Skeptical Courts Are Rejecting Privacy Class Actions

Of four major cases where a court has addressed the question of class certification, it refused to certify the class in three of them. “The theme of decisions denying class certification is that causation and damages in data security actions are individualized questions that defeat the commonality or predominance tests of Rule 23(a) and Rule 23(b)(3),” explains this post from BakerHostetler. The outlier among these four cases was Target, which was the defendant in two separate lawsuits. In one of them the plaintiffs were consumers, in the other they were credit card issuers. In the latter, the class was certified because the financial institutions had reissued cards to nearly every person who was subject to an alert after the hack, and the court found both the “commonality” and the “predominance” standards for certification were met. However, in another case involving somewhat similar claims (In re TJX Companies Retail Security Breach Litigation), the court found that alleged injuries, and the corresponding demands on the financial institutions, varied considerably and thus the “predominance” standard for certification was not met. The authors of this post caution that, while it’s true courts now appear to be skeptical about certification in privacy class actions, the sample is small and the tale is yet to be told.