In an era when a new data security incident seems to be announced each month, there is surprisingly little class certification jurisprudence for data security class actions. Indeed, to date we know of only four decisions that have addressed class certification of data privacy actions, excluding settlement certification, and only one of those addresses the release of employee data: Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2017 WL 1754772, at *7 (N.D. Ill., May 3, 2017); In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 484 (D. Minn., 2015); In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 33 (D. Me., 2013); and In re TJX Companies Retail Sec. Breach Litig., 246 F.R.D. 389, 397-98 (D. Mass., 2007). With only one exception (Target), courts have refused to certify contested data privacy classes.
The theme of decisions denying class certification is that causation and damages in data security actions are individualized questions that defeat the commonality or predominance tests of Rule 23(a) and Rule 23(b)(3). For example, in Dolmage, the defendant insurance company’s vendor posted Social Security numbers and other personal information of thousands of the defendant’s employees online. Dolmage, 2017 WL 1754772 at *1-2. The court, however, refused to certify a class of the employees and explained why data security cases may be unsuitable for class resolution. Id. at *6-10.