economic burden for a hotel stay since the plaintiffs’ damages theory relied in part on overpayment for each stay.

Regarding the implied Rule 23 element of ascertainability, the court found that the proposed classes were ascertainable because the single database that was exposed in the data breach contained the names and contact information for virtually all of the class members. The court concluded any gaps could be filled through objective, “mechanical” review of available additional records, the details of which were not set out in the order.

The court also certified Rule 23(c)(4) issues classes for the elements of duty and breach for the plaintiffs’ negligence claims. Importantly, though, the court based its decision that issues classes would materially advance the efficiency of the litigation largely on the fact that the court was already certifying 23(b)(3) damages classes that would require litigation of many of the same factual questions. At the same time, the court refused to certify an issues class on causation because significant individualized causation issues were raised by evidence that several plaintiffs’ information had already been exposed in prior data breaches.

Takeaways

As one of the few district court decisions to certify damages classes in a consumer data breach case, the opinion and its analysis of Rule 23 is noteworthy. The court’s recognition that unique affirmative defenses rendered the plaintiffs atypical of certain class members, its rejection of the plaintiffs’ loss of market value of PII damages methodology, and its recognition that the exposure of the class members’ data in prior data breaches raises significant individualized issues of causation are particularly notable, as these same issues often arise in analogous consumer data breach cases.

Under Rule 23(f), the defendants may petition the Fourth Circuit for permission to appeal this certification decision. Troutman Pepper will continue to monitor and report on developments in this case and consumer data breach cases generally.