data-theft-securityLast month, a retailer confirmed a massive credit card records breach that can expose consumers to credit card frauds.   It is only one of many data breaches that occurred in 2013.  Numerous class actions involving data theft and security breach have been filed in the last several years. Many of the claimants faced early-stage dismissal because of issues with standing and class certification. In the few cases where plaintiffs avoided dismissal on standing grounds, the inability to attain certification of class members hindered efforts to maintain claims for damages associated with a data breach. As a result, data theft and security breach claimants are burdened with a dual impediment—that is, plaintiffs must first overcome standing issues, and then must effectively certify class members.

Standing is an essential component to any civil action, and therefore the ability to establish standing is crucial pleading-stage consideration, whether claims are asserted by individual plaintiffs, or through a class action. Pursuant to Article III of the U.S. Constitution, there are three essential elements to standing: (1) The plaintiff must demonstrate injury-in-fact; (2) The plaintiff must show that the injury in question is fairly traceable to the defendant’s challenged action; and (3) The injury alleged by the plaintiff must be one that could be redressed by a favorable judicial decision. Since data breach actions often involve claims for damages that are merely speculative in nature, the inability to demonstrate a cognizable injury has limited claimant’s class action efforts.

Standing requires the presence of cognizable injury; certification requires the presence of cognizable injury to the both the representatives and members of an adequately defined, and clearly ascertainable class.  Put simply, the general concept of ‘absence of present injury’ can support a class action dismissal at either stage of the case.

As stated in Simon v. Eastern Ky. Welfare Rights Org., 425 U.S. 26, 40 (1976), class representatives “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” In addition, establishing the presence of cognizable injury suffered by all class members must not involve individualized fact finding, nor address a central issue of liability. From the practitioner point of view, the interrelation between standing and certification issues associated with injury and damages, is implicative of the need for expert assessment.  For credit data breaches, an attorney might seek the expertise of a consumer credit expert witness and financial fraud expert to address damages.

Class certification demands that the action fall within one of the subsections of F.R.C.P. 23(b). The inability to establish predominance, pursuant to F.R.C.P. 23(b)(3), has by far been the most common reason asserted as grounds for denial of class certification in data and security breach class actions brought forth by consumers against retailers. While the ability to certify class members is never certain prior to a court’s ruling on the matter, case law does provide practitioners with one key guiding principal—expert testimony on the issue of class wide damages is essential. Further, the mere assertion that expert testimony can be provided or will be provided, at some point in the future, is insufficient to certify class members. This matter was discussed in the case of In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013), in which the court, in denying class certification, stated:

“Although the plaintiffs have told me they will find such an expert, they have not presented that expert or that expert’s opinion. Certainly I cannot take judicial notice that there will be such an expert. The plaintiffs bear the burden at class certification, General Telephone Co. of Southwest v. Falcon, 457 U.S. 147, 156 (1982), and I conclude that their lack of an expert opinion on their ability to prove total damages to the jury is fatal. Without an expert, they cannot prove total damages, and the alternative (which even they do not advocate) is a trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why. In the absence of expert opinion testimony, I conclude that the plaintiffs have not shown predominance.”

In addition to demonstrating the general need to present testimony from an expert to achieve certification, the Hannaford case also provides practitioners with valuable guidance as to precisely what type of testimony is sufficient to certify class members, in terms of methods and procedures of analysis and presentation of data. In noting that some circuits have either accepted or rejected a particular methodology, such as aggregate or statistical modeling, and others circuits have not yet addressed issues regarding an expert’s use of a specific methodology, the Hannaford case, along with the cases cited within Hannaford, provides a useful starting point for the assessment of certification issues in other data theft, security breach, and privacy class actions. In sum, while certification demands testimonial expertise, the presentation of such testimony is only valuable to the extent of its admissibility.

By: Alicia McKnight, J.D.