Defeating Class Certification in Consumer Data Breach Class Actions Begins with Understanding How They Occur

Consumer data breach class actions, for all of their popularity on dockets and especially in headlines, can make difficult cases for plaintiffs. Issues like standing and damages often keep these cases from getting off the ground (as we have discussed previously), but we see far larger predominance problems looming for plaintiffs—chiefly in the area of causation. Companies in 2018 know how difficult a data breach can be to prevent, detect, and fix. These same difficulties can also flummox plaintiffs trying to sue companies in the wake of a data breach.

Consumer data breach cases, particularly those resulting from large breaches, involve a complex chain of independent actors. Take a payment card attack such as the one that occurred at Target in 2013. Through a virus sent by email to a vendor that had access to Target’s store-level computer network, hackers installed a program on virtually all of Target’s point-of-sale consoles that customers use to swipe their payment cards. That program copied information from the card—things such as the card number, expiration date, and CCV codes—and stored it on Target’s network. Then, the program sent the copied data through a chain of servers in different jurisdictions to the hackers. The hackers (or others who had purchased information from the hackers) were then able to sell the payment card data on the so-called “dark web.” A prospective purchaser would buy card information and have it printed on a counterfeit card, which could then be used to make purchases. Thieves obtained stolen information on 40 million payment cards using this method without ever necessarily setting foot in a Target store.

But hackers can use several other methods as well. A local thief can install a “skimmer” device that copies data from payment cards. These devices are often installed on gas pumps or ATMs. A single rogue employee could copy information from a business’ customers’ cards, or the employee could steal information from the business records (paper or electronic). Hackers can also attack other parts of the payment card infrastructure, such as payment card processors or issuing banks. Online stores can be hacked directly, and hackers can also obtain payment card data by accessing a consumer’s computer and stealing information stored on it. The personal data stolen from Equifax would allow criminals to open fraudulent payment card accounts. If these weren’t enough, a deft pickpocket can still steal a physical card.

While these various kinds of attacks can be prevented or interrupted, most of these breaches and thefts remain secret until fraudulent cards appear on the market or a pattern of fraudulent charges begins. Once fraudulent cards or charges appear, banks, processors, or the card associations (such as Visa and MasterCard) can look for common characteristics in the fraudulent charges: Did the customers all shop at a particular merchant at a particular time? Was the customers’ data routed through a common processor that could have been hacked? Are the fraudulent cards being used in one geographical area, or are they dispersed throughout the country? Are the fraudulent cards being used exclusively online? The answers to these questions allow industry and government investigators to narrow the list of possible causes of the breach.

Further complicating matters, stolen information or cards can be sold and resold on the black market before appearing in commerce. While thieves usually try to move quickly before the cards are cancelled, some thieves are sophisticated enough to balance speed with avoiding detection—they know a spike in fraud might trigger an investigation.

At first blush, the investigation of a data breach sounds much like how the CDC might go about tracking a salmonella outbreak to a particular food item. This analogy is attractive, but ultimately unsatisfactory for a few reasons:

  • For one thing, there are too many overlapping breaches to draw neat causal lines. Because criminals prefer to remain anonymous, and companies suffering hacks are not anxious to publicize them, accurate records of data breaches are hard to obtain. But one estimate we reviewed suggested that there were nearly 180 million records at risk in known data breaches in 2017 alone. In other words, we know thieves stole more than one record for every two people in the United States in a single year. And that number does not include the three billion records stolen from Yahoo! across several years, or the nearly limitless number of records made vulnerable through the Heartbleed bug. This constant flow of breaches and thefts results in a constant flow of fraud. Large breaches cause fraud to spike, but accurately tying a particular instance of fraud to a particular breach is very difficult.
  • While a patient suffering a medical condition will seek help, a data breach victim might not even know he or she has been affected. A payment card breach can lie dormant for a long time. Not only do thieves strategically time their use of stolen payment card information, they also use other personal information (such as Social Security numbers or access to an email account) to perpetrate fraud months or years later.
  • Unlike disease-causing germs, criminal hackers actively avoid detection. Intrusions, data exports, and data transfers are all done with maximum secrecy. Moreover, a computerized attack can come from anywhere in the world through a lengthy chain of anonymized servers in different jurisdictions.

The complexity of tying a particular breach to a particular instance of fraud has led leading security journalist Brian Krebs to write, “All that said, it’s really not worth it to spend time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.” Finding the actual perpetrators of a breach will often be impossible, and in the present technological and legal environment, plaintiffs almost universally resort to circumstantial proof.

A company that is a victim of a data breach should be aware of these complex problems in defending against class claims. Consider a traditional negligence claim, which requires the plaintiff to prove that a breach of duty proximately caused the plaintiff’s injury. Plaintiffs often assert that any fraud happening after a breach happened because of the breach, but that conclusion is not only a logical fallacy, it should be legally insufficient. And chances are that a particular card has been the subject of more than one breach.

The Eleventh Circuit hinted at how important information about other causes can be in a data breach case. In Resnik v. AvMed, Inc., the court reversed dismissal of a complaint alleging that the plaintiffs suffered identity theft after a laptop with their personal information was stolen. The plaintiffs in that case had extensively alleged that they took a wide range of preventative measures to keep their identities safe. These allegations were taken as true for purposes of the appeal and “[h]ad Plaintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss.” The Middle District of Alabama expanded on the Eleventh Circuit’s discussion in Smith v. Triad of Alabama, LLC, where (even though it certified a class), the court recognized that proving causation “may require a review of any prior thefts of each class member’s identity” and would involve member-by-member mini-trials.

As more data breach cases are filed—and especially as more of them get to the summary judgment and trial phases of litigation—plaintiffs’ theories will mature. In the meantime, however, companies should seek to understand the complex chain of events that occur before, during, and after a data breach. Not only will this information help companies secure their own systems against a breach, but it will also guide them in developing a strategy to oppose class certification. The plaintiff’s discovery efforts will be driven towards showing that the breach had a simple cause and had relatively uniform effects on a homogenous population of class members. To counter this narrative, companies must identify and discover variations within the plaintiff’s proposed class.  Instead of automatically adopting a passive, defensive posture, companies should consider being more aggressive in developing a counter-narrative. In appropriate circumstances, this could include investigation into preventive measures the named plaintiffs did or didn’t take with regard to their information or data, other data breaches occurring at roughly the same time as the subject breach, and whether plaintiffs’ or class members’ data might have been exposed to multiple unrelated breaches.

Such strategies may even prove helpful in those jurisdictions (such as the Seventh and Ninth Circuits) that have found standing in data breach cases where plaintiffs’ stolen information has not actually been used, but is alleged to create increased risk of identity theft alone (see our post on that subject). While pointing out factual complexities of the breach and other contemporaneous but unrelated breaches might not suffice to defeat Article III standing, such proof could well be beneficial in showing that common factual issues do not predominate and that individualized proof will be necessary. The proven prospect of thousands of mini-trials on causation and damage might give even a class-friendly judge pause.

Courts are still figuring out how consumer data breach cases fit into traditional tort categories. The theories asserted and damage items claimed in data breach cases are always changing, and that trend should continue. An effective defense strategy in this environment requires staying on top of the evolving ways in which criminals are stealing, selling, and using data.

The Impact of Disparate State Laws on Class Certification for Settlement Purposes: Ninth Circuit to Review Hyundai and Kia Fuel Economy Decision en Banc

The Ninth Circuit has agreed to review a panel decision from the court which rejected a settlement in multidistrict litigation over the fuel efficiency of Hyundai Motor America Inc. and Kia Motors Corp. vehicles. The case and rehearing raise the issue of what weight, if any, is given to disparate state laws when reviewing proposed settlement agreements in a multidistrict case and to what extent courts and class counsel bear the burden of addressing that issue.

The Hyundai and Kia fuel economy litigation was assigned to the U.S. District Court for the Central District of California in 2013. The case involved 12 class actions pending in five federal districts, all involving the marketing, sale and advertising of the mileage estimates for certain Hyundai Motor America  and Kia Motors Corp. vehicles. In all, 56 actions were consolidated into the multidistrict litigation.

An earlier ruling had previously indicated the case was not appropriate for certification because of variances in state laws. Despite this earlier concern, a class was then certified for settlement purposes consisting of current and former owners of specified Hyundai and Kia vehicles registered in the United States. Subsequently, the district court granted final approval of a settlement and dismissed the case.

On appeal, objectors brought five consolidated appeals raising challenges to class certification, approval of the settlement as fair and adequate, and approval of attorneys’ fees as reasonable in proportion to the benefit conferred on the class. A panel of the Ninth Circuit vacated the district court’s order granting class certification in the nationwide class action settlement.

With respect to choice of law issues, the panel held that the district court abused its discretion in concluding that common questions predominated, and in certifying the settlement class under Fed. R. Civ. P. 23(b)(3). The panel noted that Rule 23(b)(3)’s predominance inquiry was far more demanding than Rule 23(a)’s commonality requirement. The panel further noted that where plaintiffs bring a nationwide class action under CAFA and invoke Rule 23(b)(3), a court must consider the impact of potentially varying state laws. Finally, in determining whether predominance was defeated by variations in state law, the panel proceeded through a framework outlined by previous opinions of the Ninth Circuit.

The panel majority quoted from Castano v. Am. Tobacco Co. and stated that, “a court must consider the impact of potentially varying state laws, because ‘[i]n a multi-state class action, variations in state law may swamp any common issues and defeat predominance.’” The panel also relied on Mazza v. Am. Honda Motor Co., under which a judge reviewing a proposed settlement should determine whether predominance is defeated by variations in state law. According to the panel decision, under the predominance inquiry “the class action proponent must establish that the forum state’s substantive law may be constitutionally applied to the claims of a nationwide class.” Once demonstrated, the court applies the forum state’s choice of law rules to determine whether the forum state’s law or the law of multiple states applies to the claims. There is no issue if the result is the application of only one state’s laws to the entire class, but, if class claims require adjudication under the laws of multiple states, then the court must determine whether common questions will predominate over individual issues and whether litigation of a nationwide class may be managed fairly and efficiently.

Applying the predominance inquiry to the case at hand, the panel first determined that California choice of law provisions could permissibly be applied and that this required the district court to apply the California governmental interest test. The court stated that it was undisputed that the district court did not conduct a choice of law analysis, and did not apply California law or the law of any particular state in deciding to certify the class for settlement.  The panel further opined that “factors such as whether the named plaintiffs were in favor of the settlement or whether other class members had an opportunity to opt out are irrelevant to the determination whether a class can be certified.” The court also reasoned that the error in the certification arose because of “the mistaken assumption that the standard for certification was lessened in the settlement context.”

In dissent, Judge Nguyen wrote that, contrary to Ninth Circuit case law and that of other circuits, the majority shifted the burden of proving whether foreign law governed from the foreign law proponent – here, the objectors – to the district court or class counsel, thereby creating a circuit split and violating the doctrine of Erie R.R. v. Tompkins. Judge Nguyen opined that “[f]ar from imposing geographic limitations, the predominance inquiry under Rule 23(b)(3) simply tests whether questions common to the class are more prevalent or important than individual ones.” She reasoned that the district court permissibly determined that issues regarding fuel economy statements predominated over other matters and warranted certification. Judge Nguyen also reasoned it was wrong to require the district court or class counsel to extensively canvass every state’s laws and determine that none other than California’s apply when the issue was not adequately raised by objectors. Judge Nguyen concluded by stating that under the majority’s framework, “no one will recover anything.”

The opinion has already begun to affect other settlements. Given the panel’s admonishments, district court judges have become more cautious in granting approval for settlement agreements, faced with the task of surveying state laws nationwide prior to doing so.  For example, in the U.S. District Court for the Northern District of California, Tesla’s settlement over allegedly faulty Autopilot and safety features is conditioned upon a state law analysis to be completed prior to the court considering final approval (Sheikh et al. v. Tesla Inc.). In another California case, Uber’s settlement concerning “safe ride fees” and employee screening has been paused until the Ninth Circuit’s en banc decision is rendered  (Byron McKnight et al. v. Uber Technologies Inc. et al.). Likewise, a settlement involving ADT security devices has been paused pending the Ninth Circuit’s en banc review (Edenborough v. ADT LLC).

Although certification was still possible if the case were remanded, both plaintiffs and class action defense attorneys filed briefs requesting the full Ninth Circuit to review the ruling, arguing that the panel’s January ruling clashed with precedent, would impede nationwide settlements and class action litigation, and would burden trial courts. Others believe that it is impossible for a court to determine the fairness of a settlement without considering potentially meaningful differences in the chances of success of a claim under the laws of one state as opposed to another. Under this view, assessing the fairness of a settlement to all class members in a nationwide class action based on the weaknesses of the claim under the forum state’s law, without considering whether all class members face similar hurdles, would run roughshod over the rights of absent class members. After granting rehearing en banc, the Ninth Circuit has set oral arguments for the week of September 24 in Pasadena, California.

The Growing Split Over Issue Class Certification as an End Run Around Predominance of Common Issues

Last week the Sixth Circuit took a big step to extend its reputation as one of the most class-friendly circuits in the country. In Martin v. Behr Dayton Thermal Prods. LLC, Judge Jane Stranch, writing for a unanimous panel, concluded that although a toxic tort class action involving the “risk of vapor intrusion” into homes in a single neighborhood as a result of two separate plumes of groundwater contamination could not be certified as a class action in its entirety, some issues in the case still could be certified as “issue classes” under Rule 23(c)(4). The contamination did not affect drinking water, and the vapors were not shown to have invaded every home.

The trial court correctly concluded that certification of the pollution claims failed because individual issues predominated under Rule 23(b)(2), even for a liability only class, because of the individualized issues of injury in fact and causation. But remarkably, the trial court found that seven issues of law and fact could still be certified under Rule 23(c)(4):

Issue 1: Each Defendant’s role in creating the contamination within their respective Plumes, including their historical operations, disposal practices, and chemical usage;

Issue 2: Whether or not it was foreseeable to Chrysler and Aramark that their improper handling and disposal of TCE and/or PCE could cause the Behr-DTP and Aramark Plumes, respectively, and subsequent injuries;

Issue 3: Whether Chrysler, Behr, and/or Aramark engaged in abnormally dangerous activities for which they are strictly liable;

Issue 4: Whether contamination from the Chrysler-Behr Facility underlies the Chrysler-Behr and Chrysler-Behr-Aramark Class Areas;

Issue 5: Whether contamination from the Aramark Facility underlies the Chrysler-Behr-Aramark Class Area;

Issue 6: Whether Chrysler and/or Aramark’s contamination, and all three Defendants’ inaction, caused class members to incur the potential for vapor intrusion; and

Issue 7: Whether Defendants negligently failed to investigate and remediate the contamination at and flowing from their respective Facilities.

More remarkably still, the Sixth Circuit affirmed. Never mind that joinder of all class members was hardly impractical as is required by the numerosity provision of Rule 23(a), since all class members occupied homes in a single neighborhood and it was those homes that were the subject of the action. Never mind that some of these issues, such as issues 1, 4 and 5, facially reveal that they apply, if at all, to only one of the plumes or part of the neighborhood and therefore to only some of the class, and as a result make it fairly certain the others are not truly class-wide issues either. The goal was issue class certification, and issue class certification was the single-minded focus of the Sixth Circuit’s opinion.

This kind of adventuresome application of 23(c)(4) is the subject of a festering three-way circuit split. The Fifth Circuit in the famous case of Castano v. American Tobacco said that a “district court cannot manufacture predominance through nimble use of subdivision (c)(4),” and that common issues may be severed for class trial on common issues only if the entire cause of action is first certifiable under some provision of Rule 23(b), which for damages class actions generally means Rule 23(b)(3), inclusive of its predominance requirement. This view, supported by the Eleventh Circuit, fits nicely within the structure of Rule 23. Rule 23 states that a class action may be certified “only if” Rule 23(a)’s requirements of commonality of proof, numerosity and impracticability of joinder of class members, adequacy of representation, and typicality of claims are all met, “and” the proposed class claims then meet one of the three requirements of Rule 23(b), which, again, for damages class actions requires a showing that common issues predominate over individual ones. Rule 23(c), which talks about collateral and housekeeping matters such as the need for the judgment to identify class members and the need for notice and opt out in 23(b)(3) class actions, also goes on to say in 23(c)(4) that “[w]hen appropriate, an action may be brought or maintained as a class action with respect to particular issues.” But 23(c)(4) creates no new, alternative, or independent criteria for determining whether class certification can be granted. Those criteria are found exclusively in 23(a) and (b). Nothing in 23(c)(4) discusses any exception to the predominance requirement for damage causes of action. The official commentary to 23(c)(4) likewise dovetails with this view, giving as its lone example the certification of a damages class action for purposes of determination of liability only, while leaving damages to individual litigation.

Interestingly, both the trial court and the Sixth Circuit agreed that a liability-only class could not be certified in Martin v. Behr precisely because the predominance requirement still applied and defeated class certification even as to the issue of liability. Despite this, they went on to conclude that once you carve liability down further into the discrete issues involved, some of those issues can then be certified because the predominance inquiry is then magically limited to the issue certified. Nowhere in the current language of Rule 23 will you find any textual support for that proposition.

In fact, this extraordinarily class-friendly approach creates a host of other inconsistencies with the language of Rule 23. For example, if injury in fact and causation are too individualized to certify a class for the pollution claim, then exactly whose claims are the plaintiffs’ claims typical of? How do we determine who actually is properly in the class to begin with if we are talking about an issue divorced from a ripe claim? Do ripeness and standing doctrines suddenly disappear too as long as you are certifying less than an entire claim? Is the court manufacturing a way to render an advisory opinion that Article III otherwise bars? If we are talking about issues and not claims, how do we determine if there is a right of opt out? Is there a requirement of notice to the class—mandatory for 23(b)(3) damage classes but not for 23(b)(2) injunctive relief classes?  Under the Sixth Circuit’s approach, a court has to make all this up as it goes along, because Rule 23(c)(4) contains none of the answers. Nor does it solve the problems inherent in having a few discrete factual issues decided by a class jury and everything else decided by different juries in individual follow-on cases, despite the facial prohibition of that in the Reexamination Clause of the Seventh Amendment’s right to jury trial. And how does a decision on issues divorced from claims allow a trial court to enter a judgment as contemplated by Rule 23, much less a final judgment subject to appeal? How would Rule 23(e)’s standards for approval of a class action settlement apply to attempted settlement of such an issue class?

Despite these and other problems, the Second, Fourth, Seventh, and Ninth Circuits have also adopted this “slice the case up until only common issues are left” approach to issue class certification. Two other circuits, the Third and the Eighth, apply a different but still fuzzy and free-ranging superiority-like analysis as a test for issue certification. But there is only one way that purported class adjudication of superficially-common but artificially-excised issues such as these can produce any meaningful degree of “efficiency”– by increasing the pressure on the defendant to settle. The purpose of Rule 23, however, is to provide an efficient alternative to individual litigation for the actual resolution of the overall claim, not to increase the already oppressive pressure on class defendants to settle because of the heavy defense costs and risk of adverse publicity that already come with defending class actions. This use of issue classes effectively means that pressure can be exerted even for otherwise uncertifiable claims simply by divorcing discrete, allegedly common issues from the claims to which they may relate.

It is time for the U.S. Supreme Court to resolve this split. Rule 23(c)(4) as presently worded is too thin a reed to support these kinds of make-it-up-as-you-go semi-certifications. The rule-makers also need to step up to the plate. The very purpose of the rules of civil procedure is to create uniform, easily understood rules that not only read the same way in every court, but are applied the same way in every court. The rule-makers’ oft-repeated approach of letting ambiguities “percolate” among the circuits before attempting to promulgate a clear rule is the exact opposite of what they should be doing. The Rules of Civil Procedure should never be so vague as to force or encourage courts to guess at what was intended, much less to make it up as they go along. At the very least, when a rule is finally promulgated, its text should not leave nearly this much to debate.