For the most part, this blog has focused on tactics that defendants may use to oppose class certification. But another important part of class action defense is being alert to new trends in class-action practice. And, in the last few years, a new type of class action has arisen that is worth looking at more closely: the data-breach class action, which seeks to hold companies liable for revealing customer data once they’ve been hacked.
For example, take In re Hannaford Bros. Co. Customer Data Security Breach Litigation. The specific opinion affirmed a remand of a class action under CAFA’s home-state exception (a class of Florida citizens had sued a Florida corporation in Florida state court), but the underlying facts describe the archetypical data-breach class action. As the court described them:
Defendant Kash N’ Karry Food Stores, Inc. operates a chain of grocery stores in Florida. A computer hacker stole the credit card information of customers who had shopped at Kash N’ Karry’s stores between December 2007 and March 2008. Plaintiff Thomas Grimsdale, III regularly shopped at Kash N’ Karry’s stores in Tampa, Florida during this period and paid for his purchases using his bank debit card.
On April 4, 2008, Grimsdale sued Kash N’ Karry in Florida state court, alleging that Kash N’ Karry had failed to adopt adequate security measures to protect its customers’ credit card information. He sought to represent a class of approximately 1.6 million persons who had “used credit/debit cards at [Kash N’ Karry’s] stores between December 7, 2007 and March 10, 2008 and/or had their personal and sensitive Confidential Information stolen and/or compromised as a result of the [security] Breach.”
Information security is a growing concern among American businesses. And a number of plaintiffs’ firms have begun filing data-breach class actions. Data-breach class actions have qualities that are–at least superificially–appealing to the plaintiffs’ bar. Data breaches are often events that present small (or ambiguous) harms to a large number of potential class members. And if the security breach can be tied back to a single incident, then there may be common issues applicable to a class.
Does this mean that data-breach class actions unbeateable? Hardly. It is often difficult to prove any actual injury in a data-breach class action. And, if some class members’ data was actually used illegally (while the rest remained untouched), it will be difficult to certify a class without getting into the merits of all class members’ claims.
But, given the vulnerability of personal data, and the growth in filings of data-breach class actions, it is certainly worth defense counsel’s time to think through the issues presented by these kinds of cases.