In an encouraging development for data breach defendants, the Superior Court of Pennsylvania recently affirmed a trial court decision rejecting class certification in a suit filed against two Medicare programs for losing a flash drive containing personal information of 286,000 subscribers. The appellate court found that since the Philadelphia Court of Common Pleas “carefully considered the numerosity, typicality, adequacy of representation, and fair and efficient method of adjudication requirements for class certification,” it had not abused its discretion by denying class certification in March 2015. More broadly, the decision (Baum v. Keystone Mercy Health Plan, et al., No. 1250 EDA 2015 (Pa. Super. April 26, 2016)) indicates a resistance to permitting class claims to move forward where members have not suffered an ascertainable loss and where individual issues predominate, which may be the case in many data breach suits.
In the opinion, the Superior Court took a close look at Pa.R.C.P. 1702, which defines Pennsylvania’s prerequisites to class certification. Ultimately, the Superior Court found that the claim, alleging deceptive conduct under the catch-all provision of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law, fell short on three of the five Rule 1702 factors.
At the trial court and on appeal, plaintiff, suing on behalf of his minor child, urged that class treatment was appropriate for the individuals whose information—including member identification numbers, social security numbers, and lab results—was contained on a flash drive that was misplaced and never recovered.
According to the Superior Court, it was proper for the trial court to conclude that the claims failed to meet the typicality requirement of Pa. R.C.P. 1702(3), where the information on the flash drive would not identify plaintiff’s daughter, because plaintiff couldn’t claim to represent class members who could be identified via the lost data. Additionally, the Superior Court noted that plaintiff did not suffer an ascertainable loss.
The Superior Court also approved of the trial court’s finding that in this context, individual issues would predominate over a common one, so plaintiff could not fairly and adequately assert and protect a class interest as required by Pa. R.C.P. 1702(4).
Finally, considering Pa. R.C.P. 1702(5), the Superior Court found that a class action would not be a fair and efficient means of resolving the suit, given that “individual concerns predominate over any common issues of liability” in the case.
Given the size of many putative data breach classes, the predominance of individual issues and presence of members without ascertainable losses are not uncommon occurrences. In Pennsylvania, the Baum decision provides valuable insight as to what litigants can expect in similar circumstances.