Class Certification Denied in Data Breach Case
By Henry R. Chalmers, Litigation News Associate Editor – June 18, 2013

The long-running data breach case, In re Hannaford Bros. Co., is setting precedent yet again, this time on the issue of class certification. Having already established widely cited jurisprudence on addressing motions to dismiss data breach actions, the case recently moved on to the next stage of litigation when the U.S. District Court for the District of Maine denied certification to the proposed plaintiff class. In doing so, however, the district court left guideposts for future data breach plaintiffs to follow in trying to clear the class certification hurdle.

In re Hannaford Bros. Co.
The plaintiffs in In re Hannaford Bros. Co. are customers of the Hannaford Bros. grocery chain whose credit card data was stolen from Hannaford by sophisticated hackers. Many customers subsequently found fraudulent purchases on their credit cards, prompting the plaintiffs to file their class action lawsuit.

After surviving a motion to dismiss, with the help of the U.S. Court of Appeals for the First Circuit, the plaintiffs moved the district court to certify a class of all Hannaford customers who incurred out-of-pocket costs for securing replacement cards and purchasing credit-monitoring and identity-theft-insurance products in response to learning of the data intrusion.

In a detailed ruling, the district court addressed each of the criteria for certifying a class under Rule 23(a) and (b)(3) of the Federal Rules of Civil Procedure, ultimately finding all but one requirement satisfied and denying certification on that ground.

Rule 23(a)
As an initial matter, the district court found that the plaintiffs had met the requirements of Rule 23(a), which establishes criteria regarding numerosity, commonality, typicality, and adequacy that a putative class must satisfy before it can be certified. In doing so, the district court addressed various issues that have given other courts pause. For example, because the plaintiffs’ evidence showed that tens of thousands of Hannaford customers purchased identity theft protection in the wake of the data breach, the “numerosity” requirement seemed easily satisfied.

The district court expressed some concern, however, that despite the large number of arguably affected customers, the number of putative class members who ultimately may assert claims for reimbursement could be negligible. The court noted that in another recent case—In re Heartland Payment Sys., Inc. Customer Sec. Breach Litig.—of the 130 million potential class members, only 290 filed claims, and only 11 of those claims were deemed valid. And of the $1 million settlement fund created by Heartland, only $1,925 was ever paid to class members. Meanwhile, Heartland ended up spending more than $1.75 million in notice and administration costs.

In the end, however, the Hannaford court concluded that such crystal ball gazing was beyond its powers under Rule 23. From there, the district court easily found the remaining elements of Rule 23(a) were satisfied.

Rule 23(b)(3)
The plaintiffs’ motion ultimately faltered, however, when the district court considered Rule 23(b), which focuses on promoting economy and efficiency in the litigation. More specifically, the district court found that the plaintiffs failed to satisfy Rule 23(b)(3)’s “predominance” requirement. “That’s not surprising,” says Daniel R. Karon, Cleveland, chair of the ABA National Institute on Class Actions. “Nine times out of ten, ‘predominance’ is where class actions go to die.”

To establish their right to class certification under this requirement, the plaintiffs had to convince the district court that “questions of law or fact common to class members predominate over any questions affecting only individual members.”

Hannaford argued that the plaintiffs could not meet this burden because many class members may have incurred the alleged out-of-pocket expenses that were the heart of the lawsuit (replacing their credit cards or purchasing identity theft insurance) for reasons unrelated to the data breach. Thus, individualized questioning of each class member would be required to determine if that individual had made the personal decision to replace the card—not because of the breach at issue, but rather, for example, in response to a special offer from another card company or due to generalized fear of other unrelated data breaches. Since such an individualized assessment was needed, Hannaford argued, it negated the predominance requirement.

The plaintiffs assured the district court that they could find an expert who would testify by statistical probability what portion of the class’s replacement card fees and identity-theft-insurance premiums were due to the data breach. The plaintiffs would then use this evidence to ask the jury for a lump sum award of damages, to be apportioned among class members later through normal class administration.

The district court suggested it was open to the plaintiffs’ “lump sum” approach, but noted that plaintiffs in other cases following that methodology actually presented their experts at the class certification stage, where the experts testified to having reviewed the data and to being able “to testify what the total damages would be.” The Hannaford plaintiffs had not yet retained their experts, and the court found that “their lack of an expert opinion on their ability to prove total damages to the jury is fatal.”

“Without an expert, they cannot prove total damages, and the alternative (which even they do not advocate) is a trial involving individual issues for each class member as to what happened to his/her data and account, and what he/she did about it, and why.”

“The decision to deny class certification was correct,” says Robert J. Herrington, Los Angeles, cochair of the ABA Section of Litigation’s Class Actions and Derivative Suits Committee. “In many ways, the decision presaged the U.S. Supreme Court’s decision the following week in Comcast Corp. v. Behrend, requiring plaintiffs to submit actual evidence to show that damages can be proven based on common evidence.” “By requiring plaintiffs to submit expert testimony,” Herrington adds, “the Hannaford decision hopefully will eliminate many of the marginal cases that are filed based on a hope that the defendant will settle.”

Karon sees it differently, suggesting that “the claims administration process is perfectly well-suited for determining how much should be allocated to whom.” Besides, Karon notes, “the Hannaford decision actually includes helpful language and findings that plaintiffs can use to obtain class certification in future data breach cases.”

Unless the district court reconsiders its ruling, the case appears headed back to the First Circuit, whose ruling likely will again set standards—this time regarding class certification—that may influence data breach litigation and the timing for retention of experts across the country.

Keywords: data breach, class action, class certification, predominance, damages

 