By David M. Governo and Corey M. Dennis, CIPP/US

Privacy and data breach class actions are on the rise. In fact, just last month, three class actions were filed against MAPCO Express, a southern convenience store chain, based on a hacking incident involving the compromise of its customers’ credit and debit card information. Plaintiffs in such class actions typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor or other company handling their personal information—failed to adequately protect that information, used that information for unauthorized purposes, e.g., online “tracking” or behavioral advertising, or otherwise violated their privacy rights under state or federal statutes or common law.

In class-action lawsuits—including privacy and data breach class actions—plaintiffs are often unable to overcome the class-certification hurdle, which generally results in the failure of the case. For example, class certification was denied in a recent data breach class action in which the plaintiffs claimed that, following an incident in which millions of customers’ debit and credit card data was stolen from a grocery chain, they incurred mitigation damages, including fees for new credit/debit cards, identity theft insurance and credit monitoring. The court found that the plaintiffs met the class certification requirements under Fed. R. Civ. P. 23(a), i.e., numerosity, commonality, typicality and adequacy of representation, but failed to meet the predominance requirement of Fed. R. Civ. P. 23(b), which requires a showing that questions of law or fact common to class members predominate over questions affecting only individual members. Other obstacles for plaintiffs in such cases include establishing standing, injury and causation.

Impact of the U.S. Supreme Court’s Decision in Comcast

Earlier this year, the U.S. Supreme Court reversed class certification in Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013), an antitrust class action brought by cable television subscribers, concluding that the plaintiffs failed to meet Fed. R. Civ. P. 23(b)’s predominance requirement. Although the plaintiffs proposed four theories of antitrust impact, the court only accepted the “overbuilder theory,” i.e., that Comcast’s activities reduced competition from companies building cable networks in the market area. The damages model offered by the plaintiff’s expert calculated damages for the entire class at $875,576,662 but did not isolate damages resulting from any particular theory. As a result, the court held that the plaintiffs’ proffered damages methodology was inconsistent with their theory of antitrust liability and inadequate to establish damages on a classwide basis, emphasizing that a “rigorous analysis” of the plaintiff’s damages model must be conducted.

The Comcast decision has established stricter class-certification standards, making certification more challenging going forward; as noted recently in Forrand v. Federal Express Corp., a plaintiff must now proffer a damages methodology “that can be applied classwide and that ties the plaintiff’s legal theory to the impact of the defendant’s allegedly illegal conduct.” However, some decisions have cast doubt on the case’s impact on the broader class-action landscape, particularly in cases involving less complex damages calculations or certification only as to liability classes. For example, In re Whirlpool Corp. Front-Loading Washer Products Liab. Litig. affirmed a liability class certification in a product liability case, reasoning that Comcast only applies in cases involving liability and damages certification; Manno v. Healthcare Revenue Recovery Grp., LLC, certified a Telephone Consumer Protection Act (TCPA) class action and disagreed that Comcast “treads any new ground in class action law,” and Martins v. 3PD, Inc., certified a wage act class-action where damages calculation issues were neither “particularly complicated nor overwhelmingly numerous.”

ComScore—Largest Internet Privacy Class Action

More recently, a class was certified in Harris v. comScore, Inc., a privacy class action in which the plaintiffs claim that comScore, an online data research company, unlawfully collected data about their activities on the Internet, analyzed that data and sold it to third parties. The plaintiffs seek statutory damages for violations of several federal privacy statutes: the Stored Communications Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.

The comScore court concluded that a class action was the most efficient method for resolving the common issues and that “individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.” The court also reasoned that the U.S. Supreme Court’s “assumption, uncontested by the parties” in Comcast, that Fed. R. Civ. P. 23(b)(3) requires a classwide damages calculation methodology in antitrust cases, “even assuming it is applicable to privacy class actions in some way, is merely dicta and does not bind this court.” Last month, the U.S. Court of Appeals for the Seventh Circuit denied comScore’s appeal of the class-certification ruling, allowing the case to proceed. The comScore class is likely to include millions of individuals, making it one of the largest class actions ever certified.

The emerging trend of privacy and data breach class actions has not been limited to the U.S.; in fact, several such class actions were recently filed in Canada. In June, the Quebec Superior Court granted authorization for a class action in which the plaintiffs claim that Apple violated their privacy rights by transmitting or allowing iPhone and iPad devices to transmit private data to advertisers.

The potential liability resulting from privacy and data breach class actions is so substantial that privacy may be the “next frontier in consumer class actions.” With so much at stake, class certification will undoubtedly be not only an important issue but also a critical battleground in future cases.

David M. Governo is the founding partner of Governo Law Firm, LLC, in Boston, MA. For over three decades, he has defended companies in complex litigation and counseled companies on a range of risk management and compliance issues. He has attained Martindale-Hubbell’s highest “AV” rating, is an active member of the Federation of Defense and Corporate Counsel and has been voted a New England Super Lawyer for many years.

Corey M. Dennis, CIPP/US, is an associate at Governo Law Firm, LLC, where he defends companies in complex litigation and counsels companies on compliance with privacy and data security laws. He has written and spoken extensively on a variety of subjects, including privacy and data security law, social media, employment law, product liability and civil litigation.
