S. Indep. Bank v. Fred's, Inc.

UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF ALABAMA NORTHERN DIVISION
Mar 13, 2019
CASE NO. 2:15-CV-799-WKW [WO] (M.D. Ala. Mar. 13, 2019)

Summary

In S. Indep. Bank, the court held that the plaintiffs "must prove through an extensive analysis... that there are no material variations among the law of the states for which certification is sought."

Summary of this case from In re Brinker Data Incident Litig.

Opinion

SOUTHERN INDEPENDENT BANK, Plaintiff, v. FRED'S, INC., Defendant.


MEMORANDUM OPINION AND ORDER

This putative class action is about a harm that is becoming all too common in modern technological society: a data-security breach. Defendant Fred's, Inc. ("Fred's" or "Defendant"), a retail chain selling general goods, found this out the hard way when hackers gained access to two servers carrying its customers' payment information, potentially resulting in thousands of cases of identity theft. Those customers are not the plaintiffs here, though. The plaintiffs are those customers' banks — the banks who issued the credit and debit cards the hackers pilfered ("issuing banks") — about 2,500 banks. Those banks, which Plaintiff Southern Independent Bank ("SIB" or "Plaintiff") seeks to represent as a nationwide class, claim damages in the form of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs that they say stemmed from Fred's negligent failure to maintain adequate cybersecurity.

But this is no straightforward negligence claim. Four things make this negligence claim more complicated than normal. First, Alabama's choice-of-law rules mandate that the laws of each potential plaintiff's home state govern the negligence claim. With about 2,500 potential plaintiffs, the parties agree that the laws of all fifty-one United States jurisdictions (the fifty states plus the District of Columbia) are in play. Second, Plaintiffs do not claim any kind of property or personal injury damages, only economic losses, i.e., lost money. This would lead some state courts to bar Plaintiffs' negligence claim entirely. Third, there is no direct contractual relationship between Plaintiffs and Defendant, although the parties are connected indirectly through the network of contracts that makes up the payment industry. This nuance would lead some state courts to evaluate Plaintiffs' negligence claim under a slightly different rubric. Fourth, proving damages for a nationwide class of banks is not easy. There are questions as to whether some of SIB's customers had their cards stolen elsewhere. There are questions as to whether SIB incurred unreasonable costs in response to the Fred's breach. These questions apply to most, if not all, other banks in the putative class. As explained more fully below, these four considerations counsel against class action treatment of this case.

Before the court are Plaintiff's motion for class certification (Doc. # 41) and two Daubert motions (Docs. # 44, 46) to exclude expert testimony regarding issues raised by the motion for class certification. Those Daubert motions are: (1) Defendant's motion to exclude Plaintiff's expert Ian Ratner's testimony on the issues of causation and reasonableness of damages (Doc. # 44); and (2) Plaintiff's motion to exclude Defendant's expert Tony Emrick's testimony on the issue of the reasonableness of Plaintiff's incurred costs in the wake of the data breach (Doc. # 46). Related to the class-certification motion are Defendant's motion for leave to file an instanter sur-reply brief opposing certification (Doc. # 50), and Plaintiff's objection to that motion (Doc. # 57). For the following reasons, both Daubert motions will be denied; the motion for class certification will be denied; and Defendant's motion for leave to file a sur-reply will be granted. The court has considered both Defendant's sur-reply and Plaintiff's response in its review of the class-certification motion.

I. JURISDICTION AND VENUE

Subject-matter jurisdiction is proper under the Class Action Fairness Act, 28 U.S.C. § 1332(d). The putative class consists of over 100 members, the amount in controversy is over $5,000,000, and there is minimal diversity between the parties. The parties do not contest personal jurisdiction or venue.

II. BACKGROUND

A. The Parties

Plaintiff Southern Independent Bank is a community bank located in south Alabama. SIB issues debit cards to its customers. Defendant Fred's is a retail chain selling discount general merchandise and is located primarily in the Southeast. Fred's accepts debit and credit cards, including cards issued by SIB, as payment at its stores. When a card is swiped, that card information is transmitted from the store to Fred's servers at its headquarters in Memphis, then routed to Fred's acquiring bank, Bank of America Merchant Services. (Doc. # 41-41, at 21.)

B. Overview of the Payment Card Industry

SIB and Fred's are part of "payment card networks," which Visa and MasterCard use to facilitate transactions between sellers and buyers. Financial institutions that make up these networks can be "issuing" or "acquiring" banks, or both. An issuing bank like SIB issues credit or debit cards to its customers with the Visa or MasterCard logo. The logo allows the holder to use the card at any merchant like Fred's where Visa or MasterCard is accepted. Acquiring banks are on the other side of the transaction. Acquiring banks get merchants into the payment networks. They contract with merchants so that the merchants may accept debit and credit cards as payment. Merchants do not have a direct relationship with Visa or MasterCard; they need an acquiring bank to sponsor them into the payment networks.

Both kinds of banks, issuing and acquiring, are bound by Visa and MasterCard's extensive rules by contract with the card brands. Among those rules is the payment card industry's data security standard ("PCI-DSS"). When a merchant like Fred's comes into the payment network through an acquiring bank, the contract between the merchant and the acquiring bank also binds the merchant to Visa and MasterCard's rules, including the PCI-DSS. (See Docs. # 45-1, 45-11, at 11-12.)

When a customer presents a card to make a purchase, the cashier swipes the card, and certain information is collected from the card and transmitted through the acquiring bank to the issuing bank. The issuing bank then approves or declines the transaction based on an automated series of rules, including whether the customer has enough money in his account or enough credit. If approved, the merchant is reimbursed for the charge by the acquiring bank. The acquiring bank receives a fee from the merchant for each transaction, called a "merchant discount." The issuing bank then reimburses the acquiring bank. In doing so, the issuing bank collects a portion of the merchant discount called an "interchange fee." Interchange fees are intended to compensate issuing banks for card processing costs and losses due to fraudulent charges. (See Doc. # 45-1, at 7, 9-10.)

Thus, payment card networks are built on a web of contractual arrangements, containing incentives and allocations of risk. Below is an illustration of how the parties to these networks are related, based on diagrams the United States District Court for the District of Colorado and the Seventh Circuit used in similar cases:

See SELCO Cmty. Credit Union v. Noodles & Co., 267 F. Supp. 3d 1288, 1293 (D. Colo. 2017); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808 (7th Cir. 2018).

Image materials not available for display.

The vertical lines with arrows starting from Visa and MasterCard and moving downward represent the series of contractual relationships that parallel the two sides of the payment card networks. The horizontal line at the bottom connecting cardholders and merchants represents the connection between the two sides when cardholders transact with merchants. Finally, the diagonal line represents the relationship this lawsuit is about: the one between a merchant (Fred's) and an issuing bank (SIB). The Seventh Circuit explained that the theory of recovery represented by the diagonal line would be a "new form of liability . . . in addition to the remedies already provided by the contracts governing the card payment systems." Cmty. Bank of Trenton, 887 F.3d at 808.

C. The Fred's Breach and Aftermath

On March 23, 2015, hackers, using malware installed on Fred's servers, gained access to those servers and began harvesting payment data from the cards that were used at Fred's. (Doc. # 45-11, at 49.) Their malware captured only the card number, not the cardholder's name, expiration date, or printed security code. (See Docs. # 45-11, at 49, 45-2, at 8-9.) Hackers had access to the servers until April 24, 2015 — a breach window of about a month. (Doc. # 45-11, at 49.) But Fred's did not find out about the breach until May 29, 2015. (See Doc. # 41-18.) Whether Fred's was in compliance with the PCI-DSS when the breach occurred is a disputed issue, but is not relevant for class-certification purposes.

Fred's hired cybersecurity firm Mandiant to do a forensic investigation of the data breach and issue a report, which was given to Visa and MasterCard. (Doc. # 41-19.) The report confirmed that the malware could access payment data on Fred's servers from March 23 to April 24, 2015. (See Doc. # 41-19.) Accordingly, Visa and MasterCard issued what are known as compromised account management system (CAMS) alerts to any issuing bank whose customers used their cards at Fred's during that timeframe. (Doc. # 45-1, 12-13.) CAMS alerts do not say whether fraudulent activity occurred on a card; they merely give notice that payment data has been exposed. (Doc. # 45-1, 12-13.) About 2,500 banks received CAMS alerts related to the Fred's breach. (See Doc. # 45-13.)

SIB was one of those banks. CAMS identified 402 SIB-issued payment cards that were exposed by the Fred's breach. (Doc. # 41-40, at 15.) Fifty of those cards suffered fraudulent charges. (Doc. # 41-40, at 15.) SIB responded by contacting all those cardholders by phone and asking whether they would like to receive a new card. (Doc. # 41-40, at 15.) SIB eventually reissued just over half of the cards. (Doc. # 45-5, at 4.) Whether these actions were reasonable, and thus whether SIB's claimed damages are appropriate, is hotly disputed, and is relevant both at the class-certification stage and at trial.

D. This Lawsuit

SIB filed this class-action complaint on October 30, 2015, asserting two theories of recovery against Fred's: (1) negligence for maintaining inadequate data security; and (2) negligent misrepresentation for saying that it had adequate data security when in fact it did not. (See Doc. # 1.) Fred's estimates, without dispute, that the putative class consists of approximately 2,500 issuing banks who issued about 1 million cards that were used at Fred's during the breach window. (Doc. # 45, at 23.) SIB summarizes damages for all these banks as consisting of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs. (Doc. # 41, at 34.)

Fred's moved to dismiss both counts under Alabama law only. (See Doc. # 14.) The case was reassigned from a senior district judge of this court to a visiting judge assisting this district during a judicial emergency. (Doc. # 23.) That judge granted Fred's motion to dismiss as to the negligent misrepresentation claim but denied it as to the negligence claim, reasoning that SIB had made out a claim for negligence against Fred's under Alabama law. (See Doc. # 24.) Fred's sought reconsideration of the motion with respect to the surviving negligence claim or, in the alternative, for the court to certify the question to the Alabama Supreme Court. (See Doc. # 28.) That motion was denied after being fully briefed, (Doc. # 37), and the case proceeded to discovery in anticipation of the motion for class certification. After the parties briefed the pending motions, including the class-certification motion, the case was reassigned to the original senior district judge, (Doc. # 59), and then to the undersigned on August 17, 2018, (Doc. # 60).

III. STANDARD OF REVIEW

A. Rule 702 and Daubert Standard

The admissibility of expert testimony is governed by Federal Rule of Evidence 702 and Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1999), and its progeny. Rule 702 provides:

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

(a) The expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

(b) The testimony is based on sufficient facts or data;

(c) The testimony is the product of reliable principles and methods; and

(d) The expert has reliably applied the principles and methods to the facts of the case.

Fed. R. Evid. 702.

In Daubert, the Supreme Court emphasized that Rule 702 assigns the trial court a gatekeeping role to "ensure that any and all scientific testimony or evidence admitted is not only relevant, but reliable." 509 U.S. at 589, 597; see also Kumho Tire Co. v. Carmichael, 526 U.S. 137, 141 (1999) ("[T]he Federal Rules of Evidence 'assign to the trial judge the task of ensuring that an expert's testimony rests both on a reliable foundation and is relevant to the task at hand.'" (quoting Daubert, 509 U.S. at 596)). This gatekeeping responsibility is the same when the trial court is considering the admissibility of testimony based upon "'technical' and 'other specialized knowledge.'" Kumho Tire, 526 U.S. at 141 (quoting Fed. R. Evid. 702).

In light of Daubert's "gatekeeping requirement," the Eleventh Circuit requires district courts to engage in a "rigorous three-part inquiry" for assessing the admissibility of expert testimony under Rule 702:

Trial courts must consider whether: "(1) [T]he expert is qualified to testify competently regarding the matters he intends to address; (2) the methodology by which the expert reaches his conclusions is sufficiently reliable as determined by the sort of inquiry mandated in Daubert; and (3) the testimony assists the trier of fact, through the application of scientific, technical, or specialized expertise, to understand the evidence or to determine a fact in issue."

United States v. Frazier, 387 F.3d 1244, 1260 (11th Cir. 2004) (quoting City of Tuscaloosa v. Harcros Chems., Inc., 158 F.3d 548, 562 (11th Cir. 1999)). These requirements are known as the "qualifications," "reliability," and "helpfulness" prongs. See id. "The burden of establishing qualification, reliability, and helpfulness rests on the proponent of the expert opinion," id., and the proponent must meet its burden by a preponderance of the evidence. Boca Raton Cmty. Hosp., Inc. v. Tenet Health Care Corp., 582 F.3d 1227, 1232 (11th Cir. 2009); see also Allison v. McGhan Med. Corp., 184 F.3d 1300, 1306 (11th Cir. 1999) ("The burden of laying the proper foundation for the admission of expert testimony is on the party offering the expert, and the admissibility must be shown by a preponderance of the evidence." (citing Daubert, 509 U.S. at 592, n.10)).

As to qualifications, "experts may be qualified in various ways," including by scientific training, education, and experience. Frazier, 387 F.3d at 1260. "Whether a proposed expert's experience is sufficient to qualify the expert to offer an opinion on a particular subject depends on the nature and extent of that experience." United States v. Cunningham, 679 F.3d 335, 379 (6th Cir. 2012). "If the witness is relying solely or primarily on experience, then the witness must explain how that experience leads to the conclusion reached, why that experience is a sufficient basis for the opinion, and how that experience is reliably applied to the facts." Fed. R. Evid. 702 advisory committee note (2000 amends.). Courts must also be mindful that "[e]xpertise in one field does not qualify a witness to testify about others." Lebron v. Sec'y of Fla. Dept. of Children & Families, 772 F.3d 1352, 1368 (11th Cir. 2014). But "so long as the expert is at least minimally qualified, gaps in his qualifications generally will not preclude admission of his testimony, as this relates more to witness credibility and thus the weight of the expert's testimony, than to its admissibility." Henderson v. Goodyear Dunlop Tires N. Am., Ltd., Nos. 3:11-CV-295-WKW, 3:12-CV-510-WKW, 2013 WL 5729377, at *6 (M.D. Ala. Oct. 22, 2013) (quoting Trilink Saw Chain, LLC v. Blount, Inc., 583 F. Supp. 2d 1293, 1304 (N.D. Ga. 2008)).

As to reliability, trial courts retain "considerable leeway in deciding in a particular case how to go about determining whether particular expert testimony is reliable." Kumho Tire, 526 U.S. at 152. The focus of reliability "must be solely on principles and methodology, not on the conclusions they generate." Daubert, 509 U.S. at 595. After all, "Daubert does not require certainty; it requires only reliability." Hendrix ex rel. G.P. v. Evenflo Co., 609 F.3d 1183, 1198 n.10 (11th Cir. 2010). But district courts may reject expert testimony that is based on sound methodology when "there is simply too great an analytical gap between the data and the opinion proffered." Gen. Elec. Co. v. Joiner, 522 U.S. 136, 146 (1997).

Finally, whether the expert testimony will assist the trier of fact in understanding the evidence or a fact in issue "goes primarily to relevance." Daubert, 509 U.S. at 591. "Expert testimony which does not relate to any issue in the case is not relevant and, ergo, non-helpful." Id. (citation and internal quotation marks omitted).

The court's gatekeeping role under Daubert "is not intended to supplant the adversary system or the role of the jury." Allison v. McGhan, 184 F.3d 1300, 1311 (11th Cir. 1999). "Once an expert opinion has satisfied Daubert, a court may not exclude the opinion simply because it believes that the opinion is not — in its view — particularly strong or persuasive. The weight to be given to admissible expert testimony is a matter for the jury." Seamon v. Remington Arms Co., LLC, 813 F.3d 983 (11th Cir. 2016). Where the basis of expert testimony satisfies Rule 702, "[v]igorous cross-examination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence." Daubert, 509 U.S. at 596.

B. Rule 23 Standard

"The class action is 'an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only.'" Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1432 (2013) (quoting Califano v. Yamasaki, 442 U.S. 682, 700-01 (1979)). To avail himself of this exception, a plaintiff seeking class certification bears the burden of proving that he has satisfied the four Rule 23(a) prerequisites — often shorthanded as numerosity, commonality, typicality, and adequacy — and that the class action will meet one of the three requirements of 23(b). Fed. R. Civ. P. 23(a), (b); see Brown v. Electrolux Home Prods., Inc., 817 F.3d 1225, 1233 (11th Cir. 2016) ("All else being equal, the presumption is against class certification because class actions are an exception to our constitutional tradition of individual litigation."). The burden is one of proof, not pleading, Brown, 817 F.3d at 1233, and requires the district court to undertake a "rigorous analysis" to determine the propriety of certification, Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 161 (1982). Although this rigorous analysis frequently "entail[s] some overlap with the merits of the plaintiff's underlying claim," Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 351 (2011), "the district court can consider the merits 'only' to the extent 'they are relevant to determining whether the Rule 23 prerequisites for class certification are satisfied,'" Brown, 817 F.3d at 1234 (quoting Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S. Ct. 1184, 1195 (2013)).

Plaintiff seeks certification of a damages class under Rule 23(b)(3). As a result, along with the Rule 23(a) prerequisites, it must also prove predominance and superiority — that is, "that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Fed. R. Civ. P. 23(b)(3). The court must determine any facts supporting Rule 23 findings by a preponderance of the evidence. Stein v. Monterey Fin. Servs., Inc., No. 2:13-CV-1336-AKK, 2017 WL 412874, at *4 (N.D. Ala. Jan. 31, 2017); In re Delta/AirTran Baggage Fee Antitrust Litig., 317 F.R.D. 675, 679 (N.D. Ga. 2016).

Neither the Supreme Court nor the Eleventh Circuit has set an explicit preponderance-of-the-evidence standard. Most of the circuits to have passed on the question have laid a preponderance burden on the class movant. Brown v. Nucor Corp., 785 F.3d 895, 931 (4th Cir. 2015); Messner v. Northshore Univ. Health Sys., 669 F.3d 802, 811 (7th Cir. 2012); Alaska Elec. Pension Fund v. Flowserve Corp., 572 F.3d 221, 228 (5th Cir. 2009); In re Hydrogen Peroxide Antitrust Litig., 552 F.3d 305, 307 (3d Cir. 2008); Teamsters Local 445 v. Bombardier, Inc., 546 F.3d 196, 202 (2d Cir. 2008). The minority view, championed by the Sixth Circuit, instead reads the "rigorous analysis" language in Falcon as setting an evidentiary standard unique to Rule 23. Gooch v. Life Investors Ins. Co. of Am., 672 F.3d 402, 418 n.8 (6th Cir. 2012).

The majority view has it right. Requiring a preponderance falls in line with the Supreme Court's apparent weighing of the evidence in Wal-Mart, 564 U.S. at 353-59. See Anthony F. Fata, Doomsday Delayed: How the Court's Party-Neutral Clarification of Class Certification Standards in Wal-Mart v. Dukes Actually Helps Plaintiffs, 62 DePaul L. Rev. 674, 681 (2013) (reading the Wal-Mart Court's analysis to implicitly apply a preponderance standard). Moreover, the preponderance standard offers well-worn, concrete guideposts to the trial court; a nebulous rigorous-analysis standard could lead to unpredictable decisions that vary from district to district. Accordingly, by performing a "rigorous analysis," Falcon, 457 U.S. at 161, the court determines whether Plaintiff has proved compliance with Rule 23 by a preponderance of the evidence.

III. DISCUSSION

"[W]hen an expert's report or testimony is critical to class certification," the court must resolve any Daubert objections before ruling on the motion for class certification. Sher v. Raytheon Co., 419 F. App'x 887, 890 (11th Cir. 2011) (quoting American Honda Motor Co. v. Allen, 600 F.3d 813, 815-16 (7th Cir. 2010)). The court finds that the challenged experts' testimony is critical to class certification. As discussed more fully below, Plaintiff must show that causation and damages are provable on a classwide basis. Ian Ratner's expert testimony purports to do just that by utilizing the CAMS alert system. And Defendant argues that Plaintiff acted unreasonably in responding to the Fred's breach, making Plaintiff an atypical and inadequate class representative and creating individualized damages questions that affect predominance. Tony Emrick's testimony puts meat on the bones of that argument by explaining how Plaintiff used more resources dealing with the Fred's breach than it should have. The court therefore finds it necessary to resolve the Daubert objections to Ratner and Emrick's testimony before turning to the motion for class certification.

A. The Daubert Motions

The parties filed cross Daubert motions to exclude the testimony of one of the other side's experts. For the reasons discussed below, each of those motions is denied, and the court has considered both experts' testimony in addressing the motion for class certification.

1. Ian Ratner's Testimony Is an Admissible Expert Opinion.

Defendant challenges the admissibility of Ratner's expert testimony as to the cause of the damages suffered by the financial institutions and the reasonableness of the steps taken by those institutions in response to the data breach on two grounds. First, it argues that Ratner is not qualified to opine on the impact of data breaches on financial institutions. Second, it argues that Ratner's methodology used to arrive at his opinions on those issues is unreliable. Each argument is discussed in turn.

a. Ratner Is Qualified under Daubert and Rule 702.

First, Defendant challenges Ian Ratner's qualifications to opine as an expert on the impact of data breaches on issuing banks. Defendant seeks to exclude Ian Ratner's testimony on this issue because, it argues, Ratner is a forensic accountant who has no experience working in the payment card industry. Thus, it contends, Ratner has no business testifying about "how issuing banks should act in response to a CAMS alert or how a CAMS alert can be used to prove causation of fraudulent damages." (Doc. # 44, at 4.)

In response, Plaintiff touts Ratner's experience in a case involving a data breach at Home Depot where he issued an "internal, confidential report of detailed findings leading up to mediation" regarding the steps taken by issuing banks in the event of a data breach and used similar methodologies as those used in this case. (Doc. # 48, at 2.) Plaintiff also points to Ratner's work on behalf of Goldman Sachs, where he "gained experience in credit card processing sales organizations in the payment processing industry." (Doc. # 48, at 2.) Defendant replies that: (1) with respect to the Home Depot litigation, Ratner was not deposed and did not actually prepare an expert report that was submitted to the court; and (2) his work for Goldman Sachs is irrelevant because it involved projects in which Goldman was doing due diligence prior to making a loan to an entity, not analyses of the impact of data breaches on issuing banks.

The court finds that Ratner is qualified under Daubert to testify about the impact of data breaches on issuing banks. In addition to his general experience investigating fraud with respect to payment cards, (Doc. # 45-9, at 5-6), Ratner was retained in an identical capacity in the Home Depot litigation as a damages expert on behalf of issuing banks in which he used similar methodologies — namely, interviewing financial institutions and analyzing their responses to data breaches — to determine what damages the banks suffered as a result of a data breach. (Doc. # 45-9, at 7.) And he testified that his work in that litigation was even more extensive than what he has done in the present lawsuit. (Doc. # 45-9, at 7.) That he did not testify or submit an expert report that was filed with the court in that case does not discount his experience in gathering and analyzing data related to the impact of data breaches on financial institutions. Moreover, Defendant has not explained why forensic accounting is so far removed from analyzing the financial impact data breaches have on banks that experience in the former is not relevant in the latter. And it is not apparent to the court why such experience would not be relevant here. Since Ratner meets Daubert's requirement of being "minimally qualified" to testify in this regard, any deficiencies in his qualifications go only to the weight of his testimony and may be attacked at trial. See Henderson, 2012 WL 5729377, at *6.

b. Ratner's Testimony Is Reliable under Daubert and Rule 702.

Defendant next seeks to exclude Ratner's testimony on the ground that the methodologies he utilizes in determining causation and reasonableness of damages are not reliable. Defendant's arguments as to causation and damages are discussed in turn.

i. Ratner's Testimony on Causation Is Reliable.

Ratner proposes to use the CAMS alert system to determine which cards experienced fraud as the result of the Fred's data breach. Specifically, he proposes to match the list of cards identified by the CAMS alert system as being exposed by the Fred's data breach with known fraudulent activity that occurred during the window of the breach. (Doc. # 41-40, at 15.) Matching compromised cards alerted by the CAMS system in the wake of the breach with known instances of fraud, he says, would allow a fact finder to determine, "with a high probability," that the Fred's breach was the source of the fraud. (Doc. # 41-40, at 15.)

The court finds Ratner's proposal reliable under Daubert. Ratner's proposal simply reflects the common-sense proposition that a payment card identified by the CAMS alert system in the wake of the Fred's breach is more likely than not to have been compromised by that breach. Defendant's objection is that analyzing the causal link between the CAMS alert system and later fraudulent transactions in the aggregate, rather than at the individual cardholder level, is unreliable because it ignores the many reasons, other than the Fred's data breach, that a particular card could experience fraud. (Doc. # 53, at 8.)

This objection misses the mark. It may very well be that the fraud incurred on some of the cards came from some other source. Plaintiff is not required to "eliminate entirely all possibility that [Defendant's] conduct was not a cause" of its damages. Restatement (Second) of Torts § 433B cmt. b on subsection (1). Rather, the question is whether it is reasonable to think that when a card identified as having been compromised by a data breach experiences fraudulent activity, there is a higher probability that the data breach caused the fraud. And the answer to that question is obviously yes. It is nothing more than common sense to say that when two unique events known to bear a causal relationship — a data breach and subsequent fraudulent transaction — occur in the same limited time frame, there is a higher probability that the former caused the latter. This will be true if one assesses the probability that any single card suffered fraud as a result of the breach or if one considers the overall "correlation and causation between exposed cards during the breach window" and the fraudulent transactions. (Doc. # 48, at 15 n.5.) That other causes for the fraud may exist does not render that principle unreliable, and therefore does not warrant exclusion.

Defendant asserts that articulating this common-sense principle renders Ratner's declaration a "lay opinion." (Doc. # 44, at 7.) Not so. To make this inference, one must have an understanding of the CAMS alert system, which requires specialized knowledge.

To be sure, a jury may find the probability that the breach caused the fraud is not high enough for Plaintiff to carry its burden in proving that Defendant's conduct caused its injury. See id. at § 433B cmt. a on subsection (1). But so long as Daubert's requirements have been met, it is for the jury, not the court, to decide whether Ratner's testimony on causation is convincing. The court therefore finds that Ratner's testimony regarding causation is reliable under Daubert. This conclusion should not be read to foreclose Defendant's argument, in the class certification analysis, that individualized questions persist as to causation so that Ratner's CAMS alert-based method cannot prove causation on a classwide basis. The court's conclusion in the Daubert analysis is one of reliability, not of proof.

ii. Ratner's Testimony on Damages Is Reliable.

Defendant also challenges Ratner's "indirect" testimony on the reasonableness of the financial institutions' responses to the breach. Defendant frames this challenge in two ways. First, it challenges Ratner's qualifications to opine on whether the financial institutions' responses to the data breach were reasonable. Second, it challenges the reliability of Ratner's use of surveys completed by financial institutions to assess the reasonableness of their responses to the breach. The objection to Ratner's qualifications on this point has been discussed above. The objection to the reliability of the survey results is also without merit.

Defendant argues that the survey results are unreliable because: (1) banks have a motive to maximize their alleged costs; and (2) banks of different sizes and sophistication levels respond to data breaches differently. As to the first point, some degree of self-interest in responding to a survey does not render the results unreliable. This alleged deficiency may be probed at trial. As to the second, the surveys simply average the cost for each issuing bank in responding to a data breach, giving a baseline of costs that banks incur. Defendant may very well be able to argue at trial that this survey evidence does not adequately show whether a particular bank's response was reasonable. But again, this goes to the weight of the evidence, not its admissibility under Daubert. In any event, Ratner's report makes clear that his model is preliminary and a more accurate damages assessment will require more research, including analyzing statistics on data breaches and interviewing bank representatives to obtain bank-specific information. (See Doc. 41-40, at 16-18.)

Because Ian Ratner is qualified under Daubert and the methodologies he employs to reach his conclusions are reliable, Defendant's motion to exclude his testimony will be denied.

2. Tony Emrick's Testimony is an Admissible Expert Opinion.

Plaintiff moves to exclude only two statements from Emrick's report: (1) his opinion that Plaintiff did not make effective use of the Fiserv call center; and (2) his statement that chargeback requests for each fraudulent transaction cost Plaintiff $12.75 each, resulting in additional damages. Plaintiff does not question Emrick's qualifications, merely the reliability of his opinion.

Fiserv processes debit card transactions for Plaintiff by performing several services, including card management, card production, card issuance, and fraud detection and management. (Emrick Rep. at ¶ 10.)

The court finds that Emrick's testimony meets the requirements of Daubert and Rule 702. As to the first of Emrick's statements Plaintiff challenges, Emrick testified that he based his opinion that Plaintiff did not use the Fiserv call center effectively on deposition transcripts of Plaintiff's employees and his own experience. Plaintiff states that Emrick was "flat wrong" regarding his interpretation of the deposition transcripts, and cites the declaration of another expert to contradict him. (Doc. # 46, at 8.) But the presentation of contradictory expert testimony is hardly a ground for exclusion. If it were, expert testimony would have to be excluded in every case in which there were dueling experts. Instead, as long as the expert's opinion is reliable, "vigorous cross-examination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence." Rosenfeld v. Oceania Cruises, Inc., 654 F.3d 1190, 1193 (11th Cir. 2011) (quotation omitted). Plaintiff does not question Emrick's experience in the payment card industry, and it was reasonable for him to rely on the deposition transcripts of Plaintiff's employees to form his opinion. Any deficiencies in Emrick's opinion may be probed at trial. The court therefore does not find Emrick's opinion that Plaintiff used the Fiserv call center ineffectively unreliable.

The court reaches the same conclusion with respect to the second statement: that chargeback requests for each fraudulent transaction cost Plaintiff $12.75 each and resulted in additional damages to Plaintiff. Plaintiff argues that Emrick's opinion regarding the chargebacks is unreliable because: (1) he did no study or analysis to determine the impact of the chargebacks; and (2) the chargeback requests were not actually included in Plaintiff's damage calculations. As to the first point, it is clear that Emrick used not only his knowledge of the industry, but reviewed documentation from Plaintiff and Fiserv that provided evidence of the fee Plaintiff was charged for the chargeback requests. As to the second point, Ian Ratner's report makes clear that his damages calculations are only preliminary and therefore subject to revision. The court sees no reason to exclude Emrick's testimony as to the cost of the chargeback requests while there remains the possibility that Plaintiff could seek to include them in its damages calculations at a later time. Moreover, Emrick's testimony is relevant on this point because Plaintiff does not deny that it seeks damages for the labor cost of submitting the chargebacks. Therefore, the court finds no basis under Daubert to exclude Emrick's testimony as to the chargeback requests.

For these reasons, the court finds Emrick's testimony reliable under Daubert, and will deny Plaintiff's motion to exclude his report.

B. The Class Certification Motion

Plaintiff moves for certification of a damages class defined as

Financial institutions — including, but not limited to, banks and credit unions — in the United States (including its Territories and the District of Columbia) that issued payment cards or perform, facilitate, or support card issuing services, whose customers made purchases with those cards from Fred's stores from March 23 to April 14 of 2015 (the "FI Class").

Plaintiff and its counsel also move to be appointed class representative and class counsel under Rule 23(g). Because this case is not appropriate for class treatment, these motions will be denied.

1. Rule 23(a) Prerequisites

Rule 23(a) specifies four conditions that must be satisfied before the court certifies a class. Those four conditions are usually shorthanded as numerosity, commonality, typicality, and adequacy. These conditions are "necessary but not sufficient" for a class action. Fed. R. Civ. P. 23 advisory committee's note to subdivision (a). Each is discussed in turn.

a. Numerosity

Rule 23(a)(1) requires the class to be "so numerous that joinder of all members is impracticable." The Eleventh Circuit has signaled that when the putative class consists of more than forty members, joinder is generally impracticable and the numerosity requirement satisfied. See Vega v. T-Mobile USA, Inc., 564 F.3d 1256, 1266-67 (11th Cir. 2009) (quoting with approval district court's statement that "less than twenty-one is inadequate" but "more than forty is adequate"); see 1 Newberg on Class Actions § 3:12 (5th ed.) (noting that "a class of 40 or more members raises a presumption of impracticability of joinder based on numbers alone"). Although numerosity is uncontested here, "the court must nonetheless independently find that the plaintiff has satisfied" each prong of the Rule 23 analysis. 3 Newberg on Class Actions § 7:19 (5th ed.); see Falcon, 457 U.S. at 160 ("[A]ctual, not presumed, conformance with Rule 23(a) remains . . . indispensable.").

Numerosity poses no hurdle to certification here. There is undisputed evidence that about 2,500 financial institutions issued cards that were identified as having been used at Fred's during the breach window. It goes without saying that joinder of all these banks in this litigation would be impractical. Thus, Rule 23(a)(1)'s numerosity requirement is met.

b. Commonality

Rule 23(a)(2)'s commonality prong mandates that "there are questions of law or fact common to the class." This element sets a much lower bar than Rule 23(b)(3)'s requirement that common questions of law or fact predominate over individualized questions. See Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 623-24 (1997) (stating that "the predominance criterion is far more demanding" than commonality). "Commonality requires the plaintiff to demonstrate that the class members 'have suffered the same injury.'" Dukes, 564 U.S. at 349 (quoting Falcon, 457 U.S. at 157). The claims must be based on a "common contention" that is "of such a nature that it is capable of classwide resolution—which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke." Dukes, 564 U.S. at 350. "[I]t is only necessary to find at least one issue common to all class members." Brown v. SCI Funeral Servs. of Fla., Inc., 212 F.R.D. 602, 604 (S.D. Fla. 2003).

Defendant does not contest commonality, and the court finds this requirement has been met. Common questions of fact include whether Defendant maintained inadequate security features in its payments-processing systems and whether the data breach could have been prevented if Defendant had used other security measures. These questions, resolution of which is central to the resolution of Plaintiff's negligence claim, carry Plaintiff past the low threshold of commonality.

Defendant does contest predominance, which is a different, more stringent requirement than commonality. That requirement is discussed in Section III.B.2.a.

c. Typicality

Rule 23(a)(3) mandates that the "claims or defenses of the representative parties are typical of the claims or defenses of the class." "Typicality measures whether a sufficient nexus exists between the claims of the named representatives and those of the class at large." Vega, 564 F.3d at 1275 (quoting Busby v. JRHBW Realty, Inc., 513 F.3d 1314, 1322 (11th Cir. 2008)) (alteration omitted). "Although typicality and commonality are closely related, typicality focuses less on the class in its entirety and more on the relationship between the class and the representative plaintiffs." Smith v. Triad of Ala., LLC, No. 1:14-CV-324-WKW, 2015 WL 5793318, at *8 (M.D. Ala. Mar. 17, 2017). "[T]raditionally, commonality refers to the group characteristics of the class as a whole, while typicality refers to the individual characteristics of the named plaintiff in relation to the class." Id. (citing Piazza v. Ebsco Indus., Inc., 273 F.3d 1341, 1346 (11th Cir. 2001)) (cleaned up). "A class representative must possess the same interest and suffer the same injury as the class members in order to be typical under Rule 23(a)(3)." Murray v. Auslander, 244 F.3d 807, 811 (11th Cir. 2001) (citing Prado-Steiman v. Bush, 221 F.3d 1266, 1279 (11th Cir. 2000)). "The typicality requirement may be satisfied despite substantial factual differences, however, when there is a strong similarity of legal theories." Id. Typicality is met "if the claims or defenses of the class and the class representative arise from the same event or pattern or practice and are based on the same legal theory." Kornberg v. Carnival Cruise Lines, Inc., 741 F.2d 1332, 1337 (11th Cir. 1984).

Defendant argues that Plaintiff is an atypical class representative because Defendant has unique causation and damages defenses to Plaintiff that threaten to become the focus of the litigation. As explained more fully in the predominance analysis, Defendant's causation arguments are ultimately damages arguments. And "[d]ifferences in the amount of damages between the class representative and other class members do[] not affect typicality." Kornberg, 741 F.2d at 1337. The similarities between the legal theories of Plaintiff and the putative class, however, are strong. The single negligence claim arises out of the same event, pattern, or practice: the Fred's breach and surrounding events, including Defendant's actions leading up to, during, and after the incursion itself. That the breach affected some class members more than others does not change matters. Plaintiff's claims are typical of those of the class.

Tony Emrick's report addresses these damages-related defenses by speaking to the reasonableness of Plaintiff's damages.

d. Adequacy

The final Rule 23(a) prerequisite — adequacy — seeks to ensure that "the representative parties will fairly and adequately protect the interests of the class." Fed. R. Civ. P. 23(a)(4). Courts have interpreted this requirement to include both adequacy of the representative parties and their counsel. Defendant does not quibble with the experience and abilities of Plaintiff's lawyers, and the court finds no reason to question them, either. As to adequacy of the parties themselves, Rule 23(a)(4) "encompasses two separate inquiries: (1) whether any substantial conflicts of interest exist between the representatives and the class; and (2) whether the representatives will adequately prosecute the action." Valley Drug Co. v. Geneva Pharm., Inc., 350 F.3d 1181, 1189 (11th Cir. 2003) (quoting In re HealthSouth Corp. Sec. Litig., 213 F.R.D. 447, 460-61 (N.D. Ala. 2003)).

Defendant argues that Plaintiff is an inadequate class representative for the same reasons it argues Plaintiff's claims are atypical. It is unnecessary to repeat the court's response to those arguments. The court finds that Plaintiff is an adequate class representative for two reasons. First, there are no apparent conflicts between Plaintiff's interests and those of the class. Plaintiff has the same economic interest — recovery for damages incurred by the Fred's breach — as the absent class members. Second, Plaintiff's interest in succeeding in this litigation and recovering the damages it seeks is strong. Thus, Plaintiff has established that it is an adequate class representative.

2. Rule 23(b)(3)'s Predominance and Superiority Requirements

Plaintiff seeks certification of a class under 23(b)(3), which requires the court to find that "the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Fed. R. Civ. P. 23(b)(3) (emphasis added). Rule 23(b)(3) therefore contains two requirements, shorthanded as predominance and superiority. The rule lists several factors for courts to use in making predominance and superiority findings:

(A) the class members' interests in individually controlling the prosecution or defense of separate actions;

(B) the extent and nature of any litigation concerning the controversy already begun by or against class members;

(C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; and

(D) the likely difficulties in managing a class action.

Fed. R. Civ. P. 23(b)(3). The predominance requirement, which is "far more demanding" than the commonality requirement, Windsor, 521 U.S. at 624, examines whether the class's interests are "sufficiently cohesive to warrant adjudication by representation," id. at 623. The superiority requirement "is meant to assist courts in identifying those cases in which the money damage class action lawsuit—a form of representative litigation—would be a better form of litigation than the available alternatives." 2 Newberg on Class Actions § 4:64 (5th ed.).

a. Predominance

Predominance contains an implicit two-step analysis. The court must first characterize the issues as common or individual and then weigh which of those predominate. See 2 Newberg on Class Actions § 4:50 (5th ed.). "It is not necessary that all questions of fact or law be common, but only that some questions are common and they predominate over individual questions." Klay v. Humana, Inc., 382 F.3d 1241, 1254 (11th Cir. 2004) (quoting In re Theragenics Corp. Secs. Litig., 205 F.R.D. 687, 697 (N.D. Ga. 2002)), abrogated on other grounds by Bridge v. Phoenix Bond & Indem. Co., 553 U.S. 639 (2008). The court must assess "the claims, defenses, relevant facts, and applicable substantive law," id. (quoting Castano v. Am. Tobacco Co., 84 F.3d 734, 744 (5th Cir. 1996)), and determine whether common issues of fact and law "ha[ve] a direct impact on every class member's effort to establish liability and on every class member's entitlement to injunctive and monetary relief," id. at 1255 (quoting Ingram v. Coca-Cola Co., 200 F.R.D. 685, 699 (N.D. Ga. 2001)).

This question is one of proof. "Common questions are ones where 'the same evidence will suffice for each member,' and individual questions are ones where the evidence will '[v]ary from member to member.'" Brown v. Electrolux Home Prods., 817 F.3d 1225, 1234 (11th Cir. 2016) (quoting Blades v. Monsanto Co., 400 F.3d 562, 566 (8th Cir. 2005)). The rule of thumb is that

if the addition of more plaintiffs to a class requires the presentation of significant amounts of new evidence, that strongly suggests that individual issues (made relevant only through the inclusion of these new class members) are important. If, on the other hand, the addition of more plaintiffs leaves the quantum of evidence introduced by the plaintiffs as a whole relatively undisturbed, then common issues are likely to predominate.
Vega v. T-Mobile USA, Inc., 564 F.3d 1256, 1270 (11th Cir. 2009) (quoting Klay, 382 F.3d at 1255 (cleaned up)).

Predominance is a particularly difficult hurdle where, as here, the claim is for negligence. While all fifty states recognize the tort of negligence and its elements of duty, breach, causation, and damages, each jurisdiction "sing[s] negligence with a different pitch." In the Matter of Rhone-Poulenc Rorer, Inc., 51 F.3d 1293, 1301 (7th Cir. 1995) (Posner, J.). And the court has a constitutional obligation to recognize, and not gloss over, variations in common-law tort rules across the fifty states. See Erie R.R. Co. v. Tompkins, 304 U.S. 64, 74-76 (1938).

No party disputes that the laws of all fifty-one jurisdictions are implicated by this class action through Alabama's choice-of-law rules. A federal court sitting in diversity must apply the choice-of-law rules of the state in which it sits. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941). Alabama follows the Restatement (First) of Conflict of Laws, which provides that the lex loci delicti, or law of the place of the wrong, governs tort claims. Ex parte U.S. Bank Nat. Ass'n, 148 So. 3d 1060, 1070 (Ala. 2014). In tort claims involving financial injury, the court applies the law of "the state in which the plaintiff suffered the economic impact." Glass v. Southern Wrecker Sales, 990 F. Supp. 1344, 1348 (M.D. Ala. 1998); cf. Restatement (First) of Conflict of Laws § 377 note 4 (Am. Law Inst. 1934) (stating that the place of the wrong in fraud causes is where the loss is sustained, not where the fraudulent representations were made). Thus, the home-state law of each putative class member applies to the negligence claim.

Of the elements Plaintiff must prove to prevail on its negligence claim, breach is the one issue that is clearly common to the entire class. Evidence of Fred's data-security measures, industry standards, and Fred's response to the data breach will help resolve the issue of breach as to all putative class members. That issue, however, is quickly swamped by the individualized issues required to adjudicate the other elements of Plaintiff's negligence claim.

i. Variations in State Law Involve Individualized Questions.

Plaintiff seeks compensation in negligence for solely economic damages. To be more specific, Plaintiff seeks to recover the costs it incurred in responding to the Fred's breach, such as actual fraud losses and reissuance costs. As it turns out, whether a negligence claim provides a remedy for such financial damages is a hotly debated question across United States jurisdictions. The parties have not cited, and the court has not found, another case in which the negligence laws of all fifty-one jurisdictions were implicated by the claims of a putative class of issuing banks.

Defendant argues that two material variations in state negligence law prevent the court from certifying a class. First, it says the variations on the "economic loss rule" are too great for the court to proceed to trial with a damages class consisting of plaintiffs from all fifty states. Second, Defendant argues that the states apply materially different standards for determining whether Defendant owes each putative class member a duty of care.

These two arguments ultimately pose a single question: Under the law of each jurisdiction, does Defendant owe Plaintiff a tort duty to avoid the unintentional infliction of economic loss? See Dan B. Dobbs et al., Dobbs' Law of Torts § 607 (2d ed.) ("Coherence and clarity may also be fostered by recognizing that the economic loss rules are no-duty rules, and sometimes stating them in that form leads to clearer application."). If there were one answer to that question, the issue of duty could easily be characterized as a common one. But the jurisdictions at issue do not sing the answer to that question in unison, and thus duty is best characterized as involving individualized questions.

"In a multi-state class action, variations in state law may swamp any common issues and defeat predominance." Klay, 382 F.3d at 1261 (quoting Castano v. Am. Tobacco Co., 84 F.3d 734, 741 (5th Cir. 1996)). "[C]lass certification is impossible where the fifty states truly establish a large number of different legal standards governing a particular claim." Id. But if "a claim is based on a principle of law that is uniform among the states," or if "the applicable state laws can be sorted into a small number of groups, each containing materially identical legal standards," then certification is possible. Id. at 1262. The burden of "showing uniformity or the existence of only a small number of applicable standards (that is, 'groupability') among the laws of the fifty states rests squarely" with Plaintiff. Id. Plaintiff must prove through an "extensive analysis," not merely a cursory look, that there are "no material variations among the law of the states for which certification is sought." Powers v. Gov't Emps. Ins. Co., 192 F.R.D. 313, 319 (S.D. Fla. 1998) (citing Walsh v. Ford Motor Co., 807 F.2d 1000, 1001 (D.C. Cir. 1986)); see Sacred Heart Health Sys., Inc. v. Humana Military Healthcare Servs., Inc., 601 F.3d 1159, 1180 (11th Cir. 2010) (stating that the party seeking certification must "provide an extensive analysis of state law variations to reveal whether these pose insuperable obstacles" (emphasis in original)).

Whether Defendant owes a tort duty to Plaintiff to avoid the unintentional infliction of economic loss is a matter of law determined by the court. See Restatement (Second) of Torts § 328B(b) & (f) (Am. Law Inst. 1965). In reviewing that legal question, the court finds significant variations in negligence law that require state-specific analysis.

The main variation boils down to the tort doctrine known as the "economic loss rule." This term does not apply a single rule, but several different doctrines working under the same alias. Whether the rule "serves as a formidable barrier to credit card data security breach cases" depends on "whether a state adopts the majority or minority position on the rule, as well as how it defines various exceptions thereto." Catherine M. Sharkey, Can Data Breach Claims Survive the Economic Loss Rule?, 66 DePaul L. Rev. 339, 342 (2017).

Here is the minority version of the economic loss rule, as formulated by the Restatement: "A minority of courts have stated an 'economic loss rule' to the effect that there is generally no liability in tort for causing pure economic loss to another." Restatement (Third) of Torts: Liability for Economic Harm § 1 cmt. b. (Am. Law Inst. Tentative Draft No. 1., April 4, 2012). This version has been dubbed the "stranger rule," because its scope includes parties who are not in privity of contract. See Dan B. Dobbs et al., Dobbs' Law of Torts § 608 (2d ed.). "The first lesson to emerge from data security breach cases is that the extent to which the stranger economic loss rule will bar recovery is highly dependent on the governing state law, which varies considerably across the United States." Sharkey, supra, at 349.

By economic loss, the Restatement "means a financial loss not arising from injury to the plaintiff's person or from physical harm to the plaintiff's property." Restatement (Third) § 1(c).

At least two states, Massachusetts and Pennsylvania, apply a stringent version of the stranger rule to bar tort recovery for pure economic loss in general. See Aldrich v. ADD Inc., 770 N.E.2d 447, 454 (Mass. 2002); Aikens v. Baltimore & Ohio R.R. Co., 501 A.2d 277, 278 (Pa. Super. Ct. 1985); Sharkey, supra, at 350-53. Two federal circuit courts have held, in virtually identical cases involving data-security breaches, that Massachusetts and Pennsylvania would bar a class of issuing banks' negligence claim against a retailer. See In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498-99 (1st Cir. 2009) (applying Massachusetts's stranger rule to bar issuing bank's negligence claim against retailer in data breach case); Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162, 177 (3d Cir. 2008) (applying Pennsylvania's stranger rule to bar issuing bank's negligence claim against retailer in data breach case).

Plaintiff argues that Wyman v. Ayer Properties, LLC, 11 N.E.3d 1074 (Mass. 2014), decided after In re TJX, changed Massachusetts's stranger rule to allow the claims here. Not so. The question in Wyman was simply "whether the economic loss rule applies to damage caused by negligent design and construction of the common areas of a condominium building, whether or not such negligence caused damage to the other property." Id. at 1080. In holding that the economic loss rule did not apply, the Wyman court emphasized the unique difficulty of obtaining relief in this context: "[T]he party exclusively responsible for bringing litigation on behalf of the unit owners for the negligent construction of the common areas (here, the trustees) has no contract with the builder under which it could recover . . . its economic losses." Id. at 1081. The court is unconvinced, without more authority, that the Supreme Judicial Court of Massachusetts intended to create an exception to its economic loss rule beyond those narrow circumstances, which are entirely distinct from the present case.

The state of Pennsylvania's economic loss rule is in doubt after the state's supreme court recently held in Dittman v. UPMC, a data-breach case, that an employer had a common-law duty to act with reasonable care in collecting and storing its employees' personal and financial information on its computer systems. 196 A.3d 1036, 1056 (Pa. 2018). The court held that because this was an independent duty based on the relationship between the parties (more on this below), the economic loss rule did not bar the employees' negligence claims. See id. at 1047, 1054. While Dittman provides evidence that Pennsylvania would allow Plaintiff's negligence claim, it is nonetheless noteworthy that an employment relationship in which the employer requires its employees to entrust the employer with sensitive personal and financial data as a condition of employment is different than the voluntary relationship between merchants and issuing banks. The court need not say definitively that Pennsylvania law does or does not recognize Plaintiff's negligence claim. But Dittman does show the enormity of the task in applying the tort duty rules of all fifty states.

The majority position is stated by the Restatement (Third). The Restatement disclaims the general, no-liability formulation of the stranger rule. It instead endorses the more limited principle that "duties of care with respect to economic loss are not general in character." Restatement (Third) § 1(a) cmt. b (emphasis added). So instead of "implying a needless presumption against a duty on facts not yet considered," the Restatement (Third) merely provides that "duties to avoid causing economic loss require justification on more particular grounds than duties to avoid causing physical harm." Id. (emphasis added).

Thus, § 1(a) states that "[a]n actor has no general duty to avoid the unintentional infliction of economic loss on another," but § 1(b) points to circumstances where courts do recognize a duty to avoid the unintentional infliction of economic loss. For example, a party may be liable for economic loss to another in cases of professional negligence and invited reliance. Restatement (Third) § 1 cmt. d. And the Restatement provides that a court, guided by several factors, may find a "residual" duty to avoid unintentional infliction of economic loss in circumstances not covered by the general rules. Restatement (Third) § 1 cmt. e. This is sometimes called the "special relationship" or "independent duty" exception to the stranger rule. See Sharkey, supra, at 354-55.

A "fairly significant number of states" apply this qualified version of the stranger rule. Id. Alaska and California are two of them. Alaska recognizes an independent-duty exception to the stranger rule. See Mattingly v. Sheldon Jackson Coll., 743 P.2d 356, 360 (Alaska 1987). But it does so "only if the breach of duty created a risk of personal injury or property damage." St. Denis v. Dep't of Hous. & Urban Dev., 900 F. Supp. 1194, 1203 (D. Alaska 1995). This rule was applied in In re Target Corp. to bar consumers' negligence claim against the retailer in the consumer track of the multidistrict litigation over the Target breach. See In re Target Corp. Data Sec. Breach Litig. ("Target I"), 66 F. Supp. 3d 1154, 1172 (D. Minn. 2014). Plaintiff cites no authority that would lead the court to a different conclusion with respect to Plaintiff's negligence claim.

California recognizes a special-relationship exception to the stranger rule, analyzing several factors to determine whether such a relationship exists between the parties. See J'Aire Corp. v. Gregory, 598 P.2d 60, 62-63 (Cal. 1979). But this special-relationship exception does not necessarily extend to these facts. In another data-breach case, a federal court held that, because the special-relationship exception did not apply, California's stranger rule barred consumers' negligence claim against a computer manufacturer over a network-security intrusion. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 969 (S.D. Cal. 2014). Likewise, the Target I court held that no special relationship existed between the consumers and the retailer and thus California's stranger rule barred the consumers' negligence claims. See Target I, 66 F. Supp. 3d at 1154. Again, Plaintiff cites no authority that would lead the court to a different conclusion with respect to its negligence claim. Although the court recognizes that the relationship between consumers and a retailer is not the same as the relationship between issuing banks and a retailer, Plaintiff has not shown why, in view of these authorities, the facts here are sufficient to give rise to an independent-duty or special-relationship exception under Alaska or California law.

What the Restatement (Third) refers to as "the economic loss rule" is different because it only applies to parties in privity of contract. It says that "there is no liability in tort for economic loss caused by negligence in the performance or negotiation of a contract between the parties." Restatement (Third) § 3 (emphasis added). The rationale for this rule is that it is better to defer to the parties' allocation of risks in the "extensive and finely tuned apparatus" of their agreement instead of applying the blunt instrument of tort law. See Restatement (Third) § 3 cmt. b. This version of the rule serves as a form of "border control" that keeps tort and contract in their separate lanes. Sharkey, supra, at 345 (citing William Powers, Jr., Border Wars, 72 Tex. L. Rev. 1209, 1229 (1994)).

In applying this version of the economic loss rule to data breach cases, state courts are not required to tread in no-man's land, but instead to resolve a boundary dispute.

As the rule implies, it is "limited to parties who have contracts." Restatement (Third) § 3 cmt. a. Thus, Dobbs calls this version the "contracting parties" rule. See Dan B. Dobbs et al., Dobbs' Law of Torts § 608 (2d ed.). Plaintiff prefers this formulation of the economic loss rule, because all agree that there is no direct contractual privity between the putative class members and Defendant. Thus, Plaintiff says, what it dubs as the economic loss rule (which is really the contracting parties rule) does not bar its negligence claim.

But the story is not that simple. As discussed, two federal circuit courts have already held that Plaintiff's claims are barred by the stranger rule in Pennsylvania and Massachusetts. But some states would say that because Plaintiff and Defendant are integrated in the payment industry's network of contracts, the contracting parties rule applies here, too. "When parties enter into a chain of contracts," the Iowa Supreme Court explained, "even if the two parties at issue have not actually entered into an agreement with each other, courts have applied the 'contractual economic loss rule' to bar tort claims for economic loss, on the theory that tort law should not supplant a consensual network of contracts." Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499, 504 (Iowa 2011) (citations omitted); see BRW, Inc. v. Dufficy & Sons, Inc., 99 P.3d 66, 72 (Colo. 2004) ("Contractual duties arise just as surely from networks of interrelated contracts as from two-party agreements."). Thus, Iowa and Colorado courts have indicated that the contracting parties rule is broad enough to cover parties related by a web of contracts but not in direct privity. For this reason, a district court applied Colorado's contracting parties rule to dismiss issuing banks' negligence claim against a restaurant in a data-breach case. See SELCO Cmty. Credit Union v. Noodles & Co., 267 F. Supp. 3d 1288, 1297 (D. Colo. 2017) ("It makes no difference that Noodles & Company's contractual duties arise from a web of interrelated agreements coordinated by Visa and MasterCard rather than bilateral contracts between the merchants and plaintiffs.").

The Target I court applied Iowa law to bar consumers' negligence claim against a retailer in a data-breach case, although on the ground that, under Iowa law, there was no independent-duty exception to the stranger rule. See Target I, 66 F. Supp. 3d at 1174.

Likewise, the Seventh Circuit recently held that Illinois and Missouri courts would analyze negligence claims by an issuing bank against a retailer under the contracting parties paradigm. See Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 814 (7th Cir. 2018). The court emphasized that "[a]ll parties in the card networks (including card-holding customers) expect everyone to comply with industry-standard data security policies as a matter of contractual obligation." Id. at 817 (emphasis in original). But see Lone Star Nat'l Bank, N.A., v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013) (holding, at the motion to dismiss stage, that there was not enough evidence in the record to conclude that the parties to the contracts between issuing and acquiring banks had a remedy or could have allocated risks differently under their agreement). And it concluded that the issuing banks' negligence claim would be barred in both states: in Illinois by common law, id. at 816-17 (citing Cooney v. Chicago Pub. Schs., 943 N.E.2d 23 (2010)); see also In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 530 (N.D. Ill. 2011) (holding that Illinois's economic loss rule barred customers' negligence claim against retailer in data-breach case), and in Missouri by statute, Cmty. Bank of Trenton, 887 F.3d at 817-18 (citing Mo. Ann. Stat. § 407.1500 (2017)).

Plaintiff has not carried its burden to show, by an extensive analysis, that these variations "do not pose insuperable obstacles" to certification. Sacred Heart, 601 F.3d at 1180. Plaintiff's state-law analysis, contained in its trial plan, is merely a checklist of the elements of negligence showing that each jurisdiction recognizes the tort and its elements of duty, breach, causation, and damages. Nor does Plaintiff's fifty-state survey of the economic loss doctrine, contained in its reply brief, do much to redeem its arguments. That survey only gives one version of each state's economic loss rule — in most instances the contracting parties rule. But, as explained, the contracting parties paradigm is only part of the picture. Plaintiff is obligated to show that the stranger rule (in either its robust or qualified form) does not also bar its negligence claim, as it does in Pennsylvania, Massachusetts, Alaska, and California.

Moreover, Plaintiff's brief sketch of the duty of care analysis across the jurisdictions is of limited use. True enough, all jurisdictions name "foreseeability" and "public policy" as factors to use in deciding whether to impose a duty of care. But California courts do not view public policy the same way as Alabama courts, and what courts see as foreseeable in New York may not be the same as what courts see as foreseeable in Kansas. And this court is Erie-bound to accept the views of state courts as the final word.

It is true, of course, that there is no practical difference between states that would bar the negligence claim because there is no "common-law duty to safeguard information," see Cooney, 943 N.E.2d at 27 (Illinois), states that would bar the claim through application of a statute, see Cmty. Bank of Trenton, 887 F.3d at 817-18 (Missouri), states that would bar the claim through the contracting parties rule, see Annett Holdings, 801 N.W.2d at 504 (Iowa), or states that would bar the claim through the stranger rule, see Aldrich, 770 N.E.2d at 454 (Massachusetts). The result is the same, no matter how each state reaches it: the claim is barred. But were the court to take Plaintiff's cursory analysis at face value, these jurisdictions would all allow the negligence claim. Rule 23 requires Plaintiff to do more.

An extensive analysis would include an assessment of the precise question at stake: Whether, in view of the web of contracts connecting the parties, the law of each relevant jurisdiction would bar Plaintiff's negligence claim for pure economic loss. This is no small amount of work. But that is what is required for Plaintiff to meet its burden in certifying a nationwide damages class. Moreover, an extensive analysis, from the samples discussed above, is unlikely to yield a uniform result that would avoid predominance problems. Without an extensive analysis of the law of each jurisdiction discussing the viability of Plaintiff's negligence claim and pointing to a uniform application of the economic loss rule, the court cannot certify such a class.

An extensive analysis of state negligence law would, at a minimum, also require Plaintiff to acknowledge authorities stating that its claim is barred in several states. That is because of the unique procedural context of this class certification motion. Courts considering similar multi-state negligence claims have done so upon the defendant's motion to dismiss. See In re TJX Cos., 564 F.3d at 500 ("After determining which claims survived, the district court then applied the customary tests to decide whether class action status could be sustained for the case . . . and provisionally concluded that certification was not justified."); Target I, 66 F. Supp. 3d at 1172-76 (deciding whether each jurisdiction barred consumers' negligence claim on a motion to dismiss); In re Sony Gaming, 996 F. Supp. 2d at 966-73 (same). But Defendant moved to dismiss Plaintiff's negligence claim only under Alabama law, not the law of any other jurisdiction. (See Doc. # 14-1.)

It is unclear whether Defendant made a strategic decision to wait until the class certification stage to bring up the fact that some states would bar Plaintiff's negligence claim. But it is clear that the court may not certify a class without resolving dispositive issues of state law, see Brown, 817 F.3d at 1237, that Plaintiff bears the burden of proving an exception to the usual rule that litigation should be conducted on an individual basis, see Comcast, 442 U.S. at 700-01, and that Plaintiff's burden includes showing that there are no material variations in state negligence law, see Sacred Heart, 601 F.3d at 1180. Moreover, Defendant may raise the defense of failure to state a claim as late as trial. See Fed. R. Civ. P. 12(h)(2). That Defendant chose the class certification stage to point out differences in dispositive issues of state law cautions against ignoring these differences and certifying a nationwide class. It remains Plaintiff's burden to prove that it has a viable negligence claim in each jurisdiction.

To borrow Judge Posner's metaphor again, some jurisdictions sing the tune of tort liability for economic loss in C-sharp minor, while others sing it in E-flat major. Still others carry the tune not in any key at all, but in a Phrygian mode. Such a chorus might work for an avant-garde opera from the mid-twentieth century, but Rule 23 requires something closer to Beethoven's Ninth. There are too many differences in state law to certify this case as a class action.

ii. Damages Involve Individualized Questions.

Defendant argues that causation and damages involve individualized questions. Plaintiff responds that questions of causation effectively go to damages, not liability, and there is "well nigh universal" agreement that individualized damages questions do not defeat certification. Comcast, 569 U.S. at 42 (Ginsburg, J., dissenting). Thus, Plaintiff says, that there may be individualized damages questions here should not prevent certification.

At the outset, the court agrees with Plaintiff that Defendant's causation arguments are really damages arguments. Defendant does not seriously contend that the Fred's breach did not cause the putative class any damages; the big question is how much damages a jury can attribute to the breach. See Smith, 2017 WL 1044692, at *14 ("The sort of proof necessary for causation is the sort of proof necessary for damages . . . .").

But the court does not agree that recharacterizing causation issues as damages issues puts Plaintiff on a quick path to certification. There is "no support in the text of Rule 23 or interpretive case law," the Eleventh Circuit has said, for the court to make a "rigid distinction between liability and damages." Sacred Heart, 601 F.3d at 1178. That is, the court may not brush aside individualized damages questions in deciding predominance simply because they do not go to liability. See id. at 1179. Instead, the Eleventh Circuit has said that individualized damages questions will defeat predominance when computing damages "will be so complex, fact-specific, and difficult that the burden on the court system would be simply intolerable," Brown, 817 F.3d at 1240 (quotation omitted), or "when they are accompanied by significant individualized questions going to liability," id. (quotation omitted). And if neither of those conditions hold, individualized damages questions are "still relevant to whether predominance is satisfied." Id. at 1239 (emphasis added).

Damages — and, implicitly, Defendant's damages-related defenses of contributory negligence and failure to mitigate — involve individualized questions. The response of each issuing bank to the Fred's breach, the amount of fraud incurred on each card, and lost revenue necessarily requires an inquiry into the circumstances of each card reissuance and reimbursement. And Plaintiff will have to prove that the amount of damages each issuing bank incurred came from the Fred's breach, not some other event. This is especially true for actual fraud losses. While Ian Ratner's CAMS alert-based model provides a rough estimate of damages, that estimate will quickly become swamped by individualized questions as Defendant presents evidence, as it already has, to support alternate theories of fraud.

Defendant adds that its liability defenses of assumption of risk and waiver require individualized assessment. It does not elaborate beyond saying that those defenses are "based on issuing banks' voluntary decisions to enter the payment card network, and to continue issuing payment cards despite the known risk of fraud." (Doc. # 45, at 64.) With little explanation of the elements of those defenses or what individualized proof will be necessary to decide them, the court will not consider these defenses as a serious barrier to certification.

Tony Emrick's testimony speaks to Defendant's failure to mitigate defense. The court, of course, has not assessed the merits of this defense; it has only considered Emrick's testimony to the extent that it raises individualized damages issues Plaintiff must overcome at trial.

More on this below.

A simple illustration makes the point. Most people who regularly use payment cards have, at some point, had a fraudulent transaction show up on their account statement. And just about everyone who has experienced fraud has asked himself where his payment information might have gotten pilfered. One might retrace his steps for the past week and check his account history to jog his memory about where he used his card. Several possibilities might occur to him. He might consider the gas station where he filled up and where cards are known to be skimmed. He might consider the restaurants he visited where the server took his card at the table. He might consider the purchases he made online. The point is this: When credit-card fraud occurs, it is rarely clear, in the immediate aftermath, how the card was compromised. More investigation is almost always needed. Thus, whether the full amount of the issuing banks' purported damages was caused by the Fred's breach is a question requiring individual resolution.

As discussed in the Daubert analysis, the temporal proximity between a CAMS alert and a fraudulent transaction makes it more likely the payment data was compromised by the event causing the CAMS alert (i.e., the Fred's breach). But the CAMS alert system has its limits. CAMS alerts merely identify the card numbers that were processed during the time frame of the breach; they do not indicate whether they were actually captured by the malware, which only scanned for cards every twenty seconds and thus did not capture all cards used at Fred's at the time. Moreover, of the 720,299 Visa-affiliated accounts the CAMS system alerted in the wake of the Fred's breach, 74,386 were alerted for other known data breaches in the period before and after the Fred's breach. (See Doc. # 45-14, at 5.)

It is no surprise, then, that even at this early stage, there is evidence that some fraud incurred on cards identified by the CAMS alert system was caused by something other than the Fred's breach. Indeed, Defendant has presented evidence that fraudulent charges made on the internet could not have been caused by the Fred's breach because the malware did not acquire the printed security code on the back of each card — information typically required to make web purchases. (See Doc. # 41-11, at 8, 18.) There is more. One individual who submitted a charge dispute to Plaintiff said she thought her card was skimmed at a gas station. (Doc. # 45-4 at 20-21.) Another disputed a charge that occurred months after she asked Plaintiff to cancel her card because it had been stolen. (Doc. # 45-3 at 68.) And these are the stories of customers of just one independent bank in south Alabama. A nationwide class of issuing banks would make things that much more complicated.

This is therefore not one of those cases "where damages can be computed according to some formula, statistical analysis, or other easy or essentially mechanical methods." Klay, 382 F.3d at 1259-60 (footnotes omitted). The CAMS alert-based model will not suffice to prove the full extent of damages for every class member, and so individualized damages questions persist. And Plaintiff does not question that fact. Plaintiff simply points out that the court could certify the class anyway, and, if need be, deal with damages later. That is what the court did in the financial institution track of the multidistrict litigation over Target's data breach in certifying a class of issuing banks. See In re Target Corp. Consumer Data Sec. Breach Litig. ("Target II"), 309 F.R.D. 482, 489-90 (D. Minn. 2015). This court made a similar move in Smith v. Triad of Alabama, LLC, another data-breach class action, allowing the class to be certified despite individualized damages issues. See 2017 WL 1044692, at *14.

This case is different for two reasons. First, the damages questions are much more complex than those in Smith, which consisted of a class of (potentially) several hundred individuals. Smith, 2017 WL 1044692, at *7. Determining the financial losses of each individual and the causal link between those losses and the alleged identity theft pales in comparison with doing a similar analysis for (potentially) 2,500 financial institutions and, by necessity, their affected customers, numbering in the thousands.

Second, in addition to individualized damages questions, the key legal issue remains whether Defendant owed Plaintiff a duty to avoid the negligent infliction of economic loss in every applicable jurisdiction. This requires state-by-state analysis. Not so in Target II or Smith, where only one state's law applied. In Smith, the court found that the case revolved around two discrete questions: (1) whether, under Alabama law, the defendant owed a duty to the plaintiffs; and (2) whether it breached that duty. Smith, 2017 WL 1044692, at *13, 15. Because those key questions could be decided on a classwide basis, individualized damages questions did not defeat predominance. Id. In this case, the jury's answer as to breach will suffice for the whole class. But before reaching a jury, the court must answer the antecedent question of whether Defendant even owed a duty to Plaintiff, and it must answer that question fifty-one times — once for each jurisdiction. And Plaintiff's cursory analysis does little to help the court do that. Because individualized questions of law persist with respect to the key issue of duty, this is one of those cases where individualized damages questions work against predominance.

iii. Common Questions of Law and Fact Do Not Predominate.

Weighing the common and individualized questions together, the scale tips against certification. Persisting individualized questions involving duty, coupled with the individualized damages questions, outweigh the common questions presented by this action. Common questions of law or fact therefore do not predominate, and class certification would thus be improper under Rule 23(b)(3).

b. Superiority

Since common questions do not predominate, it follows a fortiori that a class action is not "superior to other available methods for the fair and efficient adjudication of the controversy." Fed. R. Civ. P. 23(b)(3); see Powers, 192 F.R.D. at 319 ("The various state laws that are implicated by certification of a class comprised of insureds from fifteen states militate against a finding that a class action is the superior method for adjudication of this controversy."). Plaintiff's negligence claim is not appropriate for class-action treatment.

Because Plaintiff has not carried its burden to prove that Rule 23(b)(3)'s requirements have been met, the court may not certify this action for class adjudication.

IV. CONCLUSION

Although Rule 23 is not a numbers game, it is nonetheless appropriate for the court to quantify exactly what treating this case as a class action would involve: 2,500 banks, 1 million cards, and 51 different sets of laws. The difficulties in managing such a class would be highly impractical, if not impossible. What is missing is a "sound normative justification" for adjudicating this claim on a classwide basis. Sharkey, supra, at 344. The case will proceed as an individual action.

***

It is ORDERED as follows:

(1) Plaintiff's motion for class certification (Doc. # 41) is DENIED.

(2) Defendant's motion to exclude Plaintiff's expert Ian Ratner's testimony (Doc. # 44) is DENIED.

(3) Plaintiff's motion to exclude Defendant's expert Tony Emrick's testimony (Doc. # 46) is DENIED.

(4) Defendant's motion for leave to file instanter sur-reply brief (Doc. # 50) is GRANTED.

(5) A telephonic status conference will be held on April 4, 2019, at 10:00 a.m. CDT, at which time the parties should be prepared to discuss the next steps in the litigation, including scheduling, possibility of settlement, and unsealing the class action filings. Defendant is DIRECTED to set up the call. An amended scheduling order will be entered following this status conference.

DONE this 13th day of March, 2019.

/s/ W. Keith Watkins

UNITED STATES DISTRICT JUDGE

