15 December 2014

Practice Groups: Commercial Disputes; Cyber Law and Cybersecurity; Class Action Litigation Defense

Class Certification Trends in Consumer Data Breach Litigation—Individualized Damages Theories May Preclude Certification

By Nicholas Ranjan and James P. Angelo

In the last two years, there has been a proliferation of class action lawsuits filed in response to high-profile data breaches compromising the personally identifiable information of customers of various companies. Major corporations including Target, Coca-Cola, and Michaels have all fallen victim to such suits. In many cases, a single data breach event has spawned dozens of class action lawsuits (for example, Target, at one point, faced over 100 such suits in a number of jurisdictions, which have since been consolidated in an MDL).

Although a number of class actions in the data-breach context have been filed, there have been relatively few class certification decisions at this point. However, as the pending cases make their way to the class certification stage, two recent decisions may prove useful for defendants in attempting to defeat class certification—principally, on the basis of Federal Rule of Civil Procedure 23(b)(3)’s “predominance” requirement. That is, In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21 (D. Me. 2013) and Comcast v. Behrend, 133 S.Ct. 1426 (2013), suggest that class certification may be difficult in certain types of data breach cases due to the existence of individualized damages issues, which may undercut the predominance of common questions necessary to pursue a class action.

Individualized Issues Pertaining to Damages in Data Breach Cases Predominate over Common Questions

As with any other federal class action seeking monetary relief, to obtain class certification in a data breach case, the named plaintiffs bear the burden of showing that the prerequisites of Federal Rule of Civil Procedure 23(a)—numerosity, commonality, typicality, and adequacy—are satisfied. Additionally, under Rule 23(b)(3), the representative plaintiffs must provide evidentiary proof that “questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.”

Notably, in at least one recent data breach case that has reached the certification stage—In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.—the court denied class certification because the plaintiffs failed to satisfy the “predominance” requirement of Rule 23(b)(3).

In Hannaford, customers of a grocery store filed suit after their credit and debit card information was allegedly stolen. The plaintiffs moved to certify a class to pursue claims for fees to obtain new cards, fees paid to expedite delivery of new cards, and fees paid for identity theft insurance and credit monitoring. In declining to certify a class, the court noted that, although questions relating to the company’s conduct were common to the class, the actual effect the data breach had on “particular cardholders (for example, whether their particular accounts suffered fraudulent charges or not) and the actual mitigating steps they took and the costs they incurred” varied considerably.
The court held that the plaintiffs’ failure to present any expert testimony demonstrating that the damages incurred by the putative class could be calculated on a classwide basis was fatal to the certification question. Without such proof, the court explained that proving damages would require a “trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”

The court’s decision in Hannaford presaged the United States Supreme Court’s decision in Comcast Corp. v. Behrend, issued only one week later, which held that individualized damages issues preclude class certification under Rule 23(b). In that case, the Court held that an antitrust class should not have been certified because the plaintiffs’ damages model fell “far short of establishing that damages [were] capable of measurement on a classwide basis.” The Court explained that without a sound methodology for determining damages across the class, the predominance requirement is not satisfied, as “[q]uestions of individual damage calculations will inevitably overwhelm questions common to the class.” The Court further held that courts must rigorously analyze any proposed method for measuring damages to ensure the inferences it draws are just, reasonable, and not speculative; and that courts cannot defer this examination on the ground that it pertains to the merits. The plaintiffs’ model, which improperly “assumed the validity” of the plaintiffs’ theories, did not meet this exacting standard.[1]

The important takeaway from these decisions with respect to data breach actions is that, even if the named plaintiff can establish he or she was injured by the breach (which is often difficult in and of itself), individual variations in the damages suffered by the putative class members may be enough to defeat certification.
For example, determining whether and to what extent a specific class member was injured by the breach would require an investigation into:

• Whether that class member’s personal information was actually accessed;
• Whether the class member’s personal information was used to make fraudulent charges; and
• Whether the class member took steps to protect against fraud following the breach.

Additionally, in some data breach class actions, plaintiffs allege an injury of emotional distress. This type of claim would potentially be even more susceptible to an argument that individual inquiries predominate because it would require an examination into the mental state of each class member.

[1] Indeed, in non-data breach cases, many defendants have been successful in defeating certification based on Comcast. See, e.g., Lanovaz v. Twinings N. Am., Inc., No. 12-02646, 2014 WL 1652338, at *5 (N.D. Cal. Apr. 24, 2014) (denying certification in false advertising case brought against a manufacturer of tea where plaintiff did “not present any damages model capable of estimating the price premium attributable to Twinings’ [allegedly misleading] antioxidant labels”); Turnbow v. Life Partners, Inc., No. 3:11-cv-1030, 2013 WL 3479884, at *17 (N.D. Tex. July 9, 2013) (plaintiffs would “have to present evidence, policy by policy, to prove that a longer expectance would have resulted in lower purchase prices. … The Court is unconvinced that Plaintiffs’ proposed damages calculus represents an accurate approximation of any single class member’s contractual damages. Numerous factors that affect the amount of damages, if any, to any given class member are not accounted for in [the expert’s] formula.”); Roach v. T.L. Canon Corp., No. 3:10-cv-0591, 2013 WL 1316452, at *3 (N.D.N.Y. Mar. 29, 2013) (denying certification in a wage and hour case where “a demanding and rigorous analysis of the evidentiary proof on [plaintiffs’] claim does not yield a finding that damages are capable of measurement on a classwide basis. Rather, Plaintiffs’ proof that some employees, on various occasions, were denied their 10-hour spread payments indicates that damages in this putative class are in fact highly individualized.”). These decisions may provide additional support for defeating class certification in data breach cases.

Purely Statutory Damages Claims May Also Be Difficult to Pursue on a Classwide Basis

In some data breach class actions, plaintiffs have brought causes of action under federal and state statutes (such as unfair trade practices statutes), and have limited their requested recovery to a statutory damage amount (e.g., $500 per violation). The facial appeal of such cases is the ability to evade the predominance difficulties associated with cases like Hannaford, where the type of damage claim is linked to the actual harm suffered by plaintiffs.

Nonetheless, depending on the statutes at issue, plaintiffs may still have a difficult time certifying classes that seek purely statutory damages amounts. This is so because some statutes require a showing of actual injury or loss by a plaintiff in order to trigger a claim for even the statutory amount. See, e.g., In re Barnes & Noble, No. 12-8617 (N.D. Ill. Sept. 13, 2013) (holding in a data breach case that “Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”). Thus, while seeking only statutory damages may help eliminate issues about the amount of damages that can be awarded, such a strategy would not eliminate all individualized issues, if the statutes at issue still require a showing of particularized harm or loss, which may not be susceptible to classwide proof.
While there is a dearth of case law in the data breach context at the class certification stage, companies facing statutory claims should monitor how the law develops.

Conclusion

After Hannaford and Comcast, certification of a class in data breach actions is a significant hurdle for plaintiffs. Because the calculation of damages will often present questions that cannot be resolved by reference to a single body of common evidence, courts may find that class certification is inappropriate. Companies facing class action exposure for data breaches should monitor how other courts apply Hannaford and Comcast at the class certification stage. They should also monitor how the law on certification develops with respect to claims seeking only statutory damages.

Authors:
Nicholas Ranjan, nicholas.ranjan@klgates.com, +1.412.355.8618
James P. Angelo, james.angelo@klgates.com, +1.412.355.6230

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. © 2014 K&L Gates LLP. All Rights Reserved.