Court Rejects Class Certification in Data Breach - Driveline Retail Merch., Inc.
Data breach litigations rarely make it to motions for class certification. This trend makes each decision that does come out addressing class certification in the data breach context that much more interesting. Well, last week a federal court denied a plaintiff’s motion to certify a class in the wake of an employer data breach that allegedly resulted in the disclosure of employees’ sensitive tax information and other data. Read on below.
First, the (alleged) facts. In McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021), a plaintiff filed suit against her employer after the employer was the victim of a phishing attack. That attack resulted in the purported disclosure of current and former employees’ personal and tax information, including their names, addresses, zip codes, dates of birth, wages and withholding information, and Social Security numbers. Following disclosure of the data breach, the employer offered employees 12 months of credit monitoring service (some accepted the services, while others did not).
Plaintiff subsequently filed a putative class action complaint, asserting various tort and state consumer protection claims under Illinois law. She alleged generally that, as a result of the data breach, criminals could file fraudulent tax returns, file for unemployment benefits, and apply for a job using a false identity due to disclosure of the class members’ Social Security numbers. And more specifically, Plaintiff alleged that: (1) following the breach someone used her personally identifiable information (“PII”) to open a new credit card account and (2) she spent time mitigating the issues arising out of the misuse of her personal information. Besides seeking monetary damages, Plaintiff also sought an injunction directing her employer to adequately safeguard the PII of employees by implementing improved security procedures and to provide enhanced disclosures regarding the data breach.
A short refresher on procedure: To get certified, every federal class action must satisfy not only the four prerequisites of Federal Rule of Civil Procedure 23(a), but also one of the three scenarios set forth in Rule 23(b). In determining whether to certify a class, a district court first assesses whether the putative class meets Rule 23(a)’s prerequisites: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation. If (and only if) the class meets all these requirements, the court will then assess whether one of the scenarios set forth in Rule 23(b) is satisfied. Class certification matters as it raises the stakes in litigation and can lead to damages awards (or settlements) and big payouts for class counsel.
Back to the case at hand. Plaintiffs in McGlenn sought class certification, primarily relying on Rule 23(b)(3). Under this rule, a class seeking damages can be certified if (in addition to meeting the Rule 23(a) criteria), the plaintiffs establish both predominance (i.e., that questions common to class members predominate over questions affecting individual ones) and superiority (i.e., that the class action is the best way to litigate the case). Plaintiffs also sought to certify a class seeking injunctive relief (in the form of enhanced security measures) under Rule 23(b)(2). That rule provides that an injunction-only class may be certified if (in addition to meeting the Rule 23(a) thresholds), the defendant “acted or refused to act on grounds that apply generally to the class.”
How did things shake out before the court? Class certification was denied for several independent reasons:
Commonality Absent Under Rule 23(a): The court held that the Rule 23(a) requirements for class certification were absent, as Plaintiff could not show commonality under Rule 23(a). This was because, the court explained, “[w]hile the Court recognizes that Plaintiff has proven certain issues are common to the proposed class, such as liability, the issues of causation and injury require individual inquiry.” Id. at *15.
Certification Under Rule 23(b)(2) Inappropriate: The court also found that certification of the proposed injunctive class was not supported by Rule 23(b)(2). This was because, consistent with Seventh Circuit precedent, Plaintiff could not show that “a mandatory injunction would remedy the alleged harm.” Because the PII of the putative class had already been disclosed, enhanced security measures and training would do nothing to remedy the damages claimed by the class.
Certification Under Rule 23(b)(3) Also Unsupported: Finally, the court also found class certification inappropriate under Rule 23(b)(3). Plaintiff argued that “each putative class member suffered damage and injury as a result of the [data breach] and ‘each suffered the same general type of damages – loss of value of PII, out of pocket monetary expenses, and other foreseeable losses stemming from identity theft.’” Plaintiff asserted that this could be shown on a class-wide basis through the use of expert testimony. The court disagreed. Plaintiffs’ expert did not “present testimony that the putative class members sustained bank charges or service reinstatement fees as a result of the [data breach], suffered negative credit ratings, were denied a loan, sought public assistance, were the victims of medical identity thefts, or had their Social Security numbers used to file a fraudulent tax return.”
The court expressed doubt whether Plaintiff and other class members have actually suffered any injury that was compensable (as most merely claimed they were at risk of suffering speculative future harm). And as a more fundamental matter, the court also noted reservations that defendant (as an employer) owed the putative class members any duty at all to protect their PII (the Seventh Circuit has held that Illinois has not created a common law duty between an employer and an employee to safeguard personal information beyond providing notice of a disclosure).
So there you have it. Another day, another development in the ever-changing landscape of data privacy litigation. It’s a success for employers/companies defending class actions that implicate individual damages issues.