DENIED! Court REJECTS Motion to Certify Class in Data Breach Alleging Disclosure of Employees’ Sensitive Tax Information
Monday, January 25, 2021
Court Rejects Class Certification in Data Breach
Print Mail Download i

Data breach litigations rarely make it to motions for class certification.  This trend makes each decision that does come out addressing class certification in the data breach context that much more interesting.  Well, last week a federal court denied a plaintiff’s motion to certify a class in the wake of an employer data breach that allegedly resulted in the disclosure of employees’ sensitive tax information and other data.  Read on below.

First, the (alleged) facts.  In McGlenn v. Driveline Retail Merch., Inc., 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021), a plaintiff filed suit against her employer after the employer was the victim of a phishing attack.  That attack resulted in the purported disclosure of current and former employees’ personal and tax information, including their names, addresses, zip codes, dates of birth, wages and withholding information, and Social Security numbers.  Following disclosure of the data breach, the employer offered employees 12 months of credit monitoring service (some accepted the services, while others did not).

Plaintiff subsequently filed a putative class action complaint, asserting various tort and state consumer protection claims under Illinois law.  She alleged generally that, as a result of the data breach, criminals could file fraudulent tax returns, file for unemployment benefits, and apply for a job using a false identity due to disclosure of the class members’ Social Security numbers.  And more specifically, Plaintiff alleged that: (1) following the breach someone used her personally identifiable information (“PII”) to open a new credit card account and (2) she spent time mitigating the issues arising out of the misuse of her personal information.  Besides seeking monetary damages, Plaintiff also sought an injunction directing her employer to adequately safeguard the personally identifiable information (“PII”) of employees by implementing improved security procedures and to provide enhanced disclosures regarding the data breach.

A short refresher on procedure:  To get certified, every federal class action must satisfy not only the four prerequisites of Federal Rule of Civil Procedure 23(a), but also one of the three scenarios set forth Rule 23(b).  In determining whether to certify a class, a district court first assesses whether the putative class meets Rule 23(a)’s prerequisites: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.  IF (and only if) the class meets all these requirements, the court will then assess whether one of the scenarios set forth in Rule 23(b) is satisfied.  Class certification matters as it raises the stakes in litigation and can lead to damages awards (or settlements) and big payouts for class counsel.

Back to the case at hand.  Plaintiffs in McGlenn sought class certification, primarily relying on Rule 23(b)(3).  Under this rule, a class seeking damages can be certified if (in addition to meeting the Rule 23(a) criteria), the plaintiffs establish both predominance (i.e., that questions common to class members predominate over questions affecting individual ones) and superiority (i.e., that the class action is the best way to litigate the case).  Plaintiffs sought to certify a class seeking injunctive relief (in the form of enhanced security measures) under Rule 23(b)(2).  This one provides that an injunction-only class may be certified if (in addition to meeting the Rule 23(a) thresholds), the defendant “acted or refused to act on grounds that apply generally to the class.

How did things shake out before the court?  Class certification was denied for several independent reasons:

  • Commonality Absent Under Rule 23(a): The court held that the Rule 23(a) requirements for class certification were absent, as Plaintiff could not show commonality under Rule 23(a). This was because, the court explained, “[w]hile the Court recognizes that Plaintiff has proven certain issues are common to the proposed class, such as liability, the issues of causation and injury require individual inquiry.”  Id. at *15.
  • Certification Under Rule 23(b)(2) Inappropriate: The court also found that certification of the proposed injunctive class was not supported by Rule 23(b)(2).  This was because, consistent with Seventh Circuit precedent, Plaintiff could not show that “a mandatory injunction would remedy the alleged harm.”  Because the PII of the putative class had already been disclosed, enhanced security measures and training would do nothing to remedy the damages claimed by the class.
  • Certification Under Rule 23(b)(3) Also Unsupported: Finally, the court also found class certification inappropriate under Rule 23(b)(3).  Plaintiff argued that “each putative class member suffered damage and injury as a result of the [data breach] and ‘each suffered the same general type of damages – loss of value of PII, out of pocket monetary expenses, and other foreseeable losses stemming from identify theft.’”  Plaintiff asserted that this could be shown on a class-wide basis through the use of expert testimony.  The court disagreed.  Plaintiffs’ expert did not “present testimony that the putative class members sustained bank charges or service reinstatement fees as a result of the [data breach], suffered negative credit ratings, were denied a loan, sought public assistance, were the victims of medical identity thefts, or had their Social Security numbers used to file a fraudulent tax return.”

The court expressed doubt whether Plaintiff and other class members have actually suffered any injury that was compensable (as most merely claimed they were at risk of suffering speculative future harm).  And as a more fundamental matter, the court also noted reservations that defendant (as an employer) owed the putative class members any duty at all to protect their PII (the Seventh Circuit has held that Illinois has not created a common law duty between an employer and an employee to safeguard personal information beyond providing notice of a disclosure).

So there you have it.  Another day, another development in the ever-changing landscape of data privacy litigation.  It’s a success for employers/companies defending class actions that implicate individual damages issues.  

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Bettors Beware: Read Sixth Circuit Before Wagering on the Kentucky Derby
by: Trane J. Robinson
The Price Cap on Russian Oil – Part 2: Updated OFAC Guidance
by: Richard J. Gibbon
Parties Beware—Noncompliance with Delaware ABC Statute Can Lead to Serious Consequences (US)
by: Michelle N. Saney
(UK) What Practical Changes Can IPs Expect from the Proposed Amendments to FCA Guidance?
by: Rachael Markham , John Alderton
Intelligent AI Guidance from the USPTO Identifies Potential Perils
by: Frank L. Bernstein , Malisheia O. Douglas
The Status of Non-Competes in Healthcare: How the FTC Rule and Other Recent Developments Affect Non-Competes for Doctors, Nurses, and Other Healthcare Practitioners
by: Paul Erian , William J. Kishman
EEOC Updates Workplace Harassment Guidelines Reinforcing Protections for LGBTQ+ Employees (US)
by: Ariel S. Cohen
Are the USPTO’s Proposed Terminal Disclaimer Fees the End of Continuing Applications?
by: Frank L. Bernstein
The USPTO Proposes Steep RCE Fees. Will Patent Prosecution and Appeal Strategies Change?
by: Frank L. Bernstein , Michael Adams
The Price Cap on Russian Oil – Part 1: Increased OFAC Enforcement
by: Richard J. Gibbon

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins