A theory of harm frequently asserted in data breach class actions is that plaintiffs did not receive the “benefit of the bargain” with defendants. That is, plaintiffs claim that when they transferred sensitive information to defendants, they anticipated that the information would remain safe. When the data were exposed as part of a breach, that “bargain” was not upheld. For example, Anthem plaintiffs alleged that when purchasing health insurance, they suffered “loss of the benefit of the bargain with Defendants to provide adequate and reasonable data security” and instead received health insurance that was “less valuable than described in their contracts.”1 Similar theories have been alleged in a variety of data privacy class actions.2 For example, in retail breach cases: (i) P.F. * Partner in the Antitrust and Privacy & Data Security practices at Edgeworth Economics, L.L.C. I would like to thank Jesse David, Mike Will, and Adam Cooke for their helpful feedback. 1. Fourth Consolidated Amended Class Action Complaint at 120, 135, In re Anthem Data Breach Litig., No. 15-MD-02617-LHK (N.D. Cal. Feb. 24, 2017), ECF No. 714-3 [hereinafter Anthem Complaint] (emphasis added). 2. See, e.g., Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (alleging that portions of plaintiffs’ insurance premiums were consideration for an insurer’s promises to provide data 116 JOURNAL OF TECHNOLOGY LAW & POLICY [Vol. 23 Chang’s plaintiffs claimed damages on “the cost of their meals” because they “would not have dined at P.F. Chang’s had they known of its poor data security,”3 and (ii) Neiman Marcus plaintiffs argued they overpaid because “the store failed to invest in an adequate security system.”4 Methods to analyze benefit of the bargain harm in a class certification setting have continued to evolve. For example, while P.F. Chang’s and Neiman Marcus plaintiffs did not propose any specific analytical framework for assessing this theory, Anthem plaintiffs suggested that they would use a statistical technique called “conjoint analysis” to do so.5 II. ECONOMIC FRAMEWORK IN DATA BREACH CLASS ACTIONS AND POTENTIAL RELEVANCE OF “CONJOINT ANALYSIS” “The appropriateness of the class action mechanism for adjudicating a consumer data breach litigation rests crucially on the plaintiffs’ ability to present an analysis capable of determining whether all—or, in some cases, virtually all—class members could have suffered injury from the alleged data breach,” as well as the estimation of damages on a class-wide security); In re SuperValu, Inc., Customer Data Sec. Breach Litig., No. 14-MD-2586, 2016 WL 81792 (D. Minn. Jan. 7, 2016) (alleging a variety of standing theories, including lost benefit of bargain); In re LinkedIn User Privacy Litig., 309 F.R.D. 573 (N.D. Cal. 2015) (claiming plaintiff purchased her premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured in accordance with industry standards); Svenson v. Google Inc., No. 13-cv-04080- BLF, 2015 WL 1503429 (N.D. Cal. Apr. 1, 2015) (alleging to have signed a contract with Google indicating plaintiff was to receive a payment processing service that would facilitate her app purchase while keeping her private information confidential); In re Adobe Systems, Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (alleging plaintiffs personally spent more on the defendant’s products than they would have, had they known the defendant was not providing the reasonable security it represented it was providing.); In re Barnes & Noble Pin Pad Litig., No. 12- cv-8167, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) (asserting plaintiffs overpaid for the products and services purchased from Barnes & Noble because they were paying for the security measures Barnes & Noble was supposed to employ to protect credit and debit transaction information). 3. Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016). 4. Remijas v. Neiman Marcus Group, 794 F.3d 688, 694 (7th Cir. 2015). The way the specific “bargain” between plaintiffs and defendants is described varies from case to case. However, for consistency, this article refers to the feature at issue using Anthem plaintiffs’ terminology: that they understood their purchases to include a feature called “adequate and reasonable data security.” Anthem Complaint, supra note 1, at 120. 5. Notably, Anthem plaintiffs indicated that the conjoint analysis “could not be completed until after class certification” because “the parameters of the conjoint surveys would depend on the classes ultimately certified by the Court.” Plaintiffs’ Memorandum in Support of Preliminary Approval of Class Action Settlement at 4, 16, In re Anthem Data Breach Litig., No. 15-MD02617-LHK (N.D. Cal. June 23, 2017), ECF No. 869-5. 2018] BENEFIT OF THE BUT-FOR BARGAIN 117 basis.6 Moreover, because plaintiffs often allege multiple theories of economic harm,7 such an analysis should distinguish between the damages associated with the different theories.8 With respect to a benefit of the bargain theory, a consumer’s damages may be measurable as the difference between what the consumer actually paid for a product (i.e., in the “actual world”) and what the consumer would have paid (i.e., in the “but-for world”)9 for a product that did not allegedly misrepresent its level of “adequate and reasonable data security.” This difference is meant to represent the “benefit” a defendant allegedly failed to deliver to its customers. The actual price paid for a product may be observable from invoices, consumer receipts, or point-of-sale records. However, the question relevant to assessing impact and damages is: What price would the consumer have paid if the defendant appropriately described the bargain at the time of the transaction, i.e., that it did not include adequate and reasonable data security? Conjoint analysis—the technique suggested by Anthem plaintiffs to assess this question—is a “popular marketing research technique that marketers use to determine what features a new product should have and 6. David Cohen, Michael Kheyfets, Michelle Visser, & Adam Winship, A Rigorous Analysis of Class Certification Issues in Consumer Data Breach Litigation, 16 PRIVACY & SECURITY L. REP. 104, 107 (2017). 7. Id. 8. For example, in instances where plaintiffs have alleged they were harmed due to (i) fraudulent misuse of the stolen information, as well as (ii) not receiving the benefit of the bargain, their class certification and damages frameworks should be able to distinguish between the two. 9. As the Anthem plaintiffs described it, they suffered: [L]oss of the benefit of the bargain with Defendants to provide adequate and reasonable data security—i.e. the difference in value between what Plaintiffs should have received from Defendants when they enrolled in and/or purchased insurance from Defendants that Defendants represented, contractually and otherwise, would be protected by reasonable data security, and Defendants’ partial, defective, and deficient performance by failing to provide reasonable and adequate data security and failing to protect Plaintiffs’ Personal Information from theft.” Anthem Complaint, supra note 1, at 120–21 (emphasis added); see, e.g., Federal Judicial Center, Reference Manual on Scientific Evidence 432 (3d ed. 2011). Note that what the plaintiffs would have paid in the but-for world is not necessarily the same as what they would h 118 JOURNAL OF TECHNOLOGY LAW & POLICY [Vol. 23 how it should be priced.”10 In practice, it is implemented by first conducting a survey which asks respondents to choose among a series of hypothetical products with a variety of prices and features. Exhibit 1 illustrates a survey that breaks down a consumer’s choice of which TV to buy into “attributes” such as screen type, screen size, brand, and price. The consumer is also offered a choice of various combinations of attribute “levels.” By offering respondents different combinations of attributes (e.g., a 36" Plasma Sony TV for $499 vs. a 46" LED Philips TV for $899),11 a well-designed conjoint survey aims to gather information that can be used to study their preferences for individual attributes. EXHIBIT 1 12 Once choice data from these surveys are collected, the goal of the conjoint analysis is to statistically model the weight (called “utility” or “part-worth”) respondents place on a given feature—relative to the 10. Joseph Curry, Data Use: Understanding Conjoint Analysis in 15 Minutes, QUIRK’S MARKETING RES. REV. (1996), https://www.sawtoothsoftware.com/download/techpap/undca15. pdf [hereinafter Curry, Understanding Conjoint Analysis]. 11. In some conjoint surveys, the respondent may be asked to rank the choices from mostto least-preferred. In others, the respondent may be asked to make a single selection from the available choices. 12. Conjoint Analysis, DOBNEY, http://www.dobney.com/Conjoint/Conjoint_analysis.htm (last visited Sept. 25, 2018). 2018] BENEFIT OF THE BUT-FOR BARGAIN 119 products’ other features—when making their choices.13 Moreover, the respondents’ collective valuation (or “willingness to pay”) for a feature can be derived through a calculation involving the “utility” of that feature and the “utility” of price.14 Courts have accepted this technique in several patent infringement cases involving reasonable royalty damages, with the goal of using it to isolate the value of an allegedly infringing feature by (indirectly) comparing versions of a product with and without that feature.15 In these cases, experts have argued that such valuations would have been considered by the parties in a hypothetical negotiation for royalties.16 More recently, conjoint analysis has been offered in consumer product mislabeling class actions. In such cases, plaintiffs allege that a manufacturer of a consumer product made false or misleading claims, and aim to use conjoint analysis to estimate the value of the allegedly misrepresented feature (e.g., the value related to labeling a product as “All Natural,” as compared to one without that label).17 Whether courts will accept conjoint analysis to certify classes in data breach cases remains uncertain.18 This Article discusses several key features of conjoint analysis, as well as challenges for the use of such 13. Curry, Understanding Conjoint Analysis, supra note 10. 14. To use terminology from Anthem, the survey would seek to identify respondents’ perceived valuation of—or willingness to pay for—adequate and reasonable data security. Anthem Complaint, supra note 1, at 120. 15. See generally Apple, Inc. v. Samsung Elecs. Co., No. 11-CV-01846-LHK, 2013 U.S. Dist. LEXIS 149741 (N.D. Cal. Oct. 15, 2013); Microsoft Corp. v. Motorola, Inc., No. C10-1823- JLR, 2011 U.S. Dist. LEXIS 73827 (W.D. Wash. May 31, 2011). 16. See cases cited supra note 15. 17. See, e.g., Briseno v. ConAgra Foods, Inc., 844 F.3d 1121, 1123 (9th Cir. 2016) (arguing that the “100% Natural” label on the product was false or misleading because Wesson oils are made from bioengineered ingredients that plaintiffs contended were “not natural”); In re Dial Complete Mktg. & Sales Practices Litig., 312 F.R.D. 36, 47 (D.N.H. 2015) (alleging that a variety of statements appearing on Dial Complete’s product labels, including claims that it “Kills 99.99% of Germs,” is “#1 Doctor Recommended,” and “Kills more germs than any other liquid hand soap” were inaccurate and misleading); In re NJOY, Inc. Consumer Class Action Litig., No. CV 14-00428 MMM (RZx), 2014 U.S. Dist. LEXIS 199368, at *6 (C.D. Cal. Oct. 20, 2014) (alleging that NJOY’s failure to include certain harmful ingredients on the label was misleading because consumers would want to know that the product contained these ingredients before purchasing ecigarettes and that NJOY failed to warn of the harmful effects of inhaling such ingredients). 18. For example, plaintiffs in Anthem indicated that “the Benefit of the Bargain theory depended upon the results of a conjoint study that could not be completed until after class certification, and there was no guarantee that Plaintiffs would ultimately have found this type of damage at all.” Plaintiffs’ Memorandum in Support of Preliminary Approval of Class Action Settlement at 21, In re Anthem Data Breach Litig., No. 15-MD-02617-LHK (N.D. Cal. Feb. 24, 2017), ECF No. 869-5 (emphasis added). Plaintiffs also indicated that “it is possible that both the Benefit of the Bargain theory and the Loss of Value of PII theory could yield large numbers that would be unpalatable to a jury.” Id. 120 JOURNAL OF TECHNOLOGY LAW & POLICY [Vol. 23 analysis in the context of class certification issues in data breach litigation. Specifically, conjoint surveys may: (i) struggle to isolate the purported bargain at issue in a data breach case; (ii) aim to measure the customer’s willingness to pay for something rather than the price that prevails in the marketplace; and (iii) not yield results that represent all, or nearly all, members of a proposed class. III. “HOLD THE PICKLES, HOLD THE . . . ADEQUATE AND REASONABLE DATA SECURITY”: CAN CONJOINT ANALYSIS IDENTIFY THE “BARGAIN” ON THE RELEVANT FEATURE? Conjoint analysis does not study actual transactions where sensitive information is exchanged. Rather, it surveys individuals—who may or may not be party to a proposed class—on their preferences for certain products relative to others. At least some products in the respondent’s “choice set” are hypothetical in that they lack a feature that is actually offered in the real-world marketplace. There are two initial issues relating to hypothetical products that merit consideration. First, hypothetical products necessarily have hypothetical features—or actual features in hypothetical combinations—and prices that are set by the survey designer. Thus, the choices about what combinations of features are offered in the hypothetical products, as well as the price points for those products, necessarily influence the outcome of the survey. More importantly, however—and perhaps where analysis in data breach cases begins to depart from that in patent infringement and false claims cases— is that it may be difficult to assess how the notion of adequate and reasonable data security figures into consumers’ choices. For conjoint analysis to serve its purpose, the attributes among which respondents are choosing must be ones that affect the purchase process. For example, consumers may have a relatively clear perception of how much more they would be willing to pay for a mobile phone with a touchscreen than for one without, or a food product with an “All Natural” label than a similar product without the label. However, consumers may have more difficulty with an abstract concept like adequate and reasonable data security, particularly since that feature is not typically advertised or described by sellers of consumer products and services. A conjoint analysis seeking to assess a claim like the one in Anthem— i.e., that purchasers of health insurance were deprived of adequate data security—may face the issue in the real world that consumers do not explicitly consider data security. For example, one academic study identified ten “key drivers of consumer choice among health-care coverage alternatives” as: (i) carrier providing health care coverage; (ii) doctor quality; (iii) hospital choice; (iv) monthly premium; (v) physician network; (vi) cost per doctor visit; (vii) prescription coverage; (viii) 2018] BENEFIT OF THE BUT-FOR BARGAIN 121 wellness visits coverage; (ix) dental coverage; and (x) vision coverage.19 Even this list, which goes beyond the six-attribute “choice sets” generally prescribed by conjoint analysis practitioners,20 does not leave room to identify the feature at issue in a data breach litigation. It may be difficult to tease out respondents’ valuation of such a feature if, in a real-world setting, they would not consider purchasing the “but-for” version of the product. Moreover, unlike the binary choice between a product either having an “all-natural” label or not, “data security” may be open to the respondent’s interpretation, further compounding the problem. An issue with applying conjoint analysis to a “tough-to-value” feature arose in Sanchez-Knutson v. Ford Motor Co. 21 In that case, plaintiffs alleged that certain Ford Explorer vehicles were defective because they experienced exhaust odor under certain driving conditions.22 Plaintiffs’ expert opined that he could design a conjoint analysis that would enable him to “determine the difference in value . . . that customers place on a Ford Explorer with no exhaust leaking into the cabin compared to an otherwise identical Ford Explorer subject to the problems with exhaust.”23 The court took issue with this approach, stating “I don’t know how you do that analysis when no one’s gonna buy a car if it fills up with carbon monoxide when you drive it,” and indicating that if “you ask a bunch of people, how much would you pay for a Ford Explorer that has carbon monoxide in it . . . they’re all going to say nothing.”24 Asking survey respondents what they would be willing to pay for health insurance without adequate and reasonable data security may yield similar results. Plaintiffs’ expert in Anthem recognized that “a critical aspect of the survey will be to specify a set of levels for the data security attribute,” and hypothesized three formulations of the feature at issue25: 19. Roger Gates et al., Modeling Consumer Health Plan Choice Behavior to Improve Customer Value and Health Plan Market Share, 48 J. BUS. RES. 247, 250 tbl.1 (2000). 20. Paul E. Green & V. Srinivasan, Conjoint Analysis in Marketing: New Developments with Implications for Research and Practice, 54 J. MARKETING 3, 8–9 (1990). 21. Sanchez-Knutson v. Ford Motor Co., 52 F. Supp. 3d 1223 (2014). 22. Id. at 1225. 23. Defendant Ford Motor Company’s Motion In Limine to Exclude the Testimony of Steven Gaskin at 2, Sanchez-Knutson v. Ford Motor Co., No. 0:14-CV-61344-WPD (S.D. Fla. 2017), ECF No. 182. 24. Id. at 17. Notably, the Court in this case certified part of the proposed class, despite Plaintiffs having not actually executed the conjoint analysis at the time of the decision (“[T]he Court disagrees with Defendant that [plaintiffs’ expert], must have already performed his proposed conjoint analysis for the Court to consider the proffered methodology.”). Order Granting in Part and Denying in Part Plaintiff’s Renewed Motion for Class Certification at 14, SanchezKnutson v. Ford Motor Co., No. 0:14-CV-61344-WPD (S.D. Fla. 2017), ECF No. 148. 25. Expert Report of Peter E. Rossi, In re Anthem Data Breach Litig., No. 15-MD-02617- LHK (N.D. Cal. Feb. 24, 2017), ECF No. 720-30 [hereinafter Rossi Report]. 122 JOURNAL OF TECHNOLOGY LAW & POLICY [Vol. 23 Example 1: 1. Highest Level: Exceeds industry standards. 2. Intermediate Level: Meets industry standards. 3. Lowest Level: Falls short of industry standards in one or more important areas. Example 2: 1. Meets or exceeds industry average for 11 of 13 metrics used in standard security audits. 2. Meets or exceeds industry average for 8 of 13 metrics used in standard security audits. 3. Meets or exceeds industry average for 5 of 13 metrics used in standard security audits. Example 3: 1. All fundamental data security practices are adhered to. 2. One or more fundamental data security practices is (sic) not adhered to. Because Anthem plaintiffs did not ultimately conduct this survey, it remains unknown which, if any, of these formulations would yield meaningful information about the value of adequate and reasonable data security. However, even taken at face value, these questions would raise concerns about how seriously consumers—who may not be well-versed in evaluating data security when purchasing health insurance—would consider plans whose security “falls short of industry standards,” or does not adhere to “fundamental data security practices.”26 Thus, if a survey approach cannot offer a “but-for” product option that is plausible in the real world, it may not yield results that offer insight into the relevant question.