In a recent cyber-liability matter, Christian & Small’s Richard E. Smith secured an order in our client’s favor that denied class certification of a nationwide class of some 2,500 banks. In his extensively written opinion, the judge in the case supported the denial based on the variations in state law involving individualized questions of law on the class’ negligence claims.
This putative class action case is about a harm that is becoming all too common in modern technological society: a data security breach. Our client, a retail chain selling general goods, found this out the hard way when hackers gained access to two servers carrying its customers’ payment information, potentially resulting in thousands of cases of identity theft. The Plaintiffs — the financial institutions who issued the credit and debit cards the hackers pilfered — numbered about 2,500 banks. Those banks sought certification as a nationwide class, claiming damages in the form of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs that they say stemmed from our client’s failure to maintain adequate cybersecurity.
Our firm served as co-defense counsel for the retail chain. Following discovery and depositions on the class certification issues, the Plaintiff banks moved for the Court to certify them as a nationwide class.
As part of our defense strategy, the retailer hired a cybersecurity firm to do a forensic investigation of the data breach and issue a report. The report confirmed that the malware could access payment data on the retailer’s servers from March 23 to April 24, 2015. Accordingly, the credit card issuers circulated what are known as compromised account management system (CAMS) alerts to any issuing bank whose customers used their cards at the retailer during that timeframe. Approximately 2,500 banks received the alerts.
The Plaintiffs sought certification of a class under 23(b)(3), which requires the court to find that “the questions of law or fact common to class members predominate over any questions affecting only individual members.” We argued on our retailer client’s behalf that common questions of law or tort did not predominate over questions affecting only individual members. Instead variations in the state laws of the 50 states and the District of Columbia led the court to conclude:
- The variations on the “economic loss rule” are too great for the court to proceed to trial with a damages class consisting of plaintiffs from all 50 states.
- The states apply materially different standards for determining whether Defendant owes each putative class member a duty of care.
The judge agreed, and on March 13, 2019, issued an order denying the Plaintiffs’ motion for class certification.