By David M. Governo and Corey M. Dennis, CIPP/US
Privacy and data breach class actions are on the rise. In fact, just last month, three class actions were filed against MAPCO Express, a southern convenience store chain, based on a hacking incident involving the compromise of its customers’ credit and debit card information. Plaintiffs in such class actions typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor or other company handling their personal information—failed to adequately protect that information, used that information for unauthorized purposes, e.g., online “tracking” or behavioral advertising, or otherwise violated their privacy rights under state or federal statutes or common law.
In class-action lawsuits—including privacy and data breach class actions—plaintiffs are often unable to overcome the class-certification hurdle, which generally results in the failure of the case. For example, class certification was denied in a recent data breach class action in which the plaintiffs claimed that, following an incident in which millions of customers’ debit and credit card data was stolen from a grocery chain, they incurred mitigation damages, including fees for new credit/debit cards, identity theft insurance and credit monitoring. The court found that the plaintiffs met the class certification requirements under Fed. R. Civ. P. 23(a), i.e., numerosity, commonality, typicality and adequacy of representation, but failed to meet the predominance requirement of Fed. R. Civ. P. 23(b), which requires a showing that questions of law or fact common to class members predominate over questions affecting only individual members. Other obstacles for plaintiffs in such cases include establishing standing, injury and causation.
Impact of the U.S. Supreme Court’s Decision in Comcast
Earlier this year, the U.S. Supreme Court reversed class certification in Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013), an antitrust class action brought by cable television subscribers, concluding that the plaintiffs failed to meet Fed. R. Civ. P. 23(b)’s predominance requirement. Although the plaintiffs proposed four theories of antitrust impact, the court only accepted the “overbuilder theory,” i.e., that Comcast’s activities reduced competition from companies building cable networks in the market area. The damages model offered by the plaintiffs’ expert calculated damages for the entire class at $875,576,662 but did not isolate damages resulting from any particular theory. As a result, the court held that the plaintiffs’ proffered damages methodology was inconsistent with their theory of antitrust liability and inadequate to establish damages on a classwide basis, emphasizing that a “rigorous analysis” of the plaintiffs’ damages model must be conducted.
The Comcast decision has established stricter class-certification standards, making certification more challenging going forward; as noted recently in Forrand v. Federal Express Corp., a plaintiff must now proffer a damages methodology “that can be applied classwide and that ties the plaintiff’s legal theory to the impact of the defendant’s allegedly illegal conduct.” However, some decisions have cast doubt on the case’s impact on the broader class-action landscape, particularly in cases involving less complex damages calculations or certification only as to liability classes. For example, In re Whirlpool Corp. Front-Loading Washer Products Liab. Litig. affirmed a liability class certification in a product liability case, reasoning that Comcast only applies in cases involving liability and damages certification; Manno v. Healthcare Revenue Recovery Grp., LLC, certified a Telephone Consumer Protection Act (TCPA) class action and disagreed that Comcast “treads any new ground in class action law”; and Martins v. 3PD, Inc., certified a wage act class action where damages calculation issues were neither “particularly complicated nor overwhelmingly numerous.”
ComScore—Largest Internet Privacy Class Action
More recently, a class was certified in Harris v. comScore, Inc., a privacy class action in which the plaintiffs claim that comScore, an online data research company, unlawfully collected data about their activities on the Internet, analyzed that data and sold it to third parties. The plaintiffs seek statutory damages for violations of several federal privacy statutes: the Stored Communications Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.
The comScore court concluded that a class action was the most efficient method for resolving the common issues and that “individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.” The court also reasoned that the U.S. Supreme Court’s “assumption, uncontested by the parties” in Comcast, that Fed. R. Civ. P. 23(b)(3) requires a classwide damages calculation methodology in antitrust cases, “even assuming it is applicable to privacy class actions in some way, is merely dicta and does not bind this court.” Last month, the U.S. Court of Appeals for the Seventh Circuit denied comScore’s appeal of the class-certification ruling, allowing the case to proceed. The comScore class is likely to include millions of individuals, making it one of the largest class actions ever certified.
The emerging trend of privacy and data breach class actions has not been limited to the U.S.; in fact, several such class actions were recently filed in Canada. In June, the Quebec Superior Court granted authorization for a class action in which the plaintiffs claim that Apple violated their privacy rights by transmitting or allowing iPhone and iPad devices to transmit private data to advertisers.
The potential liability resulting from privacy and data breach class actions is so substantial that privacy may be the “next frontier in consumer class actions.” With so much at stake, class certification will undoubtedly be not only an important issue but also a critical battleground in future cases.
David M. Governo is the founding partner of Governo Law Firm, LLC, in Boston, MA. For over three decades, he has defended companies in complex litigation and counseled companies on a range of risk management and compliance issues. He has attained Martindale-Hubbell’s highest “AV” rating, is an active member of the Federation of Defense and Corporate Counsel and has been voted a New England Super Lawyer for many years.
Corey M. Dennis, CIPP/US, is an associate at Governo Law Firm, LLC, where he defends companies in complex litigation and counsels companies on compliance with privacy and data security laws. He has written and spoken extensively on a variety of subjects, including privacy and data security law, social media, employment law, product liability and civil litigation.