First Circuit Restricts Class Certification of Classes Containing Uninjured PersonsIn recent years, courts have reached divergent conclusions about the circumstances in which a damages class containing uninjured persons can be certified. Although there is some room to debate what constitutes injury, it is well established that individual litigants who have not suffered any injury at all should not recover; after all, injury in fact is a bedrock element of standing, and it is well-settled that the purely procedural class action device cannot be used to expand existing substantive rights or create new substantive rights that did not otherwise exist. However, in class cases, there is considerable dispute among circuit courts as to when courts should deal with the presence of uninjured persons in the putative class, and how uninjured persons should factor into the class certification decision.

On the one hand, the Seventh and Ninth Circuits have held that the presence of some—but not “a great many”—uninjured persons in the putative class is not a bar to class certification. Instead, these courts have sanctioned the use of the post-judgment claims administration process to identify and remove uninjured class members. Neither court has yet attempted to explain exactly how many uninjured members constitute “a great many,” nor have they provided much clarity on exactly how to sort it all out at the end.

On the other hand, the majority of courts to consider the issue, including the Second, Fifth, Eighth, and D.C. Circuits, have broadly held that “no class may be certified that contains members lacking Article III standing,” and required that classes “be defined in such a way that anyone within it would have standing.” These courts have placed the burden squarely on plaintiffs to show that “they can prove, through common evidence, that all class members were in fact injured” by the alleged misconduct.

Previously, the First Circuit had attempted to carve out somewhat of a middle ground. In In re Nexium Antitrust Litigation, the court acknowledged that each absent class member must have suffered an injury in fact to recover, but nevertheless affirmed certification of a class that “probably” contained “a de minimis number of uninjured parties.” The court reasoned that defendants’ mere speculation that a few members of the class may have been uninjured was insufficient to rebut the plaintiffs’ showing that for the vast majority of class members, injury in fact could be proven by class-wide proof. The defendants also failed to show that it would be difficult to identify the handful of hypothetically uninjured persons.

Last month, however, the First Circuit came more in line with the majority view. In In re Asacol Antitrust Litigation, the court reversed certification of a consumer class that included a significant number (approximately 10 percent) of uninjured persons. In Asacol, the defendant manufacturer of a drug used to treat ulcerative colitis was accused of violating the Sherman Act by pulling Asacol from the market shortly before the drug’s patent was set to expire and replacing it with two similar, patent-protected drugs. The theory of liability was that by prematurely pulling Asacol from the market, the defendant had precluded entry of lower-cost, generic alternatives in the treatment of ulcerative colitis. The plaintiff class in Asacol comprised consumers who had purchased Asacol before it was taken off the market and who then had purchased at least one of the two replacement drugs after Asacol was taken off the market.

At the class certification stage, the evidence showed that approximately 10 percent of the putative class members would not have switched from Asacol to a generic even if the defendant had not adopted its allegedly anticompetitive strategy and generic versions of Asacol had been available. The district court concluded that persons who would not have switched to a generic did not suffer any injury from the alleged anticompetitive conduct. Yet, the district court certified a class containing those uninjured persons anyway, reasoning that the uninjured class members could be removed post-judgment during the claims administration process and that the total amount of the damages award could be reduced to account for the removal of uninjured class members.

In reversing certification, the First Circuit rejected the district court’s position that it would be appropriate to remove uninjured class members post-judgment during the claims administration process. As the court explained, to move the adjudication of injury-in-fact to the claims administration process would deprive the defendant of its fundamental Seventh Amendment right to a trial by jury on all of the elements of the plaintiffs’ causes of action. Moreover, the defendant had introduced substantial evidence showing that identifying the uninjured class members would require precisely the sort of individualized inquiries antithetical to both the predominance and superiority requirements of Rule 23(b)(3). As a result, the court reasoned that class certification would be inappropriate. The court distinguished its Nexium decision for two reasons: (1) unlike in Nexium, in Asacol a more than “de minimis” number of class members were uninjured; and (2) unlike in Nexium, in Asacol the defendant came forward with substantial evidence both of the number of uninjured persons and the difficulty of proving injury on a class-wide basis – and made clear that it intended to present that evidence at trial.

There are several important takeaways for class action defendants in courts that follow the Asacol rationale:

1. Asacol’s impact will likely be broader than antitrust cases. Although there is some language in the Asacol opinion that purports to limit its holding to antitrust or similar claims, in which “injury in fact” is an affirmative element of the cause of action, Asacol will likely have a much broader application. That is because Article III itself requires that every federal plaintiff have suffered an “injury in fact” to have standing to recover in federal court, and it is unlikely that the current Supreme Court will allow Rule 23 to serve as an end-run on that constitutional requirement.

2. Defendants should introduce evidence at class certification concerning the number of uninjured class members and the difficulty of identifying them. Asacol reinforces the importance to class action defendants to introduce substantial evidence at the class certification stage of the number of uninjured absent class members and the difficulties in proving injury on a class-wide basis. Although plaintiffs bear the burden of proving that the requirements of Rule 23 have been met, as a practical matter, defendants will likely have to level a genuine challenge to allegations of injury in fact and to the plaintiffs’ ability to prove injury on a class-wide basis to defeat class certification because of the presence of uninjured class members. Speculation or unsubstantiated theories that the class may contain uninjured persons probably won’t cut it. Expert testimony will often be required to meet this practical burden.

3. Consider challenging certification even where the number of uninjured class members seems de minimis. One of the stated bases for the court’s decision in Asacol was the fact that the number of uninjured class members was not de minimis. As the court explained, it would have had far fewer concerns if the class had contained just a few uninjured members who could have easily been “picked off” by the defendant “in a manageable, individualized process at or before trial.” This seems to us to be a point of internal inconsistency in the court’s rationale. The Seventh Amendment does not have a “de minimis number of litigants” exception, yet the First Circuit’s approach arguably still seems to.

Assuming the de minimis exception continues to survive to some degree, this does not necessarily mean that defendants should not challenge certification where it appears that only a de minimis number of class members were uninjured. Most importantly, to the extent a court adopts a procedure that contemplates identifying and removing the de minimis number of uninjured class members post-judgment, we believe, as the First Circuit seemed to also conclude, that such a procedure would violate the Seventh Amendment, the Rules Enabling Act, and Article III, none of which have a de minimis exception. We think it likely that the Supreme Court will soon make that clear, perhaps even in a petition for certiorari in this very case should one be filed.  Therefore, we recommend persistently raising and preserving the argument that certification of a damages class is inappropriate unless each and every class member has suffered injury. Unless a class defendant makes that argument, it may be deemed to have forfeited its Seventh Amendment rights, given that those rights can always be waived.

In addition, even if the court attempts to mitigate Seventh Amendment concerns by adopting a process that would allow the jury to identify the uninjured persons at trial, that still does not necessarily mean that class certification would be appropriate. On the contrary, if the process by which uninjured persons are identified would require highly individualized—and likely unmanageable—factual inquiries, then Rule 23(b)(3)’s predominance and superiority requirements might be defeated. That arguably was the case in Asacol, where injury turned on an individualized, subjective inquiry of each putative class member’s purchasing decisions.

Irrevocable Consent Comes to the Eleventh Circuit: Two District Courts Apply Reyes to Boot TCPA CasesA critical question in Telephone Consumer Protection Act (TCPA) cases is whether the plaintiff gave consent to receive communications from the defendant, and whether that consent had been revoked by the time of the communication. Given the problems with the TCPA in general, you would probably not be surprised to learn that the TCPA does not specify how a person can revoke consent. The TCPA lawsuit industry wants a world where a person can give formal consent to receive communications and then revoke it on a whim. This “anything goes” revocation standard can expose companies to sudden and sizable liability.

Thankfully, the Second Circuit held in Reyes v. Lincoln Automotive Financial Services that a person who gives consent as part of a bargained-for exchange cannot unilaterally revoke it. Where a consumer consented as part of the consideration for the contract, the company can continue to rely on that consent.

Irrevocable consent under Reyes is anathema to TCPA cases because most companies are––or soon will be––including appropriate consent language in their agreements with their customers.

The big question facing companies now is whether Reyes will expand beyond the Second Circuit. While some early trends were bad, we are happy to report that two district courts in the Eleventh Circuit have relied on Reyes to grant summary judgment in TCPA cases.

The first of these two cases is Few v. Receivable Performance Management, in which the Northern District of Alabama granted summary judgment in a single-plaintiff case. In Ms. Few contract with her satellite TV provider, she agreed that the provider and any debt collector acting on the provider’s behalf could contact Ms. Few at a particular phone number. A debt collector then called Ms. Few to recover an alleged debt, and Ms. Few said that she did not wish to receive calls. The debt collector nevertheless called or texted more than 180 times.

No dice, ruled the district court. In the absence of controlling Eleventh Circuit precedent, the court found Reyes persuasive and applied the bargained-for exchange rule: “because she offered that consent as part of a bargained-for exchange and not merely gratuitously, she was unable to unilaterally revoke that consent.”

The Middle District of Florida––a notoriously dangerous TCPA jurisdiction for defendants––reached a similar result in Medley v. Dish Network, LLC. The plaintiff, Ms. Medley, complained that her lawyer had effectively revoked her consent to be contacted by Dish, which responded with a Reyes argument. The court agreed with Dish, and cited the Northern District of Alabama’s Few case with approval. It also helpfully distinguished several cases that had permitted unilateral consent revocation.

These cases are good news for companies facing TCPA liability in the Eleventh Circuit. While the appeals court has recognized federal common law governs issues of giving and revoking consent, it has not yet addressed Reyes and the effect of a bargained-for exchange. It is hoped that Few and Medley will lead a trend toward further adoption of Reyes.

The takeaway in litigation is to press the Reyes issue. Some courts have reached unfavorable conclusions when addressing consent and revocation in the abstract, but courts have been more receptive to defendants that can point to the particular inequity of a plaintiff getting the benefits of consent in a contract and then repudiating the contract to obtain a TCPA windfall.

Specific to the class-action context, the adoption of Reyes affords multiple chances to defeat class claims. Early summary judgment practice on consent and revocation can put putative class representatives on the defensive, and potentially complicate plaintiff’s efforts to show adequacy, commonality and typicality. Putative class representatives may also have to resort to individualized facts to show why they should be allowed to back out of the deal that included their consent, potentially putting plaintiffs on the horns of a dilemma: Save the class and risk losing the whole case, or save the case and risk losing the class-action payday.

We’ll close with a practical point: Companies should be studying their consumer-facing agreements to determine whether a consumer’s consent to receive telephone communications is––or can be reconfigured to be––part of a bargained-for exchange. Companies can help manage their TCPA liability by crafting their customer agreements appropriately as to arbitration (including a non-severable class action waiver), indemnity, and the bargained-for nature of consent. These preventive measures, deployed effectively, can both dissuade the prowling packs of TCPA lawyers from bringing a claim in the first place, and also strengthen the company’s defense if litigation is filed.

Defeating Class Certification in Consumer Data Breach Class Actions Begins with Understanding How They OccurConsumer data breach class actions, for all of their popularity on dockets and especially in headlines, can make difficult cases for plaintiffs. Issues like standing and damages often keep these cases from getting off the ground (as we have discussed previously), but we see far larger predominance problems looming for plaintiffs—chiefly in the area of causation. Companies in 2018 know how difficult a data breach can be to prevent, detect, and fix. These same difficulties can also flummox plaintiffs trying to sue companies in the wake of a data breach.

Consumer data breach cases, particularly those resulting from large breaches, involve a complex chain of independent actors. Take a payment card attack such as the one that occurred at Target in 2013. Through a virus sent by email to a vendor that had access to Target’s store-level computer network, hackers installed a program on virtually all of Target’s point-of-sale consoles that customers use to swipe their payment cards. That program copied information from the card—things such as the card number, expiration date, and CCV codes––and stored it on Target’s network. Then, the program sent the copied data through a chain of servers in different jurisdictions to the hackers. The hackers (or others who had purchased information from the hackers) were then able to sell the payment card data on the so-called “dark web.” A prospective purchaser would buy card information and have it printed on a counterfeit card, which could then be used to make purchases. Thieves obtained stolen information on 40 million payment cards using this method without ever necessarily setting foot in a Target store.

But hackers can use several other methods as well. A local thief can install a “skimmer” device that copies data from payment cards. These devices are often installed on gas pumps or ATMs. A single rogue employee could copy information from a business’ customers’ cards, or the employee could steal information from the business records (paper or electronic). Hackers can also attack other parts of the payment card infrastructure, such as payment card processors or issuing banks. Online stores can be hacked directly, and hackers can also obtain payment card data by accessing a consumer’s computer and stealing information stored on it. The personal data stolen from Equifax would allow criminals to open fraudulent payment card accounts. If these weren’t enough, a deft pickpocket can still steal a physical card.

While these various kinds of attacks can be prevented or interrupted, most of these breaches and thefts remain secret until fraudulent cards appear on the market or a pattern of fraudulent charges begins. Once fraudulent cards or charges appear, banks, processors, or the card associations (such as Visa and MasterCard) can look for common characteristics in the fraudulent charges: Did the customers all shop at a particular merchant at a particular time? Was the customers’ data routed through a common processor that could have been hacked? Are the fraudulent cards being used in one geographical area, or are they dispersed throughout the country? Are the fraudulent cards being used exclusively online? The answers to these questions allow industry and government investigators to narrow the list of possible causes of the breach.

Further complicating matters, stolen information or cards can be sold and resold on the black market before appearing in commerce. While thieves usually try to move quickly before the cards are cancelled, some thieves are sophisticated enough to balance speed with avoiding detection—they know a spike in fraud might trigger an investigation.

At first blush, the investigation of a data breach sounds much like how the CDC might go about tracking a salmonella outbreak to a particular food item. This analogy is attractive, but ultimately unsatisfactory for a few reasons:

  • For one thing, there are too many overlapping breaches to draw neat causal lines. Because criminals prefer to remain anonymous, and companies suffering hacks are not anxious to publicize them, accurate records of data breaches are hard to obtain. But one estimate we reviewed suggested that there were nearly 180 million records at risk in known data breaches in 2017 alone. In other words, we know thieves stole more than one record for every two people in the United States in a single year. And that number does not include the three billion records stolen from Yahoo! across several years, or the nearly limitless number of records made vulnerable through the Heartbleed bug. This constant flow of breaches and thefts results in a constant flow of fraud. Large breaches cause fraud to spike, but accurately tying a particular instance of fraud to a particular breach is very difficult.
  • While a patient suffering a medical condition will seek help, a data breach victim might not even know he or she has been affected. A payment card breach can lie dormant for a long time. Not only do thieves strategically time their use of stolen payment card information, they also use other personal information (such as Social Security numbers or access to an email account) to perpetrate fraud months or years later.
  • Unlike disease-causing germs, criminal hackers actively avoid detection. Intrusions, data exports, and data transfers are all done with maximum secrecy. Moreover, a computerized attack can come from anywhere in the word through a lengthy chain of anonymized servers in different jurisdictions.

The complexity of tying a particular breach to a particular instance of fraud has led leading security journalist Brian Krebs to write, “All that said, it’s really not worth it to spend time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.” Finding the actual perpetrators of a breach will often be impossible, and in the present technological and legal environment, plaintiffs almost universally resort to circumstantial proof.

A company that is a victim of a data breach should be aware of these complex problems in defending against class claims. Consider a traditional negligence claim, which requires the plaintiff to prove that a breach of duty proximately caused the plaintiff’s injury. Plaintiffs often assert that any fraud happening after a breach happened because of the breach, but that conclusion is not only a logical fallacy, it should be legally insufficient. And chances are that a particular card has been the subject of more than one breach.

The Eleventh Circuit hinted at how important information about other causes can be in a data breach case. In Resnik v. AvMed, Inc., the court reversed dismissal of a complaint alleging that the plaintiffs suffered identity theft after a laptop with their personal information was stolen. The plaintiffs in that case had extensively alleged that they took a wide range of preventative measures to keep their identities safe. These allegations were taken as true for purposes of the appeal and “[h]ad Plaintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss.” The Middle District of Alabama expanded on the Eleventh Circuit’s discussion in Smith v. Triad of Alabama, LLC, where (even though it certified a class), the court recognized that proving causation “may require a review of any prior thefts of each class member’s identity” and would involve member-by-member mini-trials.

As more data breach cases are filed—and especially as more of them get to the summary judgment and trial phases of litigation—plaintiffs’ theories will mature. In the meantime, however, companies should seek to understand the complex chain of events that occur before, during, and after a data breach. Not only will this information help companies secure their own systems against a breach, but it will also guide them in developing a strategy to oppose class certification. The plaintiff’s discovery efforts will be driven towards showing that the breach had a simple cause and had relatively uniform effects on a homogenous population of class members. To counter this narrative, companies must identify and discover variations within the plaintiff’s proposed class.  Instead of automatically adopting a passive, defensive posture, companies should consider being more aggressive in developing a counter-narrative. In appropriate circumstances, this could include investigation into preventive measures the named plaintiffs did or didn’t take with regard to their information or data, other data breaches occurring at roughly the same time as the subject breach, and whether plaintiffs’ or class members’ data might have been exposed to multiple unrelated breaches.

Such strategies may even prove helpful in those jurisdictions (such as the Seventh and Ninth Circuits) that have found standing in data breach cases where plaintiffs’ stolen information has not actually been used, but is alleged to create increased risk of identity theft alone (see our post on that subject). While pointing out factual complexities of the breach and other contemporaneous but unrelated breaches might not suffice to defeat Article III standing, such proof could well be beneficial in showing that common factual issues do not predominate and that individualized proof will be necessary. The proven prospect of thousands of mini-trials on causation and damage might give even a class-friendly judge pause.

Courts are still figuring out how consumer data breach cases fit into traditional tort categories. The theories asserted and damage items claimed in data breach cases are always changing, and that trend should continue. An effective defense strategy in this environment requires staying on top of the evolving ways in which criminals are stealing, selling, and using data.