COURTS REACH DIFFERENT CONCLUSIONS IN DATA PRIVACY AND DATA BREACH CASES SEEKING CLASS CERTIFICATION

In a tale of two courts, two federal courts have recently gone in opposite directions on the issue of class certification in data privacy and data breach lawsuits.  In In Re Hannaford Bros. Co. Customer Data Security Breach Litigation[1], the court refused to certify a class to pursue claims arising out of a data breach of Hannaford Grocery Stores.  In 2007 and 2008, a breach at the retail points of sale at Hannaford had resulted in the theft of customer’s debit and credit card data.

Four named plaintiffs moved to certify a class of plaintiffs to pursue claims for fees to obtain new cards, fees paid to expedite delivery of new cards, and fees paid for identity theft insurance and credit monitoring.  The U.S. District Court in Maine refused to certify the class on the grounds that the plaintiffs had not shown that the issues common to the class members predominated over the questions affecting only individual members of the class.  The plaintiffs had not shown that card fees incurred by Hannaford customers were due to the data breach, rather than simple replacement of lost cards, responding to marketing, etc.  Therefore, the entitlement to recovery could only be determined on an individual cardholder basis.  Since inquiry of each individual cardholder would be necessary, it was not appropriate for the matter to proceed as a class action.

In the Northern District of Illinois, the District Court reached a different conclusion on a question of class certification in a data privacy case. Harris v. comScore[2], the plaintiff’s suit claimed that comScore improperly obtained and used their personal information from their computers after they downloaded and installed comScore software.

comScore collects data about the activities of consumers on the internet, analyzes the data, and sells it to clients.  The comScore software, if installed on a computer, constantly collects data about the activity on the computer.  comScore distributed their software to computer users through “bundlers”.  When computer users download a bundler software, they are offered the opportunity to download comScore software at the same time.

comScore provides a “downloading statement,” which tells the user how the software operates, the information that is collected, and how the information is used.  The suit alleged that comScore exceeded its representations as to the scope of information, which would be collected, and the selling of that information.

The court certified as a class, “All individuals who have had, at any time since 2005, downloaded and installed comScore tracking software onto their computers via one of comScore’s third party bundling partners”.  The court found that the questions and issues for the users as a class, predominated over the questions or issues for individual computer users.

The court refused, however, to certify as a class the claim of “unjust enrichment.”  Damages under a claim of unjust enrichment are generally determined by the law of the state in which the class member resides.  Since there are likely computer users, who would be included as class members, from each of the 50 states, the amount of damages would vary greatly, depending on the law in each state.  Therefore, a class action  would not be a superior method for  fairly and efficiently adjudicating the issue of unjust enrichment.

As litigation grows in the areas of data privacy and data breach, we can be sure to see more efforts to bring class action suits.  In many of these cases, the damages to individual cardholders or computer users are small.  It often does not pay for such individuals to bring a suit based upon their personal losses.  When grouped with thousands of similarly situated persons, however, the potential total damages makes the suit much more attractive for plaintiff class action lawyers.