First Circuit Restricts Class Certification of Classes Containing Uninjured PersonsIn recent years, courts have reached divergent conclusions about the circumstances in which a damages class containing uninjured persons can be certified. Although there is some room to debate what constitutes injury, it is well established that individual litigants who have not suffered any injury at all should not recover; after all, injury in fact is a bedrock element of standing, and it is well-settled that the purely procedural class action device cannot be used to expand existing substantive rights or create new substantive rights that did not otherwise exist. However, in class cases, there is considerable dispute among circuit courts as to when courts should deal with the presence of uninjured persons in the putative class, and how uninjured persons should factor into the class certification decision.

On the one hand, the Seventh and Ninth Circuits have held that the presence of some—but not “a great many”—uninjured persons in the putative class is not a bar to class certification. Instead, these courts have sanctioned the use of the post-judgment claims administration process to identify and remove uninjured class members. Neither court has yet attempted to explain exactly how many uninjured members constitute “a great many,” nor have they provided much clarity on exactly how to sort it all out at the end.

On the other hand, the majority of courts to consider the issue, including the Second, Fifth, Eighth, and D.C. Circuits, have broadly held that “no class may be certified that contains members lacking Article III standing,” and required that classes “be defined in such a way that anyone within it would have standing.” These courts have placed the burden squarely on plaintiffs to show that “they can prove, through common evidence, that all class members were in fact injured” by the alleged misconduct.

Previously, the First Circuit had attempted to carve out somewhat of a middle ground. In In re Nexium Antitrust Litigation, the court acknowledged that each absent class member must have suffered an injury in fact to recover, but nevertheless affirmed certification of a class that “probably” contained “a de minimis number of uninjured parties.” The court reasoned that defendants’ mere speculation that a few members of the class may have been uninjured was insufficient to rebut the plaintiffs’ showing that for the vast majority of class members, injury in fact could be proven by class-wide proof. The defendants also failed to show that it would be difficult to identify the handful of hypothetically uninjured persons.

Last month, however, the First Circuit came more in line with the majority view. In In re Asacol Antitrust Litigation, the court reversed certification of a consumer class that included a significant number (approximately 10 percent) of uninjured persons. In Asacol, the defendant manufacturer of a drug used to treat ulcerative colitis was accused of violating the Sherman Act by pulling Asacol from the market shortly before the drug’s patent was set to expire and replacing it with two similar, patent-protected drugs. The theory of liability was that by prematurely pulling Asacol from the market, the defendant had precluded entry of lower-cost, generic alternatives in the treatment of ulcerative colitis. The plaintiff class in Asacol comprised consumers who had purchased Asacol before it was taken off the market and who then had purchased at least one of the two replacement drugs after Asacol was taken off the market.

At the class certification stage, the evidence showed that approximately 10 percent of the putative class members would not have switched from Asacol to a generic even if the defendant had not adopted its allegedly anticompetitive strategy and generic versions of Asacol had been available. The district court concluded that persons who would not have switched to a generic did not suffer any injury from the alleged anticompetitive conduct. Yet, the district court certified a class containing those uninjured persons anyway, reasoning that the uninjured class members could be removed post-judgment during the claims administration process and that the total amount of the damages award could be reduced to account for the removal of uninjured class members.

In reversing certification, the First Circuit rejected the district court’s position that it would be appropriate to remove uninjured class members post-judgment during the claims administration process. As the court explained, to move the adjudication of injury-in-fact to the claims administration process would deprive the defendant of its fundamental Seventh Amendment right to a trial by jury on all of the elements of the plaintiffs’ causes of action. Moreover, the defendant had introduced substantial evidence showing that identifying the uninjured class members would require precisely the sort of individualized inquiries antithetical to both the predominance and superiority requirements of Rule 23(b)(3). As a result, the court reasoned that class certification would be inappropriate. The court distinguished its Nexium decision for two reasons: (1) unlike in Nexium, in Asacol a more than “de minimis” number of class members were uninjured; and (2) unlike in Nexium, in Asacol the defendant came forward with substantial evidence both of the number of uninjured persons and the difficulty of proving injury on a class-wide basis – and made clear that it intended to present that evidence at trial.

There are several important takeaways for class action defendants in courts that follow the Asacol rationale:

1. Asacol’s impact will likely be broader than antitrust cases. Although there is some language in the Asacol opinion that purports to limit its holding to antitrust or similar claims, in which “injury in fact” is an affirmative element of the cause of action, Asacol will likely have a much broader application. That is because Article III itself requires that every federal plaintiff have suffered an “injury in fact” to have standing to recover in federal court, and it is unlikely that the current Supreme Court will allow Rule 23 to serve as an end-run on that constitutional requirement.

2. Defendants should introduce evidence at class certification concerning the number of uninjured class members and the difficulty of identifying them. Asacol reinforces the importance to class action defendants to introduce substantial evidence at the class certification stage of the number of uninjured absent class members and the difficulties in proving injury on a class-wide basis. Although plaintiffs bear the burden of proving that the requirements of Rule 23 have been met, as a practical matter, defendants will likely have to level a genuine challenge to allegations of injury in fact and to the plaintiffs’ ability to prove injury on a class-wide basis to defeat class certification because of the presence of uninjured class members. Speculation or unsubstantiated theories that the class may contain uninjured persons probably won’t cut it. Expert testimony will often be required to meet this practical burden.

3. Consider challenging certification even where the number of uninjured class members seems de minimis. One of the stated bases for the court’s decision in Asacol was the fact that the number of uninjured class members was not de minimis. As the court explained, it would have had far fewer concerns if the class had contained just a few uninjured members who could have easily been “picked off” by the defendant “in a manageable, individualized process at or before trial.” This seems to us to be a point of internal inconsistency in the court’s rationale. The Seventh Amendment does not have a “de minimis number of litigants” exception, yet the First Circuit’s approach arguably still seems to.

Assuming the de minimis exception continues to survive to some degree, this does not necessarily mean that defendants should not challenge certification where it appears that only a de minimis number of class members were uninjured. Most importantly, to the extent a court adopts a procedure that contemplates identifying and removing the de minimis number of uninjured class members post-judgment, we believe, as the First Circuit seemed to also conclude, that such a procedure would violate the Seventh Amendment, the Rules Enabling Act, and Article III, none of which have a de minimis exception. We think it likely that the Supreme Court will soon make that clear, perhaps even in a petition for certiorari in this very case should one be filed.  Therefore, we recommend persistently raising and preserving the argument that certification of a damages class is inappropriate unless each and every class member has suffered injury. Unless a class defendant makes that argument, it may be deemed to have forfeited its Seventh Amendment rights, given that those rights can always be waived.

In addition, even if the court attempts to mitigate Seventh Amendment concerns by adopting a process that would allow the jury to identify the uninjured persons at trial, that still does not necessarily mean that class certification would be appropriate. On the contrary, if the process by which uninjured persons are identified would require highly individualized—and likely unmanageable—factual inquiries, then Rule 23(b)(3)’s predominance and superiority requirements might be defeated. That arguably was the case in Asacol, where injury turned on an individualized, subjective inquiry of each putative class member’s purchasing decisions.

Spokeo v. Robins – which confirmed that a plaintiff’s allegation of a defendant’s statutory violation without accompanying concrete harm fails to satisfy Article III’s “case or controversy” requirement – has brought the issue of standing to the forefront in a variety of class action cases. Standing has become a frequent weapon in the defense’s arsenal, both as an initial hurdle for a class plaintiff to overcome, and as a basis for resisting class certification by demanding that each putative class member demonstrate actual, concrete injury. A recent decision by the Seventh Circuit, however, reminds us that there can be a downside to a successful standing challenge: the permanent loss of a federal forum for adjudication of the claim.

The Standing Trap: Will a Spokeo Challenge Lock a Class Action Defendant into a State Court Forum?Collier v. SP Plus Corporation involved a class action brought against the operator of public parking facilities, claiming that the receipts generated by the defendant contained the expiration dates of consumers’ credit and debit cards, in violation of the Fair and Accurate Credit Transaction Act (FACTA). Plaintiffs alleged willful violation of FACTA and sought statutory and actual damages. Their complaint, however, did not describe any concrete harm resulting from the alleged statutory violation. SP Plus removed the case to federal court, invoking the court’s federal question jurisdiction under FACTA, and then moved to dismiss under Fed. R. Civ. P. 12(b)(1), contending that plaintiffs lacked Article III standing because they alleged no injury in fact.  Plaintiffs responded by moving to remand the case to state court, contending that SP Plus had failed to establish subject matter jurisdiction. The district court denied the motion to remand, and granted plaintiffs leave to amend to make factual allegations in support of their request for actual damages. When plaintiffs did not amend their complaint, the trial court dismissed the case with prejudice. Plaintiffs appealed to the Seventh Circuit.

The appeals court reversed. The court agreed that plaintiffs’ complaint did not allege an actual injury sufficient to establish Article III standing under Spokeo. Nonetheless, relying on the mandatory language of 28 U.S.C. § 1447(c), the court held that remand to state court was the only permissible option upon a finding of lack of subject matter jurisdiction. The court also noted that even if a dismissal had been proper, it should have been one without prejudice, as a jurisdictional dismissal is not an adjudication on the merits. In a parting shot, the court expressed displeasure that the defendant had removed the case to federal court and then promptly attacked federal jurisdiction; SP Plus’s “dubious strategy has resulted in a significant waste of federal judicial resources, much of which was avoidable.”

There are several takeaways from this decision:

  • From the defense perspective, seeking a Rule 12(b)(1) jurisdictional dismissal in a case removed from state court is strategically risky. The weight of authority (which Collier reflects) and the language of 28 U.S.C. § 1447(c) instruct that a successful challenge to plaintiff’s standing will result in a remand to state court. And the benefit of a federal court’s ruling of “no Article III standing” is far from clear, unless the state court’s standing jurisprudence mirrors Article III. Even then, as a non-final (and, at best, appealable by permission only) ruling, it is difficult to imagine that a state court would consider the remand order to be preclusive. There is authority in some circuits that a district court can dismiss rather than remand to state court if remand would be futile, i.e., if it is clear that the state court would likewise dismiss for lack of standing. But making that showing is likely to be difficult, as many states’ standing rules differ from federal standards. And – as Collier also teaches – a jurisdictional dismissal by the federal court should be one without prejudice, leaving the plaintiff free to refile the case in state court anyway.
  • Of course, ignoring standing altogether does not eliminates the trap. The plaintiff himself can raise the issue in an effort to have the case remanded. And as the late, great Dan Meador taught many of us in his Federal Courts class, “even the janitor can raise subject matter jurisdiction.” But beyond those scenarios, the defendant is better served by saving its standing arguments for class certification, in particular the argument that each class member must show actual injury, thus defeating commonality, typicality and predominance. Not all courts have bought into the concept that every member of the class must have standing, but arguing these issues under the Rule 23 factors can create traction for the defense while minimizing the risk of remand.
  • Collier also serves as a reminder that federal jurisdictional statutes (including the Class Action Fairness Act) may be of limited utility to the defendant facing a class action involving statutory violations without actual injury. Federal district courts have a duty independent of any Congressional enactment to determine whether an action involves an actual “case or controversy” under Article III.
  • Defense counsel’s natural instinct in “touch foul” class actions is to argue early and often that “plaintiff hasn’t been hurt at all.” In class cases removed from state court, however, it may be wise to curb that instinct. Attacking standing can result in the defendant being left to the tender mercies of the state court where plaintiff’s counsel initially chose to bring the suit.

Two More Circuits Find Data Breach Standing without Proof that Plaintiffs’ Data Was MisusedData breaches have become commonplace. Despite the best efforts of many, identity thieves and hackers always seem to find a new vulnerability somewhere in the system of virtually every company that conducts business online. And, as the recent Facebook debacle reveals, sometimes data is even shared with legitimate third parties in ways customers neither realized nor anticipated.

The Battle for Standing

Standing is a hotly contested battleground when a data breach spawns class action litigation. After all, we regularly give our credit cards to waiters and store clerks; we regularly publicize our email addresses in all sorts of unsecure ways; and much of our other personal information is readily available in one public forum or another. In all likelihood, after years of recurring data breaches, each of us has probably had our personal information exposed in more than one of these privacy incidents. So, why should the compromise of personally identifiable information absent misuse of that data traceable to a specific breach confer standing on anyone to sue any particular data breach defendant?

Courts have struggled with this issue over the years. On the one hand, Article III requires concrete actual injury or at least impending actual injury in order for a plaintiff to have standing to invoke federal jurisdiction. On the other hand, though, there is a growing concern in America that those who collect customer data should pay a price for not properly safeguarding it.

These tensions are reflected in a wide variety of standing decisions in the data breach context.  Some courts (see decisions in Reilly v. Ceridian and Beck, et al. v. McDonald, et al.) have taken a dim view of the threat of future harm, i.e., an increased likelihood of future identity theft, as a proffered basis of Article III standing. Others (see decision in In re SuperValu, Inc. Customer Data Security Breach Litigation) have questioned the basis for standing where breaches only involve credit card information, but not enough information for bad actors to open new credit accounts. Still though, other courts have bent over backwards to find standing in the data breach context, arguing that time spent protecting oneself from a data breach (see Galaria/Hancox v. Nationwide Mut. Ins. Co.) or even the increased likelihood of data misuse (see Attias v. CareFirst, Inc.) is enough to confer Article III standing. Earlier this year, the Supreme Court declined to still the waters, denying CareFirst’s cert position challenging the D.C. Circuit’s conclusion that fear of future data misuse was enough to confer standing, despite clear circuit splits over that analysis.

So, the lower court disarray over standing continues to fester. In recent days, two more circuits have joined the side of class action plaintiffs in finding standing without data misuse.

The Ninth Circuit

The Ninth Circuit, in In re Zappos.com, found sufficient standing where plaintiffs’ allegations were based on an “increased risk of identity theft.” Early 2012, the servers of an online retailer were breached. During the breach, the personal information—names, account numbers, passwords, credit card information, etc.— of over 24 million customers was compromised. Several of the affected customers filed class actions, which were consolidated at the pretrial proceedings stage. Specifically, the plaintiffs involved with the recent ruling did not allege that they experienced any kind of financial loss from identity theft. Initially, the trial court dismissed the plaintiffs’ claim for lack of Article III standing. On appeal, the Ninth Circuit was tasked with deciding whether plaintiffs had standing based on the alleged risk of future harm.

Previously, the Ninth Circuit handled Article III standing of victims of data theft (see Krottner v. Starbucks Corp.). There, a laptop containing the personal information of almost 100,000 employees was stolen. Some of the affected employees sued, alleging that their harm was an “increased risk of future identity theft.” The Ninth Circuit held that the increased risk was enough to merit standing, finding that plaintiffs had “alleged a credible threat of real and immediate harm” due to the theft of the laptop containing their personally identifiable information.

In Zappos.com, the retailer asserted that the Supreme Court’s latest finding (see Clapper v. Amnesty International USA) meant that Krottner was inapplicable to the case at hand. The Clapper plaintiffs argued that for Article III standing, alleging that “there [was] an objectively reasonable likelihood that their communications [would] be acquired ‘at some point in the future.’” The Supreme Court ruled that “an objectively reasonable likelihood” of injury was insufficient where plaintiffs argument depended on a series of inferences that was “too speculative” to comprise a cognizable injury. In Krottner, unlike Clapper, no speculation was needed where the laptop thief already had all the information necessary to open accounts and cause financial harm to plaintiffs.

Accordingly, the Ninth Circuit, having decided that Krottner and Clapper were not irreconcilable, concluded that Krottner was applicable to the Zappos plaintiffs’ claims. The Zappos plaintiffs alleged both that the compromised information could be used to commit identity theft and that their credit card numbers had been breached, leading the Ninth Circuit to find that bad actors could immediately cause plaintiffs harm. The court also pointed to other plaintiffs within the case who had already suffered identity theft as a result of the breach. The court determined that the Zappos plaintiffs sufficiently alleged an injury in fact under Krottner.

The court assessed the remaining Article III requirements: whether the alleged risk of future harm is “fairly traceable” to the conduct challenged, and whether the injury will be redressed by the litigation. Relying on a case (see Remijas v. Neiman Marcus Group, LLC) where the Seventh Circuit ruled “[t]he fact that some other store might [also] have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue” and their injury was nonetheless “fairly traceable” to the defendant’s data breach, the Ninth Circuit determined that even if plaintiffs suffered identity theft caused by data stolen in other breaches, those compromised would not negate their standing to sue in the case at hand. Further, the court found that the risk of identity theft was redressable by relief that could be obtained through this litigation and compensation through damages. Consequently, the Ninth Circuit reversed the trial court’s judgment as to plaintiffs’ standing and remanded the case for further consideration.

The Seventh Circuit

Similarly, the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (see Dieffenbach v. Barnes & Noble, Inc.). The case was previously dismissed—three times— by the U.S. District Court for the Northern District of Illinois for lack of standing.

In 2012, “skimmers” breached the payment terminals in B&N stores, siphoning off customer information, e.g., names, payment card numbers, PINs, etc. Customer card information was stolen from terminals in over 60 B&N stores. Following the breach, plaintiffs filed a putative class action alleging (1) breach of implied contract (to secure payment card data); (2) violation of the Illinois Consumer Fraud & Deceptive Practices Act (ICFA); (3) violation of the California Security Breach Notification Act (DBNA); and (4) violation of the California Unfair Competition Act (UCA). In 2013, the district court first dismissed plaintiffs’ complaint without prejudice for lack of standing, ruling that plaintiffs failed to allege pecuniary harm.

In 2016, B&N submitted a motion to dismiss the amended complaint. Before the motion was submitted, however, the Seventh Circuit decided Remijas. Despite Remijas, the district court again dismissed the complaint, noting that while plaintiffs could merit standing based on the risk of future identity theft, plaintiffs still failed to allege “cognizable damages.” In 2017, the same district court, albeit a different judge, dismissed plaintiffs’ second amended complaint, finding that plaintiffs had not alleged any economic harm as a result of the breach.

The Seventh Circuit vacated the district court’s dismissal, finding that plaintiffs’ second amended complaint satisfied pleading standards relative to the injuries alleged from the breach. The court explained that alleging injury-in-fact for standing also meets the requirement of alleging a cognizable injury and entitlement to damages. Further, the court noted that “the federal rules [of civil procedure] do not require plaintiffs to identify items of loss (except for special damages).” Specifically, Federal Rule of Civil Procedure 8(a)(3) does not require plaintiffs to allege the details of their injury, and Rule 54(c) entitles plaintiffs to any legally available relief, regardless of whether the relief is pled in the complaint.

The court then looked to the injuries alleged by plaintiffs—loss of access to personal funds, time spent with law enforcement and banking representatives, deactivation of card, monthly charges for credit monitoring, etc.—determining that they were sufficient to meet the cognizable damages requirements under several of the plaintiffs’ claims.

Looking Forward

It appears that a new trend is emerging at least in some of the more class-friendly circuits: finding standing in data breach class actions despite the absence of actual financial harm suffered by the plaintiffs. Likely, courts are attempting to respond to the proliferation of larger, more costly data breaches, as well as to a paradigmatic shift in sensitivity and senses of ownership over individual data. Regardless of the reasoning, it is evident that more and more plaintiffs’ counsel in data breach suits will bring their actions in these more favorable venues so as to be more assured of surviving standing inquiries. Businesses need to consider how best to prepare themselves for more vigorous, involved litigation in the data breach context. This includes planning for data breach litigation long before the data breach hits. Businesses should start by identifying and retaining knowledgeable, reliable outside data breach counsel, working with counsel to identify and retain reliable outside data breach response vendors, and doing all of that in coordination with their cyber liability insurance carriers. Those who lack cyber liability coverage should look into the coverage currently available, as this is more of a buyer’s market than it once was. Data breaches are interdisciplinary; they require a comprehensive team of legal, forensic, technological, and marketing professionals to fully and accurately assess, respond to, and ultimately remediate the damage done. Businesses cannot afford to wait until after a breach has occurred to assemble their response teams. The cost of procrastination is simply too high.