This article was originally published in Law360.
Data breach lawsuits are challenging cases for plaintiffs. Assuming they are able to survive a motion to dismiss on grounds of Article III standing in the first instance,[1] plaintiffs next bear the high burden of achieving class certification, which requires proof by a preponderance of evidence that questions of law or fact common to class members predominate over any questions affecting only individual members.
Predominance problems loom large for plaintiffs at class certification, particularly with respect to damages and causation.
In recent years, litigation over data breach incidents has increased substantially. Although most cases have either been dismissed or settled before reaching the class certification stage, numerous federal district courts have had occasion to decide contested motions for class certification.[2]
However, while there are a number of federal appellate court decisions addressing standing in the data breach context, to date none have addressed class certification outside of the settlement context.[3]
The importance and significant uncertainty of issues surrounding class certification in data breach litigation are reflected in two federal district court decisions from earlier this year that reached opposite conclusions on key issues, despite similar facts: McGlenn v. Driveline Retail Merchandising Inc.[4] and In re: Brinker Data Incident Litigation.[5]
This article identifies critical differences between those courts' handling of the predominance requirement, particularly as it relates to expert testimony concerning methodologies for estimating classwide damages. We conclude that, among other things, whether and how a court credits such expert testimony may be a critical driver behind class certification decisions to come.
The McGlenn Decision
McGlenn was a putative class action filed in the U.S. District Court for the Central District of Illinois by an employee against her employer, the victim of a phishing attack that resulted in the disclosure of substantial personally identifiable information, or PII.
On Jan. 19, the court denied the plaintiff's motion to certify a class under Rule 23(b)(3). The court acknowledged that issues as to liability were common to the proposed class;[6] however, it ultimately determined that individualized issues involving damages and causation predominated over common issues,[7] thereby precluding class certification.
Although the plaintiff's damages expert proposed a method for calculating classwide damages, the court noted his failure to present testimony that putative class members had suffered actual injury or to opine on each class member's risk of future harm.[8] The court even cited the expert's own acknowledgement that "a substantial number of victims of any data breach run no imminent threat of identity theft."[9]
On the issue of causation, the court likewise took its cue from the plaintiff's own expert, who had opined that putative class members' PII likely had been exposed in other data breaches during the two to four years prior to the relevant data breach.[10]
The Brinker Decision
Three months after McGlenn was decided, on April 14, the U.S. District Court for the Middle District of Florida reached the opposite result in Brinker, certifying in part a class of consumers in a data breach lawsuit against the parent company of Chili's.
Brinker involved the theft by hackers of customers' payment card data and PII. The focus of the Brinker decision was on the common issues relating to liability, which the court deemed capable of classwide resolution.[11]
Unlike the McGlenn court, the Brinker court credited the testimony of the plaintiffs' damages expert, who posited a method for calculating damages on a classwide basis in the data breach context.[12]
Significantly, the court determined that at this stage of the case, individual issues of damages and causation did not predominate because they could be left to later proceedings.[13]
Different Approaches to Deciding Predominance
The McGlenn and Brinker decisions illustrate two opposite frameworks for deciding class certification in data breach litigation.
The court in McGlenn focused on the individualized inquiries that necessarily would be involved in determining damages and causation, denying class certification on the basis that common questions relative to those issues did not predominate over questions affecting individual members.
The Brinker court, on the other hand, emphasized the common issue of liability among putative class members — namely, whether the company had a duty to safeguard their data, and whether the company had breached that duty.
Indeed, the Brinker court's focus on liability was practically to the exclusion of an analysis of whether common damages issues predominated, which the court punted until a later time, reasoning:
"[I]f it becomes obvious at any time that the calculation of damages (including accounting for multiple data breaches) will be overly burdensome or individualized, the Court has the option to decertify the class."[14]
While both courts considered expert testimony on the issue of damages, each did so within the context of that court's issue of primary focus at class certification.
In Brinker, where the court's emphasis was on common issues of liability among putative class members, it was deemed sufficient at the class certification stage that the plaintiffs' damages expert had proposed an averages method of addressing causation and damages. Under this method, damages — for lost opportunities to accrue rewards points, the value of cardholder time, and out-of-pocket damages — would be estimated for each class member, irrespective of whether that particular individual had suffered any such damages.[15]
According to the court, at the motion for class certification stage, the expert's methodology was "sufficiently supported by data, reliable, and reliably applied."[16]
On the other hand, the McGlenn court, with its emphasis primarily on damages and causation, arguably held expert testimony on those issues to a stricter standard. That court noted the expert's failure to present evidence that a substantial number of the class members have suffered actual injury, including in the form of bank charges, negative credit ratings, identity theft or fraud.[17]
In this regard, the McGlenn court effectively rejected the expert's testimony about how damages — in the form of "loss of value of PII, out of pocket monetary expenses, and other foreseeable losses stemming from identity theft" — could be calculated on a classwide basis in the data breach context.[18]
Expectations
Notwithstanding the divergent approaches taken by the McGlenn and Brinker courts at class certification, some future developments in this space may be inferred from the decisions.
1. Classwide Damages
First, these cases highlight a critical issue confronting plaintiffs in data breach class action litigation: How can they prove classwide damages when it is unlikely that a substantial number of individuals were injured by the data breach?
In both cases, the plaintiffs' reliance on expert testimony regarding damages was practically foretold by prior case law, in which class certification was denied on account of a lack of expert testimony to overcome predominance issues surrounding damages and causation.[19]
If these decisions are any indication, plaintiffs in data breach lawsuits are unlikely to seek class certification without expensive expert testimony on still-novel damages methodologies. What stock a particular court will put in such testimony remains highly uncertain, but plaintiffs' success at class certification may depend largely on whether and how a court credits it.
Notably, on Sept. 16, the defendant in Brinker filed an interlocutory appeal of the class certification decision to the U.S. Court of Appeals for the Eleventh Circuit.[20] Assuming that the matter is not settled before a decision on the appeal is issued, this will be the first federal appellate court to weigh in on a contested motion for class certification in the data breach context. Briefing on the appeal is set to commence this month.
2. Personally Identifiable Information
Second, particularly where data breach incidents have become more prevalent in recent years, any damages potentially associated with the disclosure of putative class members' PII may not be proximately tied to the incident at issue in the instant litigation.
Under the reasoning of McGlenn, in that event, inquiries as to proximate causation necessarily would be so individualized as to defeat the predominance requirement for class certification.
3. Inflection Point
Third, the rulings in McGlenn and Brinker highlight the importance of class certification as a critical inflection point in data breach lawsuits. The stakes are high at class certification. If the court denies a motion for class certification, the high-value case is effectively over.
On the other hand, if class certification is granted, there may not be another offramp for defendants before summary judgment and potentially trial.
4. Appellate Courts
Finally, the discussion in this article focused on two recent district court cases. Numerous other federal court decisions have addressed class certification in data breach cases.
Critically, though, no federal appellate court has yet grappled with a contested motion for class certification in a data breach case. That will change when the Eleventh Circuit renders a decision in the Brinker appeal.
And, as additional cases continue to be filed, and the ones that do not settle early work their way through the courts, more appellate courts will have to confront these important issues.
Until that time, class certification remains an uncertain, fraught and increasingly expensive endeavor for plaintiffs.
[1] See generally David H. Topol and Pamela L. Signorello, "McMorris Factors" Create Obstacles for Data Breach Plaintiffs, Law360 (Sept. 27, 2021).
[2] See, e.g., In re Sonic Corp. Customer Data Breach Litig., No. 1:17-md-02807-JSG, 2020 U.S. Dist. LEXIS 204169 (N.D. Ohio Nov. 2, 2020); Fero v. Excellus Health Plan, Inc., 502 F. Supp. 3d 724 (W.D.N.Y. 2020); Adkins v. Facebook, Inc., No. C 18-cv-05982-WHA, 2019 U.S. Dist. LEXIS 206271 (N.D. Cal. Nov. 26, 2019); Southern Indep. Bank v. Fred's, Inc., No. 2:15-CV-799-WKW, 2019 U.S. Dist. LEXIS 40036 (M.D. Ala. Mar. 13, 2019); Smith v. Triad of Ala., LLC, No. 1:14-CV-324-WKW, 2017 U.S. Dist. LEXIS 38574 (M.D. Ala. Mar. 17, 2017); In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21 (D. Me. 2013); Gardner v. Health Net, Inc., No. CV 10-2140 PA (CWx), 2010 U.S. Dist. LEXIS 150911 (C.D. Cal. Sept. 13, 2010).
[3] See In re Target Corp. Customer Data Sec. Breach Litig., 847 F.3d 608 (8th Cir. 2017); In re Target Corp. Customer Data Sec. Breach Litig., 892 F.3d 968 (8th Cir. 2018).
[4] McGlenn v. Driveline Retail Merch., Inc., No. 18-cv-2097, 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021).
[5] In re Brinker Data Incident Litig., No. 3:18-cv-686-TJC-MCR, 2021 U.S. Dist. LEXIS 71965 (M.D. Fla. Apr. 14, 2021).
[6] 2021 U.S. Dist. LEXIS 9532, *15.
[7] Id. at **29-30.
[8] Id. at **25-26.
[9] Id. at *26.
[10] Id. at **26-28.
[11] 2021 U.S. Dist. LEXIS 71965, **25-26.
[12] Id. at **10-11.
[13] Id. at *37.
[14] See id. at **25-26 and *35 n.7.
[15] See id. at **10-11, 36.
[16] Id. at *12.
[17] See 2021 U.S. Dist. LEXIS 9532, *25.
[18] See id. at **24-25.
[19] See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 33 (D. Me. 2013).
[20] See Steinmetz, et al. v. Brinker International, Inc., Appeal No. 21-13146-DD (11th Cir.).