A trio of decisions illustrates the challenge of obtaining class certification in class actions based on data breaches. Relatively few courts have addressed the issue of class certification in data security and privacy lawsuits, but three of the courts to do so have refused to certify the classes. Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2017 U.S. Dist. LEXIS 67555, at *7 (N.D. Ill. May 3, 2017); In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 33 (D. Me., 2013); and In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389, 397-98 (D. Mass., 2007). In denying certification, the courts reasoned that the data-breach actions involved individualized questions regarding causation or damages and therefore failed the commonality or predominance tests under Fed. R. Civ. P. 23(a) and 23(b)(3). The decisions illustrate how the inherent aspects of a data-breach make class certification challenging for plaintiffs that bring actions premised on a data breach.
In re TJX Cos. Retail Sec. Breach Litig. involved one of the largest retail security breaches in which criminals hacked the computer system of a retail company and compromised 45 million credit and debit accounts. The plaintiffs, an association of credit unions and banks that had issued the compromised cards to consumers, brought an action for negligent misrepresentation against Fifth Third Bank. The plaintiffs based their claims on the allegation that Fifth Third implicitly represented that it took the security measures required by industry practice to safeguard the stolen card information. In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83, 91-92 (D.Mass.2007)(prior proceeding containing factual overview of case). The plaintiffs’ attempt at certification failed, however, because the court found that common questions as to causation did not predominate over individual questions of causation. Indeed, Fifth Third’s alleged liability depended on whether the breach caused each particular plaintiff’s loss as opposed to whether the breach caused fraud-related losses generally. The court explained the various ways in which fraud losses can occur: “if a particular instance of fraud occurred because a thief stole a cardholder’s wallet and used the credit card therein, that fraud would be wholly divorced from [the theft of data].” In re TJX Companies Retail, 246 F.R.D. 389 at 398. Accordingly, similar to product liability actions, the case required individual inquiries into causation, which predominated over a common question of causation so as to preclude class certification under Fed. R. Civ. P 23(b)(3).
Dolmage v. Combined Ins. Co. of Am. involved a data breach that revealed the social security numbers of an insurance company’s customers and resulted in identity theft and identity fraud. The court found that the plaintiffs could not meet the requirement of commonality under Fed. R. Civ. P. 23(a) because the plaintiffs did not have the ability to calculate damages on a class-wide basis. Dolmage v. Combined Ins. Co. of Am., 2017 U.S. Dist. LEXIS 67555, at *7. The court pointed out the various degrees of harm or damages that the class may have incurred – the court explained the data breach at issue may have caused the actual theft of funds from some class members and that among such class members some may have obtained reimbursement from their bank while other class members may have encountered difficulty resolving problems associated with the identity fraud. Additionally, another set of class members may not have suffered identity theft at all but nonetheless incurred expenses taking steps to protect their identities. Id., at 25. Accordingly, the court found that the plaintiffs failed to establish the commonality requirement under Fed. R. Civ. P 23(a).
In Hannaford Bros., a grocery chain faced an onslaught of lawsuits after it suffered a data breach in which the breachers stole customers’ debit and credit card information. The defendant grocery store chain argued that plaintiffs needed to prove causation on an individual by individual basis under the facts because variations existed among customers as to whether the customers actually suffered fraudulent charges or otherwise incurred damages caused by the breach. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, at 33.
The plaintiffs asserted that they would establish the total damages caused to the class through statistical proof, which would distinguish the proportion of damages attributable to the breach from other, unrelated causes of damages. The plaintiffs argued that this statistical proof would form the basis of a lump sum damage request to the jury and that the distribution of the award is simply a matter of class administration. Id. at 32-33. Defendant’s counter argument regarding damages and causation echoed the Dolmage court’s rationale for denying certification. However, the Hannaford court punted on whether or not it agreed with the defendant’s arguments. Instead, the court denied certification because, bearing the burden of class certification, the plaintiffs had not yet presented expert testimony to support their statistical damage analysis, which other classes presented in prior cases that involved the lump sum procedure proposed by the plaintiffs in Hannaford Bros. Id., at 33.
Massive data breaches like those involved in the Hannaford, TJX Retail, and Dolmage cases necessarily involve varying degrees of resulting harm, and recovery for those damages will require that plaintiffs establish causation between the data breach and their damages. While the need for proof of individualized damages is not necessarily fatal to class certification, the need for an individualized causation assessment is fatal to class certification. The court’s reasoning in TJX Retail illustrates the most significant obstacle data breach actions will face – showing one set of common and compelling operative facts that will enable a court to dispose of the question of causation on a class wide basis. See Steering Comm. v. Exxon Mobil Corp., 461 F.3d 598, 602 (5th Cir. 2006). The purpose of the predominance test under Fed. R. Civ. P 23(b)(3) is to determine whether aggregating a common issue for determination on a class wide basis will advance the disposition of the litigation as a whole by disposing of the common issue. A class will fail the predominance test where the resolution of the common issue does not advance the litigation. McLaughlin v. Am. Tobacco Co., 522 F.3d 215, 234 (2d Cir. 2008).
Because of the nature of data breaches, it is difficult to present a set of facts where a finding of general causation would eliminate the need for individualized “mini-trials” on causation. In this regard, data breach actions are similar to product liability and mass tort cases. For example, courts have denied class certification to cigarette smokers for the same reason – -because liability is not established by showing cigarettes generally cause disease, but is instead dependent upon whether cigarettes caused each individual plaintiff’s disease. Smith v. Brown & Williamson Tobacco Corp., 174 F.R.D. 90, 96 (W.D. Mo. 1997). Courts have also applied the same logic to deny certification in product liability and mass tort actions. See In re Vioxx Prods. Liab. Litig., 239 F.R.D. 450, 462 (E.D. La. 2006); In re Joint E. & S. Dist. Asbestos Litigation, 129 B.R. 710, 746 (E.D.N.Y.1991). Indeed, because the risk of theft, fraud, or misappropriation are frequently present in connection with electronic payment systems and occur in many different ways unconnected to a massive data breach, efforts to show cause on a class-wide basis are likely to continue to falter, and the need for individualized causation assessments will continue to make class certification challenging for future plaintiffs.