Duane Morris Class Action Review - 2023 - Report - Page 132
The significant decisions in 2022 can be grouped in several categories, which are
discussed below, including: (i) rulings on discovery and procedural decisions involving
class action certification; (ii) preemptive motions to strike and dismiss class claims due
to defects on the face of the pleadings including challenges to a plaintiffs individual and
class standing; (iii) rulings denying class certification based predominance and
individualized inquiries relative to potential damages; and (iv) rulings granting class
certification. Plaintiffs won 50% of class action certification motions in data breach
cases (with three of six motions for class certification granted, and three of six denied).
A.
Discovery And Procedural Decisions
Although not dispositive motions, successful defenses to class certification can begin
with utilizing the gamut of discovery and procedural defenses to substantive proof.
Sometimes procedural defenses underlying the requirements of Rule 23 and discovery
posturing are powerful tools to derail class actions.
For example, in In Re Marriott International Customer Data Security Breach Litigation,
2022 U.S. Dist. LEXIS 80510 (D. Md. May 3, 2022), consumers brought a putative class
action against the defendants, a hotel and other entities, arising from data security
breaches. The defendants moved to exclude the models offered by the plaintiffs’ expert
for calculating class-wide damages for purposes of class certification. The court’s
holding here was two-fold. First, the court found that the methodology of plaintiffs’
expert for calculating class-wide overpayment damages for customers was reliable. In
so finding, the court concluded that the method of the plaintiffs’ expert in formulaically
estimating the amount of any change in market price for the value of the rooms that
Plaintiffs booked in a “but for” world in which consumers were aware that Marriott was
not protecting consumer PII appropriately was reliable as to the plaintiffs’ damages
theory for overpayment. Second, the court found that the model of the plaintiffs’ expert
for calculating class-wide market-value damages was unreliable. In so finding, the court
concluded that any damages stemming from the inherent value of the plaintiffs’ data
cannot be estimated formulaically for all the plaintiffs and the expert’s methodology for
attributing value to preserving the privacy of the plaintiffs’ personal information was
unreliable at this stage in the litigation. In conclusion, the court denied the defendants’
motion to exclude the opinions of the plaintiffs’ expert regarding the overpayment
damages model for purposes of ruling on the class certification motion and granted the
defendant’s motion to exclude the opinions of the plaintiffs’ expert regarding his market
value damages model.
In Tokarski, et al. v. Med-Data, Inc., 2022 U.S. Dist. LEXIS 47799 (W.D. Wash. Mar. 17,
2022), the plaintiffs, a group of customers of the defendant Med-Data, Inc., filed a data
breach class action due to a MedData employee uploading a substantial amount of raw
data, including names, social security numbers, and medical conditions and diagnoses
for patients who received care at providers contracted with MedData to GitHub, a
publicly available website. The public posting of this information contained personal
identifying information and sensitive health care information of over 135,000 patients
and was not removed by MedData for over a year. The court made an interim ruling as
to a motion to transfer and consolidate the various data breach lawsuits pending against
131
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
