In the last two years, there has been a proliferation of class action lawsuits filed in response to high-profile data breaches compromising the personally identifiable information of customers of various companies. Major corporations including Target, Coca-Cola, and Michaels have all fallen victim to such suits. In many cases, a single data breach event has spawned dozens of class action lawsuits (for example, Target, at one point, faced over 100 such suits in a number of jurisdictions, which have since been consolidated in an MDL).
Although a number of class actions in the data-breach context have been filed, there have been relatively few class certification decisions at this point. However, as the pending cases make their way to the class certification stage, two recent decisions may prove useful for defendants in attempting to defeat class certification—principally, on the basis of Federal Rule of Civil Procedure 23(b)(3)’s “predominance” requirement. Specifically, In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21 (D. Me. 2013), and Comcast v. Behrend, 133 S.Ct. 1426 (2013), suggest that class certification may be difficult in certain types of data breach cases due to the existence of individualized damages issues, which may undercut the predominance of common questions necessary to pursue a class action.