In an order surely to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine denied the plaintiffs’ motion to certify a class in In re Hannaford Brothers Company Data Security Breach Litigation

Hannaford was filed as a putative class action in 2008 and arises out of a cybersecurity incident wherein criminals infiltrated Hannaford’s network and stole customer debit and credit card information.  The District Court, after certifying questions to the Supreme Court of Maine, dismissed all seven claims alleged in the consolidated class action complaint either for failure to state a claim or for failure to allege injury sufficient to confer Article III standing.  The First Circuit reversed on two claims, however, finding that the plaintiffs had alleged sufficient injury to support their state law negligence and implied breach of contract claims because they had alleged damages in the form of foreseeable costs to mitigate any harm arising from the data breach, specifically fees for replacing cards and the cost of data theft protection products.

On remand, the plaintiffs filed their motion for class certification and tailored their putative class to fall within the scope of the First Circuit decision by limiting the proposed class to “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” 

The Court acknowledged the force in Hannaford’s argument that individual questions surrounding reliance and causation prevented a typicality finding under Rule 23(a) and further noted that the differing economic impact of the intrusion on various class members could create typicality issues.  However, extensively quoting the opinion, the Court stated that it would be “unfaithful to the First Circuit’s decision” to accept Hannaford’s arguments on a typicality analysis.  Ultimately, the Court found that each requirement of Rules 23(a) and (b) of the Federal Rules of Civil Procedure was satisfied except for Rule 23(b)’s predominance requirement. 

The Court focused its predominance analysis on damages.  The plaintiffs argued that individual issues as to damages did not create a predominance issue because they would be able to present statistical proof of the total damages to the class based on records that show cards replaced, fees charged, and the instances of purchase of insurance of credit monitoring services by class members.  Then, according to the plaintiffs, because of the nature of the records and the data, they would be able to show by statistical probability what portions of those alleged damages were attributable to the Hannaford intrusion.  With this evidence, plaintiffs intended to ask the jury for a lump sum damage award that would distributed in the class administration process.

The Court rejected the plaintiffs’ arguments that they could prove damages on a class-wide basis and distinguished the cases that support such a procedure by noting that generally in those cases actual expert testimony was presented at the certification stage that supported the expert’s ability to testify as to total damages.  The Court found that without an expert, the plaintiffs cannot prove total damages and declined “to take judicial notice that there will be such an expert.”

From the defense perspective, the order clearly supports the arguments that individual issues of reliance and damages present a barrier to class certification in data breach cases, while the plaintiffs’ bar may read Hannaford as providing a roadmap for overcoming at least the issue of individualized damages.  What is clear, however, is that courts are starting to require plaintiffs to nail down proof that their claims can be manageably tried on a class basis, particularly as it relates to damages issues, a conclusion supported by the U.S. Supreme Court’s recent decision in Comcast Corp. v. Behrend.  But it would not be wise to read Hannaford as providing a simple way to provide that proof.  As discussed here, Comcast left unanswered whether the Daubert standard for expert witnesses applies to expert testimony at the class certification stage, leaving significant room for doubt about the appropriate standards.