Privacy and data breach class actions are on the rise. In fact, just last month, three class actions were filed against MAPCO Express, a southern convenience store chain, based on a hacking incident involving the compromise of its customers’ credit and debit card information. Plaintiffs in such class actions typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor, or other company handling their personal information—failed to adequately protect that information, used that information for unauthorized purposes, or otherwise violated their privacy rights under state or federal statutes or common law.
In class action lawsuits, including privacy and data breach class actions, plaintiffs are often unable to overcome the class certification hurdle, which generally results in the failure of the case. For example, class certification was denied in a recent data breach class action in which the plaintiffs claimed that, following an incident in which millions of customers’ debit and credit card data was stolen from a grocery chain, they incurred mitigation damages, including fees for new credit/debit cards, identity theft insurance, and credit monitoring. See In Re Hannaford Bros. Co. Customer Data Sec. Breach Litig., No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013). The court found that the plaintiffs met the class certification requirements under Fed. R. Civ. P. 23(a) - i.e., numerosity, commonality, typicality, and adequacy of representation—but failed to meet the predominance requirement of Fed. R. Civ. P. 23(b), which requires a showing that questions of law or fact common to class members predominate over questions affecting only individual members.
Similarly, earlier this year, the U.S. Supreme Court reversed class certification in an antitrust class action brought by cable television subscribers, concluding that the plaintiffs failed to meet Fed. R. Civ. P. 23(b)’s predominance requirement. See Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013). Explaining that a “rigorous analysis” of the plaintiff’s damages model must be conducted, the Court held that the plaintiffs’ proffered damages model was inconsistent with their theory of antitrust liability and inadequate to establish damages on a classwide basis.
The Comcast decision has tightened class certification standards, making certification more difficult going forward. See Forrand v. Fed. Exp. Corp., No. 08-1360 DSF PJWX, 2013 WL 1793951, at *3 (C.D. Cal. Apr. 25, 2013) (explaining that, under Comcast, a plaintiff must proffer a damages methodology “that can be applied classwide and that ties the plaintiff’s legal theory to the impact of the defendant’s allegedly illegal conduct”). However, some decisions have questioned its impact on the broader class action landscape, particularly in cases involving less complex damages calculations or certification only as to liability classes. See In re Whirlpool Corp. Front-Loading Washer Products Liab. Litig., No. 10-4188, --- F.3d ----, 2013 WL 3746205, *16-18 (6th Cir. July 18, 2013) (affirming liability class certification in product liability case, reasoning that Comcast only applies in cases involving liability and damages certification); Manno v. Healthcare Revenue Recovery Grp., LLC, 289 F.R.D. 674, 2013 WL 1283881, *18 (S.D. Fla. May 30, 2013) (certifying Telephone Consumer Protection Act (TCPA) class action, and disagreeing that Comcast “treads any new ground in class action law”); Martins v. 3PD, Inc., No. 11-11313-DPW, 2013 WL 1320454, at *8 n.3 (D. Mass. Mar. 28, 2013) (certifying wage act class action where damages calculation issues were neither “particularly complicated nor overwhelmingly numerous”).
More recently, for instance, a class was certified in Harris v. comScore, Inc., No. 11-C-5807, --- F.R.D. ----, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013), a privacy class action in which the plaintiffs claim that comScore, an online data research company, unlawfully collected data about their activities on the internet, analyzed that data, and sold it to third parties. The plaintiffs seek statutory damages for violations of several federal privacy statutes: the Stored Communications Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act.
The comScore court concluded that a class action was the most efficient method for resolving the common issues and that “individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.” The court also reasoned that the U.S. Supreme Court’s “assumption, uncontested by the parties,” in Comcast, that Fed. R. Civ. P. 23(b)(3) requires a classwide damages calculation methodology in antitrust cases, “even assuming it is applicable to privacy class actions in some way, is merely dicta and does not bind this court.” Last month, the U.S. Court of Appeals for the Seventh Circuit denied comScore’s appeal of the class certification ruling, allowing the case to proceed. See In re comScore, Inc., No. 13-8007 (7th Cir. June 11, 2013). The comScore class is likely to include millions of individuals, making it one of the largest class actions ever certified.
The emerging trend of privacy and data breach class actions has not been limited to the United States; in fact, several such class actions were recently filed in Canada. Last month, the Quebec Superior Court granted authorization for a class action in which the plaintiffs claim that Apple violated their privacy rights by transmitting or allowing iPhone and iPad devices to transmit private data to advertisers.
The potential liability resulting from privacy and data breach class actions is so substantial that privacy may be the “next frontier in consumer class actions.” With so much at stake, class certification will undoubtedly be not only an important issue, but also a critical battleground in future cases.