In an era when a new data security incident seems to be announced every month, there is surprisingly little class certification jurisprudence for data security class actions. Indeed, to date we know of only four decisions that have addressed class certification in contested data privacy actions, excluding settlement certification, and only one of those addresses the release of employee data: Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2017 WL 1754772, at *7 (N.D. Ill. May 3, 2017); In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 484 (D. Minn. 2015); In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 33 (D. Me. 2013); and In re TJX Companies Retail Sec. Breach Litig., 246 F.R.D. 389, 397-98 (D. Mass. 2007). With only one exception (Target), courts have refused to certify contested data privacy classes.
The common theme of the decisions denying class certification is that causation and damages in data security actions are individualized questions that defeat the commonality requirement of Rule 23(a) or the predominance requirement of Rule 23(b)(3). For example, in Dolmage, the defendant insurance company’s vendor posted the Social Security numbers and other personal information of thousands of the defendant’s employees online. Dolmage, 2017 WL 1754772, at *1-2. The court nevertheless refused to certify a class of the employees and explained why data security cases may be unsuitable for class resolution. Id. at *6-10.
[Of the proposed data incident class members, some] may have become the victim of an actual theft of funds. A subset of these individuals may have been able to resolve the problems quickly or obtain reimbursement from banks and other third parties. Others may have spent months trying to resolve the identity fraud with little or no success, to the point that they “encounter[ed] employment and relationship issues.” Other class members may have not had their information stolen by an identity thief but nevertheless incurred minor expenses monitoring their credit or taking other steps to protect themselves. Another subset of class members may have had no out-of-pocket expenses at all, but suffered emotional distress worrying that they could become a victim of identity theft. Still others may have suffered no distress or inconvenience whatsoever.
Id. at *7 (internal citations omitted). Because of these disparities in class members’ damages, which required individual inquiries, the class failed to meet the commonality and predominance tests of Rule 23. See id. at *7-8. The court also held that the plaintiff’s claims were not typical because the plaintiff claimed actual identity theft damages, whereas “the vast majority of class members never reported becoming a victim of identity theft.” Id.
Similarly, in Hannaford Bros., the court denied certification of a class of customers whose debit and credit card data had been stolen. 293 F.R.D. at 23. Unlike the Dolmage court, the Hannaford Bros. court held that the typicality and commonality requirements of Rule 23(a) were met. Certification was denied, however, because common issues did not predominate over individual issues, as Rule 23(b)(3) requires: damages could not be established on a classwide basis. Id. at 33-34. The court would instead have had to hold a “trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.” Id. at 33.
Causation has also proven difficult to resolve on a classwide basis in data security cases. In TJX, the court denied certification of a class of financial institutions that had issued credit and debit cards compromised in a security incident. 246 F.R.D. at 389. The court explained, “if a particular instance of fraud occurred because a thief stole a cardholder’s wallet and used the credit card therein, that fraud would be wholly divorced from the [data incident].” Id. at 397-98. Accordingly, the court held that because causation could not be established on a classwide basis, common questions did not predominate over individual ones. Id.
The one outlier, the class in Target, was certified because the court determined it was possible to prove a common injury and compute damages on a classwide basis. Target, 309 F.R.D. at 489-90. Target involved two putative classes arising from the 2013 hacking of Target’s computer systems: (1) consumers whose financial information was stolen, and (2) financial institutions that had to reissue credit and debit cards and reimburse fraud claims. Id. at 484-85. The consumer class settled fairly quickly, so only the financial institution class was contested. Id.
Target argued that the financial institution plaintiffs’ injuries amounted to a risk of future harm, which was neither cognizable nor susceptible to classwide proof. Id. at 487. The court disagreed and distinguished the financial institutions’ injuries from those of the consumer class. Id. The court noted that, unlike the consumer class, the financial institutions had reissued nearly every card that was subject to an alert after the Target hacking. Id. This was a common injury caused by the breach, and thus commonality and predominance were satisfied for the financial institution class. See id.; but see TJX, 246 F.R.D. at 399 (holding that predominance was not met for a putative class of financial institutions that had to reissue cards, monitor fraud and reimburse fraudulent charges, where putative class members had incurred different expenses and there was no acceptable method for determining damages in the aggregate).
The bottom line:
While courts so far have been skeptical about granting class certification in data breach cases, the number of cases that have reached a contested certification decision is small, and, of course, a data incident carries serious consequences for employers beyond class litigation.