funsec mailing list archives
Court Holds that Hannaford Data Breach Suit Cannot Proceed as Class Action
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 28 Mar 2013 20:00:15 -0400
http://www.ropesgray.com/files/Publication/e465ba36-8537-4a02-bfd0-60ddb04e1d07/Presentation/PublicationAttachment/a11523db-b24c-4afa-9179-678e73c336d5/20130328_Privacy_Alert.pdf

On March 20, 2013, the United States District Court for the District of Maine denied a motion brought by plaintiffs in In re Hannaford Brothers Company Data Security Breach Litigation that would have allowed the suit to proceed as a class action. The decision, which concluded that plaintiffs had failed to meet the predominance requirement of Federal Rule of Civil Procedure 23(b)(3), demonstrates the difficulty of certifying a class in the data breach context, where claims often turn on individual issues of causation and damages. Perhaps most significantly, the decision signals that in order for data breach plaintiffs to meet their burden as to predominance, they must first obtain a supporting opinion from an expert.

The Hannaford case began in 2008, when a putative class of Hannaford customers filed suit against the company following Hannaford’s announcement that cyber criminals had stolen customer debit and credit card information from its network systems. Following rulings by the District Court, the United States Court of Appeals for the First Circuit, and the Supreme Court of Maine, the claims against Hannaford were pared down to negligence and breach of implied contract, and the proposed class was limited to customers who, as a result of the data breach, made out-of-pocket payments to cancel their cards or obtain identity theft protection products.

...

The Hannaford decision has important implications for class actions, particularly those relating to data security. The variation in impact to members of a proposed class is not unique to the customers in Hannaford, but, in fact, can be found in almost every putative data breach class, where the existence of or details surrounding claimed instances of identity theft vary from person to person.

Moreover, for plaintiffs’ attorneys seeking certification of data breach classes, the Hannaford decision prescribes a difficult path forward. Obtaining expert opinion testimony is often a challenging exercise, which plaintiffs will now be under greater pressure to undertake prior to obtaining any assurance from the court that a lump-sum-damages approach will be approved. Indeed, expending such costs at this early stage could prove risky, as there is no guarantee that the motion for certification will ultimately be approved. This is particularly true in light of other data breach decisions, such as the District of Massachusetts’ decision in In re TJX Companies Retail Security Breach Litigation, in which courts have held that individual differences as to causation or reliance precluded certification. Under Hannaford, however, plaintiffs in data breach cases will have no other choice – if they want their suits to proceed as class actions, they will have to obtain an expert opinion prior to certification.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.