In re Hannaford Bros. Co. Customer Data Sec. Breach Litig.

UNITED STATES DISTRICT COURT DISTRICT OF MAINE
Mar 20, 2013
No. 2:08-MD-1954-DBH (D. Me. Mar. 20, 2013)

Summary

denying class certification in data-breach case

Summary of this case from In re Anthem, Inc. Data Breach Litigation

Opinion

IN RE HANNAFORD BROS. CO. CUSTOMER DATA SECURITY BREACH LITIGATION


DECISION AND ORDER ON PLAINTIFFS' REVISED AND SUPPLEMENTED MOTION FOR CLASS CERTIFICATION

Hannaford grocery stores suffered a massive technological intrusion at their retail points of sale during the period December 7, 2007 through March 10, 2008. Customers' debit and credit card data was stolen, and many lawsuits against Hannaford followed. After rulings by the Maine Supreme Judicial Court sitting as the Law Court and by the Court of Appeals for the First Circuit, the claims against Hannaford have been pared down to negligence and breach of implied contract, and the damages are limited to out-of-pocket expenditures customers made in reasonable attempts to mitigate against economic injury. Four named plaintiffs now have moved for certification of a Rule 23(b)(3) class to pursue claims for fees to obtain new cards; fees paid to expedite delivery of new cards; and fees paid for identity theft insurance and credit monitoring. The defendant Hannaford has objected. After oral argument on November 30, 2012, I find that the plaintiffs fail to meet the predominance requirement of Rule 23(b)(3) and DENY the motion for class certification.

PROCEDURAL HISTORY

The plaintiffs are grocery store customers of the defendant Hannaford. They claim that a third party criminally breached Hannaford's information technology systems at the retail point of sale and gained access to the customers' confidential financial and personal information during a 3-month period as a result of negligence and breach of implied contract on Hannaford's part. They filed class action lawsuits in this District and in other Districts. The Judicial Panel on Multidistrict Litigation transferred all the lawsuits here.

Although the defendants also include Sweetbay supermarkets in Florida that are owned by Hannaford and independent stores where Hannaford provides electronic payment processing service, I refer only to Hannaford. Stipulation ¶ 3 (ECF No. 41) ("Without admitting any liability either to Plaintiffs or to any of the other Potential Defendants, Hannaford agrees that any judgment that could be entered in favor of Plaintiffs in this litigation against any of the potential Defendants (were they parties Defendant to the litigation) arising out of the asserted data theft identified above may be entered against Hannaford.").

The plaintiffs then filed a consolidated complaint that alleged seven claims against Hannaford. Hannaford moved under Rule 12(b)(6) to dismiss all claims for failure to state a cause of action.

I dismissed four of the plaintiffs' seven claims for failure to state a claim. I allowed three to proceed, but only as to a plaintiff who, as a result of the intrusion, had incurred fraudulent charges and had not been reimbursed. Otherwise, I ruled that the plaintiffs had suffered no injury cognizable under Maine law. Thereafter, the plaintiffs stipulated that in fact that particular plaintiff had received reimbursement. I then dismissed the consolidated class action complaint in its entirety either for failure to state a claim or for lack of cognizable injury, but I delayed entry of judgment while I certified to the Maine Supreme Judicial Court sitting as the Law Court the question:

(1) In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F.Supp.2d 198, 201 (D. Me. 2009).

I certified a second question, which the Law Court found unnecessary to answer in light of its answer to the first question.

The Law Court answered no, agreeing with me that time and effort alone do not constitute a cognizable harm under Maine law. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 498 (Me. 2010). I then entered judgment in favor of Hannaford, dismissing all claims.

On appeal, the First Circuit upheld my dismissal of five claims. But on negligence and breach of implied contract—where I ruled that the plaintiffs had stated a claim, but had not alleged cognizable injury for which to obtain relief—the Circuit ruled that the plaintiffs had sufficiently alleged categories of damages that were not time and effort alone and that were reasonably foreseeable mitigation costs that constitute cognizable harm under Maine law. Those were the fees for replacing cards and the cost of data theft protection products. As a result, the First Circuit ruled, the plaintiffs could proceed on their negligence and breach of implied contract claims, and it vacated and remanded accordingly. Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011).

Upon remand, the plaintiffs filed this new motion for class certification under Rule 23(b)(3), recasting their proposed class in light of the law of the case. The proposed class now is:

All persons or entities anywhere in the United States who made purchases at stores owned or operated by Defendant or for which Defendant provided electronic payment processing services, during the period from December 7, 2007 through March 10, 2008, using debit or credit cards, and who made reasonable out of pocket expenditures in mitigation of the consequences to them of an electronic breach of Defendant's data security during this period consisting of 1) payment of fees to obtain prompt replacement of cancelled cards and 2) purchase of security products such as credit monitoring and identity theft insurance.
In other words, the proposed class now is limited to Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.

ANALYSIS

I proceed to assess whether the plaintiffs satisfy the Rule 23(a) and (b)(3) criteria:

A. Rule 23(a)

1. Numerosity

The proposed class consists of those customers who spent money to obtain prompt replacement of their cards and/or purchased credit monitoring and identity theft insurance. Is their number sufficient to satisfy the numerosity requirement?

The numerosity requirement is satisfied when "the class is so numerous that joinder of all members is impracticable." Fed. R. Civ. P. 23(a)(1). There is no strict numerical test; "[t]he numerosity requirement requires examination of the specific facts of each case and imposes no absolute limitations." Gen. Tel. Co. v. EEOC, 446 U.S. 318, 329-30 (1980). Although numbers alone are "not usually determinative," Andrews v. Bechtel Power Corp., 780 F.2d 124, 131 (1st Cir. 1985), the sheer number of potential litigants in a class can be the only factor needed to satisfy numerosity. In re Sonus Networks, Inc. Sec. Litig., 247 F.R.D. 244, 248 (D. Mass. 2007); Swack v. Credit Suisse First Boston, 230 F.R.D. 250, 258 (D. Mass. 2005); In re Relafen Antitrust Litig., 218 F.R.D. 337, 342 (D. Mass. 2003) ("forty individuals [are] generally found to establish numerosity"); 1 Herbert Newberg & Alba Conte, Newberg on Class Actions § 3.05, at 3-25 (3d ed. 1992) (generally impracticable to join 40 plaintiffs and therefore a class of 40 should normally satisfy the numerosity requirement). While the named plaintiffs need not plead or prove the exact number of class members, speculation is insufficient, and they must positively show the impracticability of joinder. 7A Charles Alan Wright & Arthur R. Miller, Mary Kay Kane, Federal Practice And Procedure § 1762 (3d Ed. 2001) (observing that the party seeking class certification "bear[s] the burden of showing impracticability and mere speculation as to the number of parties involved is not sufficient to satisfy Rule 23(a)(1)").

Here, the named plaintiffs rely on data from three representative card issuers that dealt with Hannaford customers, Discover, KeyBank and Bank of America. This data shows fees associated with card replacement, expedited replacement, and identity theft protection products during the year following the Hannaford data breach. The data from Bank of America shows that approximately 12,000 card holders whose data was "reportedly subject to a security breach at Hannaford" purchased identity theft protection in the year following the Hannaford data breach. Decl. of Lori Lamb ¶ 6 (ECF No. 161-4); Lamb Ex. A (ECF No. 141-5). The number of Bank of America cardholders who purchased identity theft protection doubled from December 2007 to January 2008 and then the number continued increasing until April 2009. In May 2009, the number of Bank of America cardholders who purchased new identity theft protection policies began to decline, but did not drop to prebreach numbers until November 2009. Lamb Ex. A (ECF No. 141-5). The data from Discover shows that approximately five thousand card holders whose Discover cards may have been compromised purchased identity theft protection products in the year following the Hannaford data breach. Murray Decl. (ECF No. 161-11); Murray Ex. B (ECF No. 161-13). The number of Discover cardholders who purchased new identity theft protection products increased after December 2007 and did not return to prebreach levels until July 2008. Murray Ex. B (ECF No. 161-13). The data from KeyBank shows that approximately 14,000 cardholders were charged replacement fees in the year following the Hannaford data breach. Decl. of David Sanderson (ECF No. 161-6); Sanderson Ex. A (ECF No. 161-7).

Approximately one-half of those charged had their replacement fees refunded and approximately one-third of those charged rush fees for replacement cards had the rush fees refunded. Sanderson Ex. A (ECF No. 161-7).

I conclude that this data satisfies the numerosity requirement, and that the numbers alone demonstrate impracticality of joinder. I recognize that correlation does not demonstrate causation, and that I cannot be confident that the Hannaford incident was the sole cause for all these expenses. But at this stage of class certification the challenge is to predict whether the class will be large. When assessing the size of the putative class, courts may "draw reasonable inferences from the facts presented to find the requisite numerosity." McCuin v. Secretary of Health and Human Services, 817 F.2d 161, 167 (1st Cir. 1987). Given the patterns shown here for these card issuers and the absence of alternative persuasive explanations for those patterns, I conclude that the number of Hannaford customers who incurred these fees as a result of the breach is sufficient to satisfy Rule 23(a)(1).

Hannaford argues that the increase in purchases of Discover theft protection products may be explained by Discover's sales push or marketing practices at the time. Although Discover Bank entered into a consent decree with the Federal Deposit Insurance Corporation relating in part to Discover's marketing practices during the time period relevant to this case and paid a fine in connection with that consent decree, Discover admitted no liability in connection with that case, In re Discover Bank, FDIC-11-548b, FDIC-11-551k, 2012-CFPB-05, Joint Consent Order (Sept. 24, 2012), and I have no way to assess its implications for the data the plaintiffs have presented here.

In opposing the numerosity finding, Hannaford points to In re Heartland Payment Sys., Inc. Customer Sec. Breach Litig., 851 F. Supp. 2d 1040, 1047 & n.2, 1050 (S.D. Tex. 2012). That was a case also involving a credit card data breach. There were 130 million potential class members in Heartland Payment. Yet after settlement, only 290 filed claims, and of those, only 11 claims were valid. Id. at 1050. Hannaford argues that there is no basis to assume that a larger number of class members will ultimately assert claims in this lawsuit than in Heartland Payment, and that in fact Hannaford already established a generous refund program following the data intrusion here. Hannaford points out that one former named plaintiff testified that she did not know whether KeyBank refunded the $5 fee it charged her for a replacement card, and that she had not checked on the refund because it was not worth her time to verify whether she received it. Dep. of Cyndi Cyr at 17-19 (ECF No. 164-27). Hannaford seems to characterize this projected lack of interest as inability to demonstrate impracticability of joinder because, Hannaford claims, few customers will want to be part of the class. Hannaford's Opp'n to Pls.' Mot. for Class Certification at 10 (ECF No. 164).

Apparently Hannaford, upon request, paid for card replacement fees and fees to expedite card delivery, but generally did not reimburse identity theft protection premiums or credit monitoring expenses. Aff. of Sheri Stevens at 2 (ECF No. 164-3).

I am certainly concerned that if this case proceeds as a class action, few class members will ultimately be interested in taking the time to file the paperwork necessary to obtain the very small amount of money that may be available if there is a recovery. I also note that the recovery of generous fees for plaintiffs' attorneys and large cy pres awards with little money going to actual class members call into question the integrity of the class action process for resolving lawsuits. Nevertheless, those are policy issues for Congress or for the Federal Rules drafters. There is no precedent for my deciding the numerosity issue based upon how many claimants care about recovery, or are likely to come forward to make a claim. This portion of the Rule is concerned only with whether the class as defined is composed of sufficient numbers to warrant class action treatment. My uneasiness based on the Heartland Payment outcome, and my concern here that this is a de minimis class action where virtually no one will bother to make a claim and that any recovery will serve solely the lawyers (and perhaps some modest measure of corporate deterrence) present questions for those who write the class action rules and for Congress, not for this individual judge applying the language of the Rule.

Of the $1 million settlement fund created by Heartland, only $1,925 was paid out to class members, and the remainder was distributed through cy pres. Heartland Payment, 851 F. Supp. 2d at 1067 & n.18, 1076-77, 1080. In sharp contrast, attorneys received $606,192.50 in fees, id. 1089, and Heartland paid $1,770,000 for notice and administration costs, id. at 1077-78, 1080. Such an outcome should give anyone pause.

Except to the extent that prediction of a significant number of opt-outs and the likelihood of collateral litigation as a result would affect the superiority analysis under Rule 23(b)(3).

2. Commonality

To meet the commonality requirement under Rule 23(a)(2), the named plaintiffs must show that "there are questions of law or fact common to the class." Fed. R. Civ. P. 23(a)(2). The claims of the class "must depend upon a common contention . . . that it is capable of classwide resolution-which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke." Wal-Mart Stores, Inc. v. Dukes, 131 S. Ct. 2541, 2551 (2011). "What matters to class certification . . . is not the raising of common questions—even in droves—but, rather the capacity of a classwide proceeding to generate common answers apt to drive the resolution of the litigation. Dissimilarities within the proposed class are what have the potential to impede the generation of common answers." Id. (internal quotations and citations omitted).

Whether Hannaford's conduct was negligent or a contractual breach and whether it caused a data security breach that resulted in theft of customers' data and reasonably prompted customers to take mitigation measures are questions that are common among all the class members. Answering these questions will resolve issues that are "central to the validity of each one of the claims in one stroke." While the losses of each class member may not be identical in amount or type, Hannaford's action or inaction that allegedly produced the loss is the same, and the economic injuries are similar. Thus, there are questions of law and fact common to the class, and the commonality requirement is satisfied.

Hannaford cites to two cases involving Discover's sales and marketing practices covering the same time period as the data breach at issue here. One case involves a consent agreement with the State of Minnesota. Minnesota v. Discover Financial Servs., 27-cv-10-27510, Consent Judgment (Minn. Dist. Ct. Nov. 2, 2011). That case is not relevant because it applies to only Minnesota residents whereas this case involves no Minnesota residents. The other case is a class action also involving Discover's sales and marketing practices during the relevant time, but in that case there was a settlement where Discover admitted no liability. In re Discover Payment Protection Plan Mktg. & Sales Practice Litig., No. 1:10-cv-06994, Settlement Agreement (ECF No. 148-1) (N.D. Ill. October 13, 2011) and Final Order and Judgment (ECF No. 177) (N.D. Ill. May 10, 2012). Therefore, neither of these lawsuits detracts from commonality at this stage.

3. Typicality

Rule 23(a)(3) requires that "the claims or defenses of the representative parties [be] typical of the claims or defenses of the class." Fed. R. Civ. P. 23(a)(3). The typicality analysis is designed to ensure that class representatives, in pursuing their own interests, concurrently will advance those of the class. Class representatives' claims are "typical" when their claims "arise from the same event or practice or course of conduct that gives rise to the claims of other class members, and . . . are based on the same legal theory." Garcia-Rubiera v. Calderon, 570 F.3d 443, 460 (1st Cir. 2009) (quoting In re Am. Med. Sys., Inc., 75 F.3d 1069, 1082 (6th Cir. 1996) (further citation omitted)). The purpose of the typicality inquiry is to "align the interests of the class and the class representatives so that the latter will work to benefit the entire class through the pursuit of their own goals." In re Boston Scientific Corp. Sec. Litig., 604 F.Supp.2d 275, 282 (D. Mass. 2009) (quoting In re Prudential Ins. Co. Am. Sales Litig., 148 F.3d 283, 311 (3d Cir. 1998)).

As I said under commonality, the named plaintiffs here, like each member of the class, need to show that Hannaford was negligent or breached an implied contract, that Hannaford's conduct caused the data breach, that the data breach affected their debit or credit cards, and that they took reasonable mitigating efforts as a result. The named plaintiffs are entirely typical of the class in those respects. Two of the named plaintiffs incurred fees for card replacement; one incurred fees for prompt card replacement; and two incurred fees to purchase credit monitoring or identity theft insurance.

Where things differ is in the economic impact on various class members. Some Hannaford customers had fraudulent charges; others did not; some bought insurance or credit monitoring; others did not; some paid a fee for a new card; others did not; some paid for rush delivery; others did not. The class is limited to those who incurred one or another of these fees, but Hannaford asserts that the differences entail individual evidence of causation as to each class member's need to take mitigation efforts, that resolution of any named plaintiff's claim will leave unresolved the claims of any other putative class member, and that the named plaintiffs therefore cannot satisfy the typicality standard. Hannaford's Opp'n to Pls.' Mot. for Class Certification at 33 (ECF No. 164). For support Hannaford relies on In re TJX Cos. Retail Sec. Breach Litigation, 246 F.R.D. 389 (D. Mass. 2007), where the court denied class certification of a negligent misrepresentation claim by credit card issuers against data security companies. TJX held that where reliance is an element of a claim, a presumption of reliance is never appropriate because "[p]roving the element of reliance will necessarily involve individual questions of fact." 246 F.R.D. at 395. Hannaford argues that the same reasoning applies here to proof of expenditures made to mitigate damages, the premise of the class damages claim.

As an abstract proposition, there is some force to Hannaford's argument. But to accept it under the typicality analysis at this stage of the proceedings would be unfaithful to the First Circuit's decision that remanded the case to me. That court read the plaintiffs' complaint as establishing the following:

This case involves a large-scale criminal operation conducted over three months and the deliberate taking of credit and debit card information by sophisticated thieves intending to use the information to their financial advantage. Unlike the cases cited by Hannaford, this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft, and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.
Further, there is no suggestion there was any way to sort through to predict whose accounts would be used to ring up improper charges. By the time Hannaford acknowledged the breach, over 1,800 fraudulent charges had been identified and the plaintiffs could reasonably expect that many more fraudulent charges would follow. Hannaford did not notify its customers of exactly what data, or whose data, was stolen. It reasonably appeared that all Hannaford customers to have used credit or debit cards during the class period were at risk of unauthorized charges.
That many banks or issuers immediately issued new cards is evidence of the reasonableness of replacement of cards as mitigation. Those banks thought the cards would be subject to unauthorized use, and cancelled those cards to mitigate their own losses in what was a commercially reasonable judgment. That other financial institutions did not replace cards immediately does not make it unreasonable for cardholders to take steps to protect themselves.
[For the negligence claim] It was foreseeable, on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data. It is true that the only plaintiffs to allege having to pay a replacement card fee, Cyndi Fear and Thomas Fear, do not allege that they experienced any unauthorized charges to their account, but the test for mitigation is not hindsight. Similarly, it was foreseeable that a customer who had experienced unauthorized charges to her account, such as plaintiff Lori Valburn, would reasonably purchase insurance to protect against the consequences of data misuse.
. . . .
[For the implied contract claim] Plaintiffs' claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse. Under Maine contract law, these financial losses are recoverable as mitigation damages so long as they are reasonable.
Anderson, 659 F.3d at 164-65, 167. I read that language by the First Circuit as establishing that, on the facts that the plaintiffs asserted, a jury could find that every customer "knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach" was entitled to mitigate by replacing the card, and that every customer "who had experienced unauthorized charges to her account" was entitled to mitigate by purchasing insurance. That entitlement to mitigate under the circumstances alleged makes the named plaintiffs' claims of injury typical of the class. To be sure, the plaintiffs may be unsuccessful in proving at trial or on summary judgment all of the facts that they alleged, but that is the premise of the lawsuit before me after remand, and this First Circuit holding suffices for this trial judge's determination of typicality.

I believe the First Circuit's language also makes untenable Hannaford's assertion that such mitigation efforts "are not susceptible to proof by common evidence." Hannaford's Opp'n to Pls.' Mot. for Class Certification at 9 (ECF No. 164).

At oral argument, the plaintiffs' lawyer suggested that the mitigation costs were reasonable as a matter of law after the First Circuit's decision. I have not yet resolved that issue. I note also that the plaintiffs' proposed class goes beyond the First Circuit's statement that insurance protection was reasonable mitigation for a customer who suffered fraudulent charges on her account. The proposed class is not limited to those who suffered fraudulent charges before they purchased such products. But the First Circuit did not say that it was unreasonable to purchase the protective products before suffering a fraudulent charge, and at this stage I see no reason to reject this broadening of what is reasonable.

4. Adequacy

Adequacy of representation requires that "the representative parties will fairly and adequately protect the interests of the class." Fed. R. Civ. P. 23(a)(4). There are two elements to the adequacy inquiry. First, there must be an absence of potential conflict between the named plaintiffs and the potential class members, and, second, the lawyers chosen by the class representative must be "qualified, experienced, and able to vigorously conduct the proposed litigation." Andrews v. Bechtel Corp., 780 F.2d 124, 130 (1st Cir. 1985).

Specifically, of the four named plaintiffs one paid a fee for replacement of his Key Bank card and an additional fee to expedite delivery of his replacement card after his card was cancelled because of a fraudulent charge. Another was required to pay a fee to obtain a new card when she cancelled her Key Bank debit card in the wake of a fraudulent charge. The other two both purchased identity theft insurance products offered to them by Discover. One bought Discover's Identity Theft Protection ("ITP") product when he learned about the Hannaford data security breach. The other bought Discover's Wallet Protection product when she experienced fraudulent activity with her Discover card number. These named plaintiffs appear to have no interests antagonistic to the other class members.

Nevertheless, Hannaford asserts in general that the named plaintiffs are not adequate because they have chosen to participate in class litigation rather than apply to Hannaford for refund gift cards. This path, Hannaford claims, "needlessly reduces the recovery for the putative class [and] contravenes the representatives' duty to protect the class." Hannaford's Opp'n to Pls.' Mot. for Class Certification at 34. The Seventh Circuit seems to have accepted this argument. In re Aqua Dots Prods. Liability Litig., 654 F.3d 748, 752 (7th Cir. 2011). Hannaford has not referred to any other Circuit that has done so. Although reasonable people can certainly maintain that as a matter of policy other solutions are preferable to litigation, I do not see how that argument has a place in the class certification decision under the current Rule. A named plaintiff can represent a class only by filing a lawsuit; that is what the Federal Rules of Civil Procedure (and Rule 23 in particular) are for. Named plaintiffs are hardly adequate representatives of a class by not filing a lawsuit, because then they are not class representatives at all! Moreover, members of a class under 23(b)(3) who determine that their interests are better served otherwise (as by an individual lawsuit or by applying for a refund from Hannaford) are free to opt out of the class. Fed. R. Civ. P. 23(c)(3)(B). This "opt out" provision is designed to ensure that even in a class action that meets all the prerequisites of Rule 23, "the individual interest is respected." Advisory Committee Notes to the 1966 Amendments. So, regardless of whether Hannaford customers are better advised to apply directly to Hannaford to reimburse the fees they paid, I find that the named plaintiffs are adequate under the language of the Rule.

Regarding the second part, the plaintiffs want attorneys Peter Murray, Thomas Newman, Lewis Saul and Samuel Lanham as class counsel. I previously appointed Peter L. Murray of Murray, Plumb & Murray and Lewis J. Saul of Lewis Saul & Associates P.C. as interim lead counsel. Procedural Order at 5 (ECF No. 22). At the time that appointment was made I noted that "although they do not have previous experience with data theft cases, they do have substantial class action experience, . . . familiarity with Maine law [and] . . . experience litigating class actions in the District of Maine." I later appointed Samuel Lanham of Lanham Blackwell P.A., who has class action experience, as associate interim counsel. Tr. of Proceedings Jan. 3, 2012 at 2 (ECF No. 127). The plaintiffs have now asked that I appoint Thomas Newman, law partner of Peter Murray, as class counsel. Thomas Newman is a distinguished member of the bar of this court. Hannaford does not challenge the qualifications of class counsel. Attorneys Peter Murray, Thomas Newman, Lewis Saul and Samuel Lanham all qualify for appointment as class counsel.

Since the named plaintiffs meet both parts of the adequacy of representation test, Rule 23(a)(4) is satisfied.

B. Rule 23(b)(3)

Rule 23(b)(3) provides for class certification where "questions of law or fact common to class members predominate over any questions affecting only individual members, and . . . a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Rule 23(b)(3) (emphasis added). The objective behind both requirements is the promotion of economy and efficiency. See Rule 23(b)(3) Advisory Committee notes.

1. Predominance

Do "questions of law or fact common to class members predominate over any questions affecting only individual members" with respect to the class claims here?

The common questions of liability on the plaintiffs' negligence and implied contract claims concern whether Hannaford breached a duty to securely maintain its customers' credit and debit card information and whether that breach caused the intrusion, affected the plaintiffs' electronic data and reasonably led them to take protective measures that cost money.

Understandably, Hannaford has not asserted a comparative negligence defense against its customers, a defense that otherwise might increase individualized issues.

I have ruled previously that the parties are bound by their earlier stipulation that Maine law governs. Decision and Order Regarding Choice of Law (ECF No. 103). For negligence recovery, see McIlroy v. Gibson's Apple Orchard, 43 A.3d 948, 951 (Me. 2012) (Maine negligence action has four elements: a duty owed, a breach of that duty, an injury, and a finding that the breach of duty was a proximate cause of the injury.). For implied contract recovery, see Seashore Performing Arts Center, Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484 (Me. 1996) ("[A] contract includes not only the promises set forth in express words, but, in addition, all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and the circumstances under which it was made." (quoting Top of the Track Assocs. v. Lewiston Raceways, Inc., 654 A.2d 1293, 1295 (Me. 1995) and Niehoff v. Shankman & Associates Legal Center, 763 A.2d 121, 124 (Me. 2000) ("The same rules of causation generally apply whether the cause of action sounds in contract, negligence, or breach of fiduciary duty.")).

As I said earlier, where things differ is in the actual impact on particular cardholders (for example, whether their particular accounts suffered fraudulent charges or not) and the actual mitigating steps they took and the costs they incurred.

Here, the appellate caselaw does not give clear guidance. On the one hand, the First Circuit has said that variations in damages do not prevent class certification and has reversed a court that said they did. See Smilow v. Southwestern Bell Mobile Sys., Inc., 323 F.3d 32, 40 (1st Cir. 2003) ("The individuation of damages in consumer class actions is rarely determinative under Rule 23(b)(3). Where, as here, common questions predominate regarding liability, then courts generally find the predominance requirement to be satisfied even if individual damages issues remain."). Other circuits and authorities often say the same thing. On the other hand, if the issue is phrased as causation (of damages), the courts demand common proof. In re New Motor Vehicles, 522 F.3d 6, 25-26 (1st Cir. 2008).

In another case finding insufficient evidence of common proof of antitrust impact, the First Circuit cited Smilow and said: "Predominance is not defeated by individual damages questions as long as liability is still subject to common proof. This is because the class action can be limited to the question of liability, leaving damages for later individualized determinations." In re New Motor Vehicles, 522 F.3d 6, 28 (1st Cir. 2008) (internal citations omitted).

See, e.g., Ward v. Dixie Nat. Life Ins. Co., 595 F.3d 164 (4th Cir. 2010) (insured's class action, asserting breach-of-contract claims against insurers for alleged underpayments on supplemental cancer policies, satisfied the predominance requirement for class certification, despite the alleged need for individualized damage determinations for class members, since the damages calculation was not individualized in one important respect in that the identical formula could be used to calculate all class members' damages as equal to actual charges less amount paid); Yokoyama v. Midland Nat. Life Ins. Co., 594 F.3d 1087 (9th Cir. 2010) (individualized damages claims against a life-insurance company that allegedly engaged in deceptive practices in the sale of indexed annuity products did not defeat certification of the class action.); Beattie v. CenturyTel, Inc., 511 F.3d 554 (6th Cir. 2007) (common issues may predominate, as required for class certification, when liability can be determined on a class-wide basis, even when there are some individualized damage issues); Klay v. Humana, Inc., 382 F.3d 1241 (11th Cir. 2004) (in a fraud-based RICO action against HMOs alleging a nationwide conspiracy to underpay doctors, the fact that individualized determinations were necessary to determine the extent of damages allegedly suffered by each plaintiff was not sufficient to defeat class certification because common questions of law and fact predominated over individual issues). As recognized treatises say, "the action may be considered proper under Rule 23(b)(3) even though other important matters will have to be tried separately, such as damages or some affirmative defenses peculiar to some individual class members." 7A Federal Practice and Procedure § 1778; 6 Alba Conte & Herbert B. Newberg, Newberg on Class Actions § 18:27 (4th ed. 2002) ("A particularly significant aspect of the Rule 23(b)(3) approach is the recognition that individual damages questions do not preclude a Rule 23(b)(3) class action when the issue of liability is common to the class.").

Which label applies here, causation where common proof is required, or damages where individuation is allowed? Hannaford argues that causation is at issue, and that there can be a huge variation among customers in whether and how many fraudulent charges they suffered, the steps they took as a result, what alternative resources were available to them, etc. The plaintiffs, on the other hand, say that Hannaford caused the problem, and the only issue where there might be individualized proof is the amount of damage that each customer suffered. This labeling distinction is not a particularly useful method for deciding predominance. While the fact that damages may have to be ascertained on an individual basis is not, standing alone, sufficient to defeat class certification, it is nonetheless a factor that I consider in deciding whether, in the words of the Rule, the controversy can be fairly and efficiently adjudicated as a class action. McLaughlin v. American Tobacco Co., 522 F.3d 215, 231 (2d Cir. 2008). As a trial judge, in my assessment of predominance I turn instead to how the trial will work (or not work) if this lawsuit proceeds as a class action.

Hannaford's argument is that the plaintiffs have to prove causation as to each class member. Presumably this would require testimony such as: "I bought identity theft insurance because of the Hannaford announcement, not because of a marketing campaign by Discover, or for another issue in my life (a different card stolen, etc.)."; "I had my card replaced because of the Hannaford announcement, not because I lost it or it was stolen, and I was not reimbursed for the charge."; or "I needed rush delivery because I needed to use this card."

Here, the plaintiffs tell me that the trial will be straightforward; the issues of standard of care, breach, and what happened as a result of the intrusion are all the same. And they say that they will prove by statistical proof the total damages caused to the class. In that respect, they say that they have card issuers' records that isolate the category of customers who shopped at Hannaford. As I described under numerosity, they say that these records show cards replaced and fees charged, instances of rush delivery charges, and instances of the purchase of insurance or credit monitoring services. These are chronological, they say, and show a pattern of escalation around the time of the Hannaford incident and soon thereafter. In addition, they say, they have evidence of "industry and institutional averages and trends." Pls.' Reply Mem. in Support of Class Certification at 10 (ECF No. 168). The plaintiffs go on to say that they can find experts who will be able to testify by statistical probability what proportion of the fees incurred are attributable to the Hannaford intrusion, as distinguished from other causes (like card loss or theft, other things in the news, marketing of services, etc.). Id. at 5; Tr. of Oral Argument on November 30, 2012 at 11 (ECF No. 171). They say that with this evidence they will ask the jury for a lump sum damage award that reflects the total fees that Hannaford caused. Later, they say, it will be a matter of typical class administration to distribute the proceeds to those who claim a share and qualify.

At oral argument their lawyer told me that they limit their claims for insurance and credit monitoring to those that they purchased from their card-issuing institutions. Tr. of Oral Argument on November 30, 2012 at 12-13 (ECF No. 171). He also said that named plaintiff Valburn had such insurance through a homeowner's policy and their argument is that they can recover damages regardless of the availability of other sources of protection, and thus that Hannaford is not prevented from making its argument that other sources should diminish recovery. Tr. of Oral Argument on November 30, 2012 at 15. One named plaintiff, says Hannaford, paid for rush delivery merely as a "convenience," id. at 14. The plaintiffs respond that expedited delivery fees are standard as a matter of course in today's world, id. at 17, and can be determined as reasonable either as a matter of law or by the jury.

The classic case for the lump sum award is the divided Ninth Circuit decision, Hilao v. Estate of Marcos, 103 F.3d 767 (9th Cir. 1996). See also In re the Exxon Valdez, 270 F.3d 1215 (9th Cir. 2001) (recognizing that trial court had certified and tried a compensatory damages class for all commercial fishermen and Alaska Natives for damage to commercial fishing expectations caused by Exxon Valdez oil spill, but not commenting or ruling on the procedure). Other courts reject this as impermissible "fluid recovery." McLaughlin v. American Tobacco Co., 522 F.3d 215, 227 (2d Cir. 2008) (class could not be certified on the basis of expert analyses using advanced statistical methods because individualized proof on issues of reliance, injury and damages was required). See also In re Fibreboard Corp., 893 F.2d 706 (5th Cir. 1990) (rejecting class trial on causation and damages for 2,990 class members because such a trial "can be no more than the testimony of experts regarding their claims, as a group, compared to the claims actually tried to the jury. That procedure cannot focus upon such issues as individual causation, but ultimately must accept general causation as sufficient, contrary to Texas law"; "population-based probability estimates do not speak to a probability of causation in any one case; the estimate of relative risk is a property of the studied population, not of an individual's case."). The Third Circuit has avoided deciding whether "aggregation and statistical modeling" may be used to determine damages in a non-class action context where the plaintiffs were a number of union health and welfare funds and the damages were premised on the smoking-related costs that they incurred for fund participants. Steamfitters Local Union No. 420 Welfare Fund v. Philip Morris, Inc., 171 F.3d 912, 929-930 (3d Cir. 1999). The First Circuit, however, appears to recognize the aggregate award procedure. In re Pharm. Indus. Average Wholesale Price Litig., 582 F.3d 156, 197-98 (1st Cir. 2009) (quoting Newberg on Class Actions) ("[A]n aggregate monetary liability award for the class will be binding on the defendant without offending due process.") (approving an award of aggregate damages based on the opinion of plaintiffs' expert that a gap of greater than 30% between the actual cost of acquisition of a drug and the published Average Wholesale Price should trigger liability).

Hannaford, on the other hand, says that such a trial would violate the Rules Enabling Act, deprive it of its constitutional right to due process, and be fundamentally unfair. Hannaford's Opp'n to Pls.' Mot. for Class Certification at 13-14, 24. It insists on the right to be able to cross-examine each class member individually to ascertain whether he/she actually had fraudulent charges on his/her account, what really motivated his/her decision to incur certain fees, whether the decision was unreasonable under all the circumstances, and to determine for each class member what alternatives were available (AAA membership or credit union insurance that would provide coverage at no extra cost) to him/her, Hannaford's Opp'n to Pls.' Mot. for Class Certification at 9. Hannaford asserts that cardholders regularly replace their cards for reasons unrelated to the Hannaford intrusion, that there is always "fraud in the electronic payment system from known and unknown causes," id. at 20-21, that individual plaintiffs may have had other motivations for buying insurance products or replacing a card, id. at 21, and that consumers purchase theft protection products even in the absence of a criminal data intrusion on their accounts, id. at 21-22. Thus, these issues that will affect entitlement to recovery, Hannaford asserts, can only be determined on an individual cardholder basis.

In saying that insurance was a reasonable mitigating measure, the First Circuit referred to named plaintiff Valburn as having fraudulent charges on her account. It did not address whether theft protection products were reasonable for individuals who had not accrued any fraudulent account charges or for how long the purchase of a theft protection product would be reasonable. I conclude that the First Circuit's reasoning is broad enough to let a jury decide what is reasonable on that score.

Hannaford asserts that the replacement of cards and the purchase of the theft protection products by cardholders were emotional or panic responses and that these customers/cardholders should not be permitted to recover. The plaintiffs respond that they are limiting themselves to the possibilities raised by the representative plaintiffs: (1) cardholders who called Hannaford, were told that Hannaford couldn't do anything for them, and then called their card issuer, who recommended they purchase theft protection; or (2) cardholders who had fraudulent charges placed on their accounts and whose card company recommended purchasing a theft protection product. Tr. of Oral Argument on Nov. 30, 2012 at 13-14 (ECF No. 171). At a trial, Hannaford could present evidence that there was little or no risk to the plaintiffs' financial information as a result of the breach and thus any actions that they took were unnecessary.

There are difficulties with both sides' arguments. Hannaford's position, construed broadly, would basically eliminate consumer class actions, if every consumer's damage must be assessed individually before the jury in a class action. But cases that support the plaintiffs' lump sum jury verdict procedure do not easily fit the record here. Generally in those cases, the plaintiffs already had an expert who had looked at the data and stated his/her ability to testify what the total damages would be. That is missing in this case. Although the plaintiffs have told me they will find such an expert, they have not presented that expert or that expert's opinion. Certainly I cannot take judicial notice that there will be such an expert. The plaintiffs bear the burden at class certification, General Telephone Co. of Southwest v. Falcon, 457 U.S. 147, 156 (1982), and I conclude that their lack of an expert opinion on their ability to prove total damages to the jury is fatal. Without an expert, they cannot prove total damages, and the alternative (which even they do not advocate) is a trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.

See, e.g., In re Pharm. Industry Average Wholesale Price Litig., 582 F.3d 156, 197-98 (1st Cir. 2009) (approving an award of aggregate damages based on the opinion of plaintiffs' expert that a gap of greater than 30% between the actual cost of acquisition of a drug and the published Average Wholesale Price should trigger liability); Smilow v. Southwestern Bell Mobile Sys., Inc., 323 F.3d 32, 40-41 (1st Cir. 2003) (plaintiffs' expert asserted that "he could fashion a computer program that would extract from Cellular One's records (1) a list of customers who received incoming calls during the class period; (2) a list of customers who paid extra during the class period because they were billed for incoming calls; and (3) actual damages for each class member during the class period"); In re Neurontin Antitrust Litig., 2011 WL 286118, *9-*10 (D.N.J. January 25, 2011) (in support of class certification plaintiffs' expert relied on pricing and sales data from manufacturers and multiplied the total units that would have been generic by the differential between the actual and "but for" price to arrive at the total class overcharge damages).

In the absence of expert opinion testimony, I conclude that the plaintiffs have not shown predominance. Nevertheless, in the event that the Circuit disagrees, I proceed to the final factor.

2. Superiority

The Rule lists four nonexhaustive factors relevant to superiority:

(A) the class members' interest in individually controlling the prosecution or defense of separate actions;
(B) the extent and nature of any litigation concerning the controversy already begun by or against class members;
(C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; and
(D) the likely difficulties in managing a class action.
All four lead to the conclusion that a class action is the superior method for adjudicating this controversy. Given the size of the claims, individual class members have virtually no interest in individually controlling the prosecution of separate actions (A); all the litigation has been transferred here (B and C); if I am wrong in my predominance ruling such that the plaintiffs should be allowed to find their expert later and do find one who can testify about lump sum damages, the difficulties of managing the class action (D) are then manageable.

Courts have found that a class action is superior where potential damages may be too insignificant to provide class members with the incentive to pursue a claim individually. Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 617 (1997). The amount of damage for each individual cardholder here is small, making this case particularly well-suited for class treatment.

Trial then would focus on the data theft, Hannaford's responsibility to have avoided it, and perhaps the reasonableness of customer concern after learning of it. Individual damages will vary, but a lump sum verdict against Hannaford would establish the fund against which class members could make claims and prove their eligibility.

As I have said previously, Hannaford asserts that it created a refund program for fees related to credit card replacement arising out of the data theft. It argues that its program provides a superior method of recovery. Hannaford's Opp'n to Pls.' Mot. for Class Certification at 25. Hannaford representatives say that the refund program provides Hannaford gift cards to customers who paid fees associated with replacing their cards and with promptly obtaining a new card and does not require proof of causation or even loss. Stevens Aff. ¶¶ 6, 10 (ECF No. 164-3). The gift cards, Hannaford contends, afford class members a comparable or even better remedy than they could hope to achieve in court. Hannaford's Opp'n to Pls.' Mot. for Class Certification at 24. Hannaford relies on a handful of district court cases that conclude that where a defendant by "allow[ing] consumers to obtain refunds" is offering the very relief that plaintiffs seek, then "a class action is not superior." Webb v. Carter's Inc., 272 F.R.D. 489, 504-05 (C.D. Cal. 2011) ("Where the defendant 'is already offering the very relief that Plaintiffs seek' by 'allow[ing] consumers to obtain refunds,' then 'a class action is not superior.'"); In re ConAgra Peanut Butter Prods. Liab. Litig., 251 F.R.D. 689, 700-01 (N.D. Ga. 2008) (finding that class action did not meet superiority requirements because, in part, defendant had instituted a full refund program); In re Phenylpropanolamine (PPA) Prods. Liab. Litig., 214 F.R.D. 614, 622 (W.D. Wash. 2003) (finding that because defendants maintained an ongoing refund and product replacement program, it made little sense to certify a class "where a class mechanism is unnecessary to afford the class members redress"); Berley v. Dreyfus & Co., 43 F.R.D. 397, 398-99 (S.D.N.Y. 1967) (when defendant offered to refund the purchase price of the security, and most investors accepted the refund without further ado, court declined to certify their proposed class, since class certification in these circumstances "would needlessly replace a simple, amicable settlement procedure with complicated, protracted litigation").

Academic treatises reflect this caselaw. See Wright & Miller and McLaughlin. However, the treatises either fail to assess the persuasiveness of the holding (Joseph M. McLaughlin, McLaughlin on Class Actions: Law and Practice § 5:63 (9th ed. 2012) (citing the district court cases and also citing In re Aqua Dots Prod. Liab. Litig., 654 F.3d 748 (7th Cir. 2011) as contrary)) or seem ambivalent (Wright & Miller, 7AA Federal Practice and Procedure § 1779 (compare "Although it occasionally is suggested that in some contexts it is better to have no litigation than to have a class action, any legally cognizable and legitimately presented grievance placed before a court is entitled to be adjudicated. The only possible exceptions are those suits that clearly will not benefit anyone except the lawyers, or actions that seem to have been brought for improper motives." with "The court need not confine itself to other available 'judicial' methods of handling the controversy in deciding the superiority of the class action" and referring to refund programs.)).

Although I appreciate the policy preference of my colleagues in these cases and much as I too favor parties being able to resolve their controversies without expensive litigation, I observe that Rule 23(b)(3) does not address superiority as a matter of abstract economic choice analysis, but asks if a class action is "superior to other available methods for fairly and efficiently adjudicating the controversy"—i.e., other possible adjudication methods such as individual lawsuits or a consolidated lawsuit. Indeed, all four enumerated factors in this portion of the Rule deal with adjudication. See also the language of the Advisory Committee note in the 1966 amendment that added this provision. Recently, the Seventh Circuit recognized this language in holding that a refund program cannot be considered a method of "adjudicating the controversy" under 23(b)(3). In re Aqua Dots Prods. Liability Litig., 654 F.3d at 752. I agree, and I conclude that Hannaford may or may not have a good program to satisfy aggrieved customers, but that the Hannaford program is not relevant to my superiority determination under the class certification decision.

I recognize that the projected lack of customer interest in this lawsuit could count in favor of individual lawsuits (i.e., only those who care) or joinder, but the cost of bringing an individual lawsuit even with joinder means that it simply will not happen.

The Third Circuit had also expressed its reservations about testing superiority against methods other than adjudication. Amalgamated Workers Union v. Hess Oil Virgin Islands Corp., 478 F.2d 540, 543 (3d Cir. 1973). The Seventh Circuit did hold that the existence of the refund program could be used to justify a conclusion that the named plaintiffs would not fairly and adequately represent the class, but as I explain in text under the heading of Adequacy, the language of the Rule does not support that conclusion.

Finally, Hannaford asserts that the class cannot be "ascertained by objective criteria prior to litigation." Hannaford's Opp'n to Pls.' Mot. for Class Certification at 34 (citing Crosby v. Social Sec. Admin., 796 F.2d 576 (1st Cir. 1986)). In Crosby, the First Circuit rejected a class defined as "all claimants who have not had a hearing or decision on their [Social Security] disability claim 'within a reasonable time.'" Crosby, 796 F.2d at 579-80. Because the Supreme Court had held that determination of whether a reasonable time violation occurred "can be made only on a case-by-case basis," the First Circuit concluded that members of such a class could not be identified prior to individualized fact-finding and litigation, and thus could not qualify as a class. Id. at 780. That is not this case. Here, Hannaford customers during the data intrusion can be identified and those who made out-of-pocket expenditures as a result of the intrusion also can be identified. Whether their expenditures were reasonable is a typical damages issue that does not prevent class action treatment. This class can be ascertained before individualized fact-finding and litigation.

This is also not a "fail safe class" like that proposed in Genenbacher v. CenturyTel Fiber Co. II, 244 F.R.D. 485 (C.D. Ill. 2007). In a "fail safe class" "the class definition precludes the possibility of an adverse judgment against class members; the class members either win or are not in the class." Id. at 488. In this case, Hannaford can win on liability (negligence or contract) and obtain a binding judgment against the class.

Using representative plaintiffs, a jury can determine what was a reasonable amount of money to spend to get a card replaced or for the purchase of some form of theft protection policy. Regardless of the circumstances of the individual customers, if the jury determines that it was reasonable to cancel and replace the exposed cards, then the jury can also determine what costs associated with the replacement of the card are reasonable mitigation expenses. Likewise, a jury can determine based on the representative plaintiffs whether the credit security products offered by the victim's card-issuing financial institution were a reasonable outlay in mitigation of threatened harm.

CONCLUSION

Accordingly, the plaintiffs satisfy the criteria for a Rule 23(b)(3) class in all respects but one, predominance. Because they fail to satisfy predominance, their motion for class certification is DENIED.

SO ORDERED.

________________

D. BROCK HORNBY

UNITED STATES DISTRICT JUDGE



Citing Cases

Savidge v. Pharm-Save, Inc.

In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 27 (D. Me. 2013). These…

Noll v. Flowers Foods, Inc.

The typicality prerequisite "ensure[s] that class representatives, in pursuing their own interests,…