Two decisions issued in 2013 show that variation in the existence and extent of any damages suffered by the victims of a privacy breach can prevent class treatment, but statutory damages may be used to overcome this problem.
First, In March, the United States District Court for the District of Maine denied the plaintiffs’ motion to certify a class in In re Hannaford Brothers Company Data Security Breach Litigation, 293 F.R.D. 21. (D. Me. 2013). The court’s analysis was a victory for the class action defense bar because it turned on the issue of the plaintiff’s inability to prove total damages. Without a reliable method to demonstrate the damages of class members, the court held, plaintiffs could not meet the predominance requirement of Rule 23(b)(3).
Hannaford arose out of a criminal attack on the payment card system network at the Hannaford Bros. grocery chain, which potentially affected over 4 million credit and debit card numbers. Notably, at the time of its decision on certification, the court was adjudicating the case on remand from the First Circuit, which had affirmed the viability of the plaintiffs’ negligence and implied breach of contract claims because they had alleged damages as foreseeable costs, including fees for replacing cards and the cost of identity theft protection products, to mitigate harm arising from the data breach.
On remand, the plaintiffs filed their motion for class certification in line with the First Circuit decision by limiting the proposed class to “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” Nevertheless, the court held plaintiffs could not overcome the predominance requirement because they had not identified a purported expert with a method to show class-wide damages. The Hannaford court held that although plaintiffs had established commonality as to purported liability, without an expert to show lump-sum damages, they would be left with a series of mini-trials to determine individualized damages.
Conversely, in comScore v. Dunstan, No. 13-cv-8007 (7th Cir. Jun. 11, 2013), the Seventh Circuit upheld the certification of data privacy class action for alleged privacy violations under various federal statutes, including the Stored Communications Act (SCA) and the Electronic Communications Privacy Act (ECPA). According to the complaint, comScore, “an Internet research corporation that provides marketing data to a wide variety of clients, generally in the form of aggregated reports about online consumer behavior,” obtained information including “username and passwords,” “PDFs,” and “every file on the monitored consumer’s computer” through software distributed by either “paying affiliate partners to post comScore’s advertisements on their websites in an effort to solicit consumers to download comsScore’s Surveillance Software” or “paying developers to bundle the Surveillance Software with the third-party application provider’s software.” The expansive class included all individuals “who have had comsScore’s Surveillance Software installed on their computer(s).”
The Northern District of Illinois granted certification in April on the statutory claims, which carried with them statutory damages. The court found that the “plaintiffs raise[d] a variety of common questions that can be resolved on a classwide basis” under these statutes—which define statutory penalties per violation—and that it would be “far more efficient to resolve all of the common issues in a single proceeding, and then to hold individual hearings on damages if necessary, than it would be to litigate all of the common issues repeatedly in individual trials.”
Notably, in its appeal to the Seventh Circuit, comScore argued that “individualized issues inherent in cases of this type make them particularly unsuited to class treatment” because plaintiffs would not be able to prove that the entire class, which could potentially include “tens of millions of people,” had “even downloaded comScore’s software, a prerequisite to membership in the class.” The court rejected this argument and, without releasing a written opinion, denied leave to appeal certification of the 10-million member internet privacy class—“the largest privacy case ever certified on an adversarial basis.”
The key difference between Hannaford and comScore is that the damages in comScore were statutory in nature.
