Court Holds that Hannaford Data Breach Suit Cannot Proceed as Class Action

[Jeffrey Walton <noloader () gmail com>]

http://www.ropesgray.com/files/Publication/e465ba36-8537-4a02-bfd0-60ddb04e1d07/Presentation/PublicationAttachment/a11523db-b24c-4afa-9179-678e73c336d5/20130328_Privacy_Alert.pdf

On March 20, 2013, the United States District Court for the District
of Maine denied a motion brought by plaintiffs in In re Hannaford
Brothers Company Data Security Breach Litigation that would have
allowed the suit to proceed as a class action. The decision, which
concluded that plaintiffs had failed to meet the predominance
requirement of Federal Rule of Civil Procedure 23(b)(3), demonstrates
the difficulty of certifying a class in the data breach context, where
claims often turn on individual issues of causation and damages.
Perhaps most significantly, the decision signals that in order for
data breach plaintiffs to meet their burden as to predominance, they
must first obtain a supporting opinion from an expert.

The Hannaford case began in 2008, when a putative class of Hannaford
customers filed suit against the company following Hannaford’s
announcement that cyber criminals had stolen customer debit and credit
card information from its network systems. Following rulings by the
District Court, the United States Court of Appeals for the First
Circuit, and the Supreme Court of Maine, the claims against Hannaford
were pared down to negligence and breach of implied contract, and the
proposed class was limited to customers who, as a result of the data
breach, made out-of-pocket payments to cancel their cards or obtain
identity theft protection products.
...
The Hannaford decision has important implications for class actions,
particularly those relating to data security. The variation in impact
to members of a proposed class is not unique to the customers in
Hannaford, but, in fact, can be found in almost every putative data
breach class, where the existence of or details surrounding claimed
instances of identity theft vary from person to person. Moreover, for
plaintiffs’ attorneys seeking certification of data breach classes,
the Hannaford decision prescribes a difficult path forward. Obtaining
expert opinion testimony is often a challenging exercise, which
plaintiffs will now be under greater pressure to undertake prior to
obtaining any assurance from the court that a lump-sum-damages
approach will be approved. Indeed, expending such costs at this early
stage could prove risky, as there is no guarantee that the motion for
certification will ultimately be approved. This is particularly true
in light of other data breach decisions, such as the District of
Massachusetts’ decision in In re TJX Companies Retail Security Breach
Litigation, in which courts have held that individual differences as
to causation or reliance precluded certification. Under Hannaford,
however, plaintiffs in data breach cases will have no other choice –
if they want their suits to proceed as class actions, they will have
to obtain an expert opinion prior to certification.
...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.