Opinion
Civil Action 3:17-CV-186-CHB
03-29-2024
ANDREA K. SAVIDGE, et al., Plaintiffs, v. PHARM-SAVE, INC., d/b/a NEIL MEDICAL GROUP, et al. Defendant.
MEMORANDUM OPINION AND ORDER
CLARIA HORN BOOM, UNITED STATES DISTRICT COURT JUDGE EASTERN AND WESTERN DISTRICTS OF KENTUCKY
This matter is before the Court on several motions. First, Defendant Pharm-Save, Inc. (“Pharm-Save”) filed a Renewed Motion for Partial Summary Judgment. [R. 167]. Plaintiffs Andrea K. Savidge and Beth A. Lynch filed a response to that motion, [R. 171], and Pharm-Save replied. [R. 176]. Next, Plaintiffs filed a Renewed Motion for Class Certification and Request for Oral Argument (“Renewed Motion for Class Certification”). [R. 169]. Pharm-Save responded to that motion, [R. 178], and Plaintiffs have replied. [R. 186]. Both parties also filed motions seeking leave to exceed Local Rule 7.1's page limitations, [R. 170], [R. 177], and no responses were filed. Lastly, Plaintiffs filed a separate motion reiterating their request for oral argument on their Renewed Motion for Class Certification, [R. 188], to which no response was filed. These five motions are now ripe for review. For the reason set forth herein, the Court will deny Pharm-Save's Renewed Motion for Partial Summary Judgment, [R. 167]; grant Plaintiffs' Renewed Motion for Class Certification, [R. 169]; deny Plaintiffs' request for oral argument, [R. 169], [R. 188]; and grant the parties' motions seeking leave to exceed the page limit, [R. 170], [R. 177].
I. BACKGROUND
The Court reviewed the factual and procedural background of this case in its March 31, 2023 Memorandum Opinion and Order. [R. 166, pp. 2-3]. The Court repeats much of that background herein.
Plaintiffs Andrea Savidge and Beth Lynch, both Kentucky residents at all relevant times, were employees of Pharm-Save, a corporation organized under the laws of North Carolina with its principal place of business in the state of North Carolina, from 2013 to 2015 and from 2013 to 2014, respectively. [R. 1-1, ¶¶ 3, 7-8 (Original Complaint)]. On March 3, 2016, after their employment had ended, Plaintiffs' “sensitive and personal information contained in their Form W-2 Wage and Tax Statement(s) was compromised via a data security breach.” Id. ¶ 11. This data breach occurred when Pharm-Save fell victim to a phishing scheme perpetrated by cybercriminals. Id. ¶ 22. According to the Second Amended Complaint, one or more Pharm-Save employees released Plaintiffs' personally identifiable information (“PII”) to cybercriminals posing as company executives. Id.
In Plaintiffs' Second Amended Complaint, the operative pleading, Plaintiffs “repeat[] and re-allege[]” the legal and factual assertions contained in their First Amended Complaint. [R. 104, ¶ 1]. The First Amended Complaint, in turn, “repeat[s] and re-allege[s]” the legal and factual assertions in the Original Complaint. [R. 27, 1].
Pharm-Save promptly notified affected employees, including Lynch and Savidge, by letter. Id. ¶ 23; see also id. at 21-23 (Letter to Lynch), 24-26 (Letter to Savidge). In the letters, dated March 24, 2016, Pharm-Save explained the security breach and told employees, “[i]t is possible that the criminal(s) may have filed or may try to file fraudulent tax refunds in the names of our employees.” Id. at 21, 24. Pharm-Save also offered employees “a complimentary two-year membership of Experian's ProtectMyID Alert,” which it explained “helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.” Id. The letters contained instructions on how to activate the ProtectMyID service. Id.
The Court refers to the page number assigned by the Court's electronic docketing system.
In a letter dated March 29, 2016, the Internal Revenue Service (“IRS”) notified Savidge that it had received a federal income tax return for the 2015 tax year with her name and Social Security number. Id. at 28-29 (IRS Letter). The IRS stated that, “[t]o protect you from identity theft, we need to verify your identity before we process your return.” Id. at 28. The IRS also wrote, “[w]e won't process this . . . tax return until we hear from you.” Id. Indeed, the tax return was fraudulent. Id. at ¶ 24.
Other employees, including Houghton, also had fraudulent tax returns filed in their names shortly after the breach, as evidenced by the deposition testimony of record. See [R. 179-3, pp. 98:18-23, 99:1-9, 115:1-14, 116:22-23, 117:1-16 (Houghton Depo.)]; [R. 179-16, pp. 114-115, 122-123, 138:10-14, 143:21-23, 144:1-2, 173:1-10 (Chad Benfield Depo.)]. When citing to these or other depositions, the Court refers to the page number of the deposition page, rather than the page number assigned by the Court's electronic docketing system.
In 2017, Plaintiffs sued Pharm-Save and Neil Medical Group, Inc. in Kentucky state court, alleging several causes of action related to the theft of their PII. [R. 1, p. 2]; see also [R. 11, pp. 2-19 (Original Complaint)]. Among other things, the plaintiffs alleged that they suffered damages, including “expense associated with mitigating the risk of identify theft and lost time attendant to those mitigation efforts.” [R. 1-1, ¶ 33].
Pharm-Save timely removed the action to this Court, [R. 1], and simultaneously filed a motion to dismiss. [R. 5]. On December 1, 2017, the previously assigned district judge granted the motion in part, finding, among other things, that Plaintiffs' allegations about heightened risks and the possibility of future harm (i.e., that cybercriminals may misuse their PII in the future), without more, were insufficient to plead a cognizable injury. [R. 26, p. 7]. However, the Court found that the plaintiffs' allegations that they suffered out-of-pocket expenses to monitor and manage the data breach were sufficient to allege a cognizable injury to support their negligence claim. Id. at 11-12. This ruling left only two live claims: negligence and breach of implied contract. See generally id. at 27. The Court also granted Plaintiffs' motion for leave to file an amended complaint. Id. at 28.
The Court also denied the motion to dismiss without prejudice to the extent Neil Medical Group Inc. sought dismissal for lack of personal jurisdiction, and it allowed the parties to conduct limited discovery on that issue. [R. 26, p. 27].
Plaintiffs filed an amended complaint reasserting their claims for negligence and breach of implied contract and advancing four new legal theories centered on Pharm-Save's alleged mishandling of Plaintiffs' PII: trade secret misappropriation, conversion, trespass to chattels, and bailment. See [R. 27 (First Amended Complaint)]. Pharm-Save then moved to dismiss the four new counts in the First Amended Complaint pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure [R. 30], which the Court granted. See [R. 72]. After this ruling, only two claims remained: negligence and breach of implied contract.
The Motion to Dismiss, [R. 30], was jointly filed by Pharm-Save and Neil Medical Group. However, following limited discovery, Neil Medical Group renewed its motion to dismiss for lack of personal jurisdiction. [R. 51]. The Court granted that motion, [R. 69], leaving Pharm-Save as the only defendant in this matter.
With leave from the assigned magistrate judge, [R. 103], Plaintiffs filed their Second Amended Complaint on July 1, 2021, raising two new causes of action: violations of the North Carolina Unfair and Deceptive Trade Practices Act (“NCUDTPA”) and intrusion upon seclusion. [R. 104 (Second Amended Complaint)]. Thus, at that time, Plaintiffs raised four claims: negligence, breach of implied contract, NCUDTPA violations, and intrusion upon seclusion. As for the requested damages, Plaintiffs appeared to reallege their allegations regarding lost time and mitigation efforts. See id. ¶ 1 (repeating and realleging the allegations in their earlier complaints)]; [R. 1-1, ¶ 33]. Plaintiffs also alleged that they suffered “significant mental anguish due to the increased risk of identity theft that they have been exposed to by” Pharm-Save's actions. [R. 104, ¶ 3].
Pharm-Save then filed a Motion for Summary Judgment, [R. 110], seeking summary judgment on all claims involving a speculative increased risk of future harm. On November 8, 2021, the Court denied that motion. [R. 122] The Court explained that, under the law-of-the-case doctrine, the Court's December 1, 2017 Memorandum Opinion and Order dictated its decision on the Motion for Summary Judgment. See id. at 4-7. The Court explained that, under that prior ruling, “Plaintiffs may not seek damages for non-cognizable injuries, but may pursue damages for future risk of harm for any cognizable injuries suffered if the required evidentiary burden is met.” Id. 7-8. The Court then explained that the right to have a jury consider whether damages for increased risk of future harm is appropriate “is limited to realized injuries and the Plaintiffs must produce substantial evidence of probative value to support it.” Id. (citation omitted). Finally, the Court noted that federal courts, including this Court, have broadly held that future costs arising from a realized injury are recoverable if there is an evidentiary basis for the jury's award. Id. (citations omitted). In other words, the Court held that, for Plaintiffs to have standing to seek damages for an increased risk of future harm, they first needed to show that they were entitled to damages for out-of-pocket expenses. See [R. 166, p. 30 (discussing its November 8, 2021 Memorandum Opinion and Order)]. Accordingly, the Court found that the plaintiffs were permitted to pursue damages for future risk of harm for any cognizable injuries suffered, so long as they could satisfy the required evidentiary burden. [R. 122, pp. 7-8].
Several months later, Pharm-Save filed three Motions for Partial Summary Judgment. [R. 135, R. 136, R. 137]. Pharm-Save sought summary judgment on the NCUDPTA claim, [R. 135], the intrusion upon seclusion claim, [R. 136], and on Plaintiffs' claimed damages for increased risk of future harm, [R. 137]. Plaintiffs, meanwhile, filed a motion for class certification, [R. 144]. The Court addressed these and other motions in a March 31, 2023 Memorandum Opinion and Order. [R. 167]. The Court granted summary judgment in favor of Pharm-Save on the NCUDPTA and intrusion upon seclusion claims. Id. at 5-27. However, it denied without prejudice Pharm-Save's Motion for Partial Summary Judgment on the damages issue. Id. at 27-31.
Not relevant here, the Court also addressed to motions seeking to exclude expert testimony, [R. 138, R. 139], and a motion for oral argument. [R. 160].
Relevant here, the Court found that it had erred, in part, when it previously ruled on the increased-risk-of-future-harm issue in November 2021. Id. at 29. As noted above, the Court had ruled that, in order to have standing to seek damages for an increased risk of future harm, the plaintiffs first had to show they were entitled to damages for out-of-pocket expenses. Id. at 30. “Upon further consideration,” the Court explained, it found that “this is not entirely accurate.” Id. Citing to TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the Court explained that, in addition to showing an imminent risk of future harm, “the plaintiff must demonstrate ‘some other injury' they suffered stemming from that risk.” Id. (citing TransUnion, 594 U.S. at 437; Bowen v. Paxton Media Grp., LLC, No. 5:21-CV-00143-GNS, 2022 WL 4110319, at *4 (W.D. Ky. Sept. 8, 2022)). That “other injury” can include the emotional distress caused by the threat of identity theft. Id. (citation omitted). “In other words,” the Court explained, “so long as Plaintiffs can show they are at a material risk of concrete harm, and that they have suffered any other harm from that risk-not, as the Court previously held, out-of-pocket expenses specifically-they may be entitled to damages for an increased risk of future harm if they make a sufficient showing of that entitlement at trial.” Id. at 30-31.
While the Court described the TransUnion analysis as a two-part test in its earlier Memorandum Opinion and Order, see [R. 166, p. 30], the Court believes that the discussion of TransUnion provided herein is a more accurate summary of that case.
Having clarified this point, the Court denied Pharm-Save's motion without prejudice, as both the motion and the responsive briefs had been informed by the Court's earlier rulings. Id. at 31. The Court likewise denied without prejudice the plaintiffs' motion seeking class certification, noting that the Court's dismissal of the NCUPTPA and intrusion upon seclusion claims could affect the certification analysis. Pharm-Save has now renewed its motion for partial summary judgment on the issue of damages for increased risk of future harm, [R. 167], and Plaintiffs have renewed their request for class certification, [R. 169].
At this time, a total of five motions are pending before this Court: Plaintiffs' motion seeking leave to file excess pages, [R. 170]; Pharm-Save's motion for leave to file excess pages, [R. 177]; Plaintiffs' motion requesting oral argument, [R. 188]; Pharm-Save's Renewed Motion for Partial Summary Judgment, [R. 167]; and Plaintiffs' Renewed Motion for Class Certification, in which they again request oral argument, [R. 169]. These motions are ripe for review.
II. ANALYSIS
A. Motions Seeking Leave to Exceed Page Limit, [R. 170], [R. 177]
As an initial matter, the Court will grant the parties' motions seeking leave to exceed Local Rule 7.1's page limitations. See [R. 170], [R. 177]. That rule limits motions and their accompanying memoranda to twenty-five pages or less, and replies to fifteen pages or less. See LR 7.1(d). Both parties wish to exceed these limitations, and neither party responded to the others' request. The Court therefore considers these motions to be unopposed and will grant both.
B. Plaintiffs' Motion for Oral Argument, [R. 169], [R. 188]
Local Rule 7.1 allows a party to “request a hearing or oral argument in a motion, response, or reply.” LR 7.1(f). In the present case, Plaintiffs request oral argument on their Renewed Motion for Class Certification. [R. 169], [R. 188]. Plaintiffs argue that “oral argument would be helpful given rapidly evolving data breach jurisprudence, especially as concerns class certification.” [R. 188, p. 2]. More specifically, they insist that “[o]ral argument will aid the Court” in “navigat[ing] uncharted waters to decide whether to certify Plaintiffs' proposed class.” Id. However, given the extensive briefing on this issue, the Court's familiarity with the nuances of this case, and its ability to separately review and consider recent case law relating to data breaches and class certification, the Court finds that oral argument is unnecessary. The Court will therefore deny Plaintiffs' Renewed Motion for Class Certification to the extent they seek oral argument on that motion, [R. 169], and it will also deny Plaintiffs' separate Motion for Oral Argument, [R. 188].
C. Pharm-Save's Renewed Motion for Partial Summary Judgment, [R. 167]
1. Summary Judgment Standard
Under Federal Rule of Civil Procedure 56, a court may grant summary judgment if it first finds that “there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). “A genuine dispute of material fact exists ‘if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.'” Winkler v. Madison County, 893 F.3d 877, 890 (6th Cir. 2018) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)).
The moving party bears the initial burden “of informing the district court of the basis for its motion, and identifying those portions of ‘the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any,' which it believes demonstrate the absence of a genuine issue of material fact.” Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986); see also Anderson, 477 U.S. at 256. That burden may be satisfied by demonstrating that there is an absence of evidence to support an essential element of the nonmoving party's case for which he or she bears the burden of proof. Celotex Corp., 477 U.S. at 323. Once the moving party satisfies this burden, the non-moving party thereafter must produce “specific facts, supported by the evidence in the record, upon which a reasonable jury could find there to be a genuine fact issue for trial.” Bill Call Ford, Inc. v. Ford Motor Co., 48 F.3d 201, 205 (6th Cir. 1995) (citation omitted). “The evidence of the non-movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Anderson, 477 U.S. at 255. However, the Court is not obligated to “search the entire record to establish that it is bereft of a genuine issue of material fact.” In re Morris, 260 F.3d 654, 655 (6th Cir. 2001). Rather, “the nonmoving party has an affirmative duty to direct the court's attention to those specific portions of the record upon which it seeks to rely to create a genuine issue of material fact.” Id. Moreover “[t]he mere existence of a scintilla of evidence in support of the [non-moving party's] position will be insufficient; there must be evidence on which the jury could reasonably find for the [non-moving party].” Anderson, 477 U.S. at 252.
Ultimately, if the record, taken as a whole, could not lead the trier of fact to find for the nonmoving party, then there is no genuine issue of material fact and summary judgment is appropriate. Matsushita Elec. Indus. Co., Ltd. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986) (citations omitted).
2. Standing to Seek Damages for Risk of Future Harm
While Pharm-Save does not couch its argument as an attack on standing, that is the only plausible reading of its motion. To the extent that Pharm-Save intended to argue some other basis for summary judgment, the Court finds that argument to be so wholly undeveloped and unclear that it must be considered waived. Moreover, to the extent Pharm-Save attempted to argue that damages for risk of future harm were not capable of proof with reasonable certainty, the Court explains herein that Plaintiffs' “alleged injury arising from the increased risk of harm is cognizable for standing purposes, and thus could support a claim for damages.” Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276, 289-90 (2d Cir. 2023). As to proof of those damages, the damages for “time and money spent trying to mitigate the consequences of the data breach . . . are unquestionably capable of reasonable proof.” Id. at 290. And Plaintiffs have submitted testimony by their damages expert on the necessity of continuing to pay for identity theft protection for the foreseeable future. See [R. 179-17, p. 55:10-20 (Korczyk Depo.)]; see also [R. 179-2, p. 46:2-14 (Lynch Depo., explaining that she plans to pay for identity theft protection services for the rest of her life)]. While the computation of such damages may not be done with mathematical certainly, it need only be done with “reasonable certainty.” See Bohnak, 79 F.4th at 290 (citations omitted). Accordingly, in this case, the Court would find rule against Pharm-Save to the extent it argued that damages for risk of future harm were not capable of proof with reasonable certainty. Ultimately, the trier of fact will have to determine whether Plaintiffs have proven damages and how much.
Under Article III of the Constitution, a federal court's jurisdiction is limited to “Cases” and “Controversies.” U.S. Const., Art. III, § 2. “The doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.'” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 157 (2014) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). To establish Article III standing, a plaintiff must demonstrate “(1) an ‘injury in fact,' (2) a sufficient ‘causal connection between the injury and the conduct complained of,' and (3) a ‘likel[ihood]' that the injury ‘will be redressed by a favorable decision.”” Id. at 157-58 (quoting Lujan, 504 U.S. at 560-61).
At issue in this case is the injury-in-fact requirement, the “‘[f]irst and foremost' of standing's three elements.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016) (citation omitted). To establish an injury in fact, the alleged injury must be “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent,” not “conjectural” or “hypothetical.” Driehaus, 573 U.S. at 158 (quoting Lujan, 504 U.S. at 560) (internal quotation marks omitted). Thus, to satisfy the injury-in-fact requirement, a plaintiff must demonstrate a legally protected interest, concreteness, particularization, and imminence. See Trichell v. Midland Credit Mgmt, Inc., 964 F.3d 990, 996-97 (11th Cir. 2020) (“Each subsidiary element of injury-a legally protected interest, concreteness, particularization, and imminence-must be satisfied.” (citing Spokeo, 578 U.S. at 334; Lujan, 504 U.S. at 560)). Here, Pharm-Save appears to attack only the concreteness and imminence elements, though it repeatedly conflates the two. See [R. 167; R. 176]. To be clear, however, both concreteness and imminence are independent elements of the injury-in-fact requirement. See id.; see also Spokeo, 578 U.S. at 334 (explaining that the lower court erred by focusing only on particularity element when concreteness was also required).
To satisfy the imminence requirement-i.e., that the alleged injury be actual or imminent, not conjectural or hypothetical-the plaintiff can show either that he has already sustained an injury or is in immediate danger of sustaining an injury. See generally Airline Professionals Assoc. of Intern. Broth. of Teamsters, Local Union No. 1224, AFL-CIO v. Airborne, Inc., 332 F.3d 983, 987 (6th Cir. 2003) (discussing standing requirements). In other words, while a plaintiff can seek redress for an injury already sustained (i.e., an “actual” injury), one “need not wait until he or she has actually sustained the feared harm in order to see judicial redress, but can file suit when the risk of harm becomes imminent.” Clemens v. ExecuPharm, Inc., 48 F.4th 146, 152 (3d Cir. 2022); see also Galaria v. Nationwide Mutual Insurance Co., 663 Fed.Appx. 384, 388 (6th Cir. 2016) (“Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse-a fraudulent charge on a credit card, for example-before taking steps to ensure their own personal and financial security ....”). But without evidence that the injury is “‘actual or imminent,' such an injury can only be ‘conjectural or hypothetical.'” Airline Professionals Assoc. of Intern. Broth. of Teamsters, 332 F.3d at 987 (citation omitted).
In 2013, the Supreme Court emphasized the imminence requirement in Clapper v. Amnesty International USA, 568 U.S. 398 (2013), noting that a “threatened injury must be certainly impending to constitute injury in fact.” Id. at 410 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (internal quotation marks omitted)). Thus, where the plaintiff alleges an injury based on measures taken to avoid a future harm, that future harm must be “certainly impending.” Id. at 415. “In other words, [plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id. at 416 (citations omitted). However, the Court also clarified that plaintiffs need not “demonstrate that it is literally certain that the harms they identify will come about,” and in some cases, standing has been found “based on a ‘substantial risk' that the harm will occur.” Id. at 414 n.5. Accordingly, under Clapper, “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,' or there is a ‘substantial risk' that the harm will occur.” Driehaus, 573 U.S. at 158 (quoting Clapper, 568 U.S. at 415, 414 n.5) (some internal quotation marks omitted).
A few years later, the Supreme Court would provide guidance on the concreteness requirement in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016). The Court explained that a concrete harm must be “real, and not abstract.” Id. at 340 (citations omitted) (internal quotation marks omitted). Certain harms “readily qualify as concrete injuries,” the most obvious of which are “tangible harms, such as physical harms and monetary harms.” TransUnion, 594 U.S. at 425 (discussing Spokeo). But intangible harms can also satisfy the concreteness requirement. Spokeo, 578 U.S. at 340-42. To determine whether an intangible injury satisfies the concrete-harm requirement, “it is instructive to consider whether [the] alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. at 341 (citation omitted).
Following Clapper and Spokeo, the Sixth Circuit considered whether a data breach victim has standing to sue based on a threat of future harm. In Galaria v. Nationwide Mutual Insurance Co., the Sixth Circuit reversed a district court's dismissal for lack of standing. With respect to actual harm, the plaintiffs alleged that in order to mitigate their risk of loss, they had suffered and would continue to suffer mitigation costs (like purchasing credit monitoring services). Galaria, 663 Fed.Appx. at 386. The Sixth Circuit explained that, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.” Id. at 388. Thus, “it would be unreasonable to expect Plaintiffs to wait for actual misuse . . . before taking steps to ensure their own personal and financial security, particularly when [the defendant] recommended taking these steps.” Id. Because the plaintiffs had reasonably incurred mitigation costs to obtain protections against the substantial risk of future harm, the Sixth Circuit found that “[t]his is not a case where “Plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm.'” Id. at 389 (citing Clapper, 568 U.S. at 416). Instead, the costs incurred after the data breach were “a concrete injury suffered to mitigate an imminent harm, [thereby satisfying] the injury requirement of Article III standing.” Id.
In 2021, the Supreme Court issued its decision in TransUnion, “which built upon Spokeo and provided additional guidance to courts seeking to determine whether an intangible harm suffices as a concrete injury.” Barclift v. Keystone Credit Servs., LLC, 93 F.4th 136, 142 (3d Cir. 2024) (summarizing TransUnion). In that case, TransUnion had flagged the plaintiffs' credits reports because the plaintiffs shared the same names as individuals on a terrorist watchlist. TransUnion, 594 U.S. at 419-21 One group of plaintiffs had their flagged reports distributed to third parties, while the other group of plaintiffs did not have their flagged reports disseminated. Id. at 421. The Supreme Court held that the first group had demonstrated an injury in fact because, although they had not suffered a tangible injury (e.g., monetary losses), they had suffered an intangible injury (i.e., reputational harm) from the publication of their flagged report, and this harm shared a “close relationship” to the harm associated with the traditional tort of defamation. Id. at 432. But, the Court explained, publication is “‘essential to liability' in a suit for defamation.” Id. at 434 (quoting Restatement of Torts § 577, Comment a, at 192). “And there is ‘no historical or common-law analog where the mere existence of information, absent dissemination, amounts to concrete injury.” Id. (quoting Owner-Operator Independent Drivers Assn., Inc. v. United States Dept. of Transp., 879 F.3d 339, 344-45 (D.C. Cir. 2018)). Thus, for the second group of plaintiffs, the Court found that those individuals had not suffered a concrete injury because their reports had never been distributed to potential creditors. Id. at 434.
Because the second group of plaintiffs could not demonstrate that the misleading information on their credit reports alone constituted a concrete harm, the Court went on to consider their alternative argument based on the risk of future harm. Id. at 435. On this point, the Supreme Court discussed its earlier decision in Spokeo and Clapper. In Spokeo, the Court had noted that “the risk of real harm” can potentially “satisfy the requirement of concreteness,” citing to Clapper. See id. (citing Spokeo, 578 U.S. at 341-42). But, the Supreme Court explained, Clapper had been a suit for injunctive relief, and “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” Id. (citations omitted). The Supreme Court clarified, “Spokeo did not hold that the mere risk of future harm, without more, suffices to demonstrate Article III standing in a suit for damages.” Id. at 437 (emphasis added).
Put another way, in a suit for damages, the mere risk of future harm, without more, is insufficient to demonstrate Article III standing. Id. at 436-37. Thus, in TransUnion, the second group of plaintiffs needed to demonstrate something more than just the risk of future harm. The Supreme Court suggested that these plaintiffs could have demonstrated that the risk of future harm had actually materialized-that is, that the flagged credit reports were eventually distributed or caused a denial of credit. Id. at 437. Or the plaintiffs could have shown that they were “independently harmed by their exposure to the risk itself-that is, that they suffered some other injury (such as an emotional injury) from the mere risk that their credit reports would be provided to third-party businesses.” Id. Had they shown that the risk of future harm itself caused a separate concrete harm, they “would have [had] standing to pursue damages premised on that separate concrete harm.” Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276, 285 (2d Cir. 2023) (summarizing TransUnion). But they failed to do so. TransUnion, 594 U.S. at 437.
Moreover, those plaintiffs had not demonstrated that the risk of future harm (i.e., the risk of distribution to third parties) was anything more than speculative. Id. at 438. Because those plaintiffs had failed to “establish[] a serious likelihood of disclosure,” the Court declined to “simply presume a material risk of concrete harm.” Id. at (quoting Ramirez v. TransUnion LLC, 951 F.3d 1008, 1040 (9th Cir. 2020) (McKeown, J., concurring in part and dissenting in part)).
In the three years following TransUnion, only a few circuit courts have considered standing in data breach cases. See 1 Data Sec. & Privacy Law § 9:109 (Nov. 2023 Update). In 2022, the Third Circuit considered whether an injury in fact had been alleged in a data breach case in Clemens v. ExecuPharm, Inc., 48 F.4th 146 (3d Cir. 2022). In that case, hackers stole sensitive information about the defendant's current and former employees, including the plaintiff. Id. at 150. The hackers then posted the data to various underground websites on the Dark Web, “a portion of the Internet that is intentionally hidden from search engines and requires the use of an anonymizing browser to be accessed.” Id. (internal quotation marks omitted). As alleged by the plaintiff, the Dark Web is widely used to sell illegal products, including stolen personal information that can be used to commit identity theft and fraud. Id.
In considering whether the plaintiff had alleged an injury-in-fact, the Third Circuit first acknowledged that the disjunctive nature of the “actual or imminent” requirement “indicates that a plaintiff need not wait until he or she has actually sustained the feared harm in order to seek judicial redress, but can file suit when the risk of harm becomes imminent.” Id. at 152. “This is especially important in the data breach context,” the Third Circuit explained, “where the disclosure of the data may cause future harm as opposed to currently felt harm.” Id. Nevertheless, the Court emphasized that the threatened injury must be “certainly impending” or there must be a “‘substantial risk' that the harm will occur.” Id. (quoting Driehaus, 573 U.S. at 149) (some internal quotation marks omitted); see also Clapper, 568 U.S. at 398, 415, 414 n.5.
The Third Circuit next considered how to determine whether an injury is imminent in a data breach suit, noting that other circuits “rely on a number of factors.” Clemens, 48 F.4th at 153. Those “non-exhaustive factors can serve as useful guideposts,” the Court explained, “with no single factor being dispositive to [the] inquiry.” Id. The Court went on to identify the three factors previously outlined by the Second Circuit in McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021) (hereafter, the McMorris factors). First “is whether the data breach was intentional.” Clemens, 48 F.4th at 153 (citing to case law from the Second, Seventh, Ninth, and D.C. circuits) (citations omitted). Second, courts consider “whether the data was misused.” Id. at 153-54 (citing to cases out of the Second, Ninth, and Seventh circuits) (citations omitted). And third, “courts consider whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft.” Id. (citing to McMorris, 995 F.3d at 302). Reviewing those factors, the Third Circuit found the plaintiff's alleged future injury (i.e., the risk of identity theft or fraud) was sufficiently imminent. Id. at 156-59.
As noted previously, McMorris was decided before TransUnion. To the extent the Second Circuit suggested in McMorris that a sufficiently imminent risk of identity theft, standing alone, could constitute an injury-in-fact in a suit for damages, TransUnion has abrogated that holding. See Rand v. Travelers Indemnity Co., 637 F.Supp.3d 55, 65 n.2 (S.D.N.Y. 2022) (discussing McMorris after TransUnion). The Second Circuit acknowledged as much in Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276 (2d Cir. 2023), but clarified that, while TransUnion governed the concreteness analysis, McMorris (and its three factors) governs the imminence requirement. This Court agrees and applies the McMorris imminence factors when considering imminence.
Turning next to the concreteness element, the Third Circuit explained that “[t]he first step in assessing concreteness is to ask whether the harm is adequately analogous to a harm traditionally recognized as giving rise to a lawsuit.” Id. at 154. As discussed in TransUnion, this can be a physical harm, monetary harm, or an intangible harm. Id. (citing TransUnion, 594 U.S. at 417). The Third Circuit went on to consider the application of this first step in the context of a data breach suit:
In the data breach context, there are several potential parallels to harms traditionally recognized at common law, depending on the precise theory of injury the plaintiff puts forward. For example, if the theory of injury is an unauthorized exposure of personally identifying information that results in an increased risk of identity theft or fraud, that harm is closely related to that contemplated by privacy torts that are “well-ensconced in the fabric of American law.” Though such an injury is intangible, it is nonetheless concrete.Id. at 154-55 (internal citations omitted). In Clemens, the plaintiff's alleged risk of identity theft or fraud was “sufficiently analogous to harms long recognized at common law like the ‘disclosure of private information.'” Id. at 157.
In cases for damages, there is a second step, the Third Circuit explained, again citing TransUnion. Id. at 155 (citing TransUnion, 594 U.S. at 436). In such cases, the plaintiff “can satisfy concreteness as long as he alleges that the exposure to that substantial risk [of identity theft or fraud] caused additional, currently felt concrete harms.” Id. at 156. Such additional harms could include emotional distress or the expenditure of money on mitigation measures, like credit monitoring services. Id. The plaintiff in Clemens had alleged both, and the Third Circuit therefore found that the plaintiff had alleged a concrete injury. Id. at 156-59.
In 2023, the First Circuit would consider similar standing issues in a data breach case, Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). In that case, a homedelivery pharmacy service suffered a data breach, in which hackers infiltrated patient records and stole patients' PII. Id. at 369-70. Two such patients brought a putative class action. Id. One plaintiff alleged that, as a result of the data breach, unauthorized third parties had misused her PII by filing a fraudulent tax return. Id. at 370, 373. The First Circuit found that such actual misuse was sufficient to state a concrete injury, and it further found that, given the temporal connection between the filing of the false tax return and the timing of the data breach, there was a sufficient connection between that injury and the data breach. Id. at 373-74.
The other plaintiff did not allege actual misuse of his stolen PII, but instead alleged an injury based on the material risk of future misuse. Id. at 374. The First Circuit found this argument to be applicable to both plaintiffs. Id. at 374-75 (“This analysis is equally applicable to [the other plaintiff] and provides an independent basis for our conclusion that the complaint plausibly demonstrates standing as to [that other plaintiff].”). Citing to the three non-exhaustive factors considered in Clemens (and in other circuits), the Court found that the plaintiffs had plausibly alleged “an imminent and substantial risk of future misuse of the plaintiffs' PII.” Id. at 376. Of note, the Court explained,
Plaintiffs face a real risk of misuse of their information following a data breach when their information is deliberately taken by thieves intending to use the
information to their financial advantage-i.e., exposed in a targeted attack rather than inadvertently. And the actual misuse of a portion of the stolen information increases the risk that other information will be misused in the future.Id. at 375. The Court also found that the risk of future misuse was heightened “where the compromised data is particularly sensitive.” Id. Thus, based on the three factors outlined in Clemens, the First Circuit found that the risk of future misuse was imminent. Id. at 376.
Having determined that the plaintiffs satisfied the imminence requirement, the First Circuit went on to consider whether the plaintiffs had also alleged “a separate concrete, present harm” caused by the exposure to the risk, as required by TransUnion. Id. at 376 (citing TransUnion, 594 U.S. at 437). The Court found that plaintiffs had sufficiently alleged such injury based on their allegations of “lost time spent taking protective measures that would otherwise have been put to some productive use.” Id. “The loss of time,” the Court explained, “is equivalent to a monetary injury, which is indisputably a concrete injury.” Id. And because the loss of time was incurred as a response to a substantial and imminent risk of harm, the plaintiffs were not “manufactur[ing] standing by incurring costs in anticipation of non-imminent harm.” Id. Accordingly, the plaintiffs had satisfied the injury-in-fact requirement.
Shortly after the Webb decision, the Second Circuit ruled similarly in Bohnak v. Marsh & McLennan Companies, Inc., 79 F.4th 276 (2d Cir. 2023). In that case, the plaintiff brought a putative class action against her employer after her PII (including her name and Social Security number) had been disclosed during a data breach. Id. at 281. The Second Circuit found that TransUnion controlled the issue of concreteness in such cases, where standing was premised on the risk of future harm. Id. at 283. Applying TransUnion, the Court found that the exposure of the plaintiff's PII “bears some relationship to a well-established common-law analog: public disclosure of private facts.” Id. at 287. Additionally, the plaintiff had demonstrated “separate concrete harm[s]” resulted from the risk of future harm, including mitigation costs, lost time and “opportunity costs.” Id. The Court therefore found the concreteness requirement satisfied. Id.
As for the imminence requirement, the Second Circuit, like Clemens, relied on earlier decisions in which it outlined the three factors to consider when determining imminence in a data breach case. Id. at 283, 287-88. The first factor was satisfied because the plaintiff alleged that her PII had been disclosed “as a result of a targeted attempt by a third party to access the data set.” Id. at 288. And she alleged that the stolen PII included her name and Social Security number, and “[t]his is exactly the kind of information that gives rise to a high risk of identity theft.” Id. at 289. The Court found that this was “sufficient to suggest a substantial likelihood of future harm, satisfying the ‘actual or imminent harm' component of an injury in fact,” even though no actual misuse occurred. Id.
Before turning to the parties' arguments, the Court finds it helpful to first summarize the standing cases just discussed. First, it is clear that the injury-in-fact requirement may be satisfied if the plaintiff suffers an actual (i.e., presently occurring) tangible harm, like physical injury or economic loss. See TransUnion, 594 U.S. at 425 (“If a defendant has caused physical or monetary injury to the plaintiff, the plaintiff has suffered a concrete injury in fact under Article III.”). Or a plaintiff may satisfy the injury-in-fact requirement if he suffers an actual (i.e., presently occurring) intangible harm, like reputational harm, for which there is a close historical or common-law analog. See, e.g., Spokeo, 578 U.S. at 34. A plaintiff may also demonstrate an injury in fact if there is a future risk of harm. See TransUnion, 594 U.S. at 435-37; Clapper, 568 U.S. at 415. However, that future harm must be sufficiently imminent, and it must also be concrete. To satisfy the imminence requirement, the future harm must be sufficiently likely to occur. See TransUnion, 594 U.S. at 437-38; Clapper, 568 U.S. at 415. In data breach cases, other circuits focus on the three non-exhaustive McMorris factors to determine if the risk of future harm satisfies this requirement. Bohnak, 79 F.4th at 288; Webb, 72 F.4th at 375-76; Clemens, 48 F.4th at 153-55. Then, to satisfy the concreteness requirement, the future harm must have a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts. TransUnion, 594 U.S. at 424. And in a suit for damages, the plaintiffs must demonstrate that “the risk of future harm materialized,” Id. at 437; Ward v. National Patient Account Servs. Solutions, 9 F.4th 357, 361 (6th Cir. 2021), or the exposure to that risk caused “some other injury,” i.e., a present and concrete harm, which can include emotional damage, mitigation costs, or lost time. TransUnion, 594 U.S. at 437; Bohnak, 79 F.4th at 286; Webb, 72 F.4th at 376-77; Clemens, 48 F.4th at 156. Now, with these basic principles in mind, the Court turns to the parties' arguments.
On the concreteness requirement, the Court notes that there appears to be a divide among the circuits as to whether the plaintiff must demonstrate a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts and “some other injury,” or whether these are alternative means of satisfying concreteness. See, e.g., Bohnak, 79 F.4th at 286 (considering these as alternative means); Webb, 72 F.4th at 376-77 (finding concreteness after considering only whether there existed “some other injury”); Clemens, 48 F.4th at 156 (describing the “some other injury” inquiry as a necessary step in the concreteness analysis, even where the plaintiff has demonstrated a harm with a traditional or common law analog). But the Court need not reach this precise issue because, for the reasons stated below, the plaintiffs have satisfied both inquiries.
In its motion, Pharm-Save again asks the Court to grant summary judgment in its favor on Plaintiff's damages claim for increased risk of future harm. [R. 167]. While Pharm-Save's briefing is less than clear, the Court understands Pharm-Save's argument to challenge both imminence and concreteness. First, Pharm-Save argues that Plaintiffs have failed to identify a substantial risk of a future harm because the purported risk (i.e., misuse of their PII) is too speculative and therefore not imminent enough to qualify. Id. at 6-8. Because there is no imminent risk, Pharm-Save argues the mitigation costs incurred by Plaintiffs cannot qualify as “some other injury” stemming from such a risk. Id. at 8- 9. Stated another way, Pharm-Save argues that the plaintiffs “cannot manufacture [an injury] merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id. at 9 (quoting Clapper, 568 U.S. at 416 (citations omitted)). Lastly, Pharm-Save argues that there is no evidence of emotional damage or distress. Id. at 9-10.
Plaintiffs do not address Pharm-Save's emotional damages argument, and the Court considers that issue waived. See Brown v. VHS of Mich., Inc., 545 Fed.Appx. 368, 372 (6th Cir. 2013) (“This Court's jurisprudence on abandonment of claims is clear: a plaintiff is deemed to have abandoned a claim when a plaintiff fails to address it in response to a motion for summary judgment.” (citations omitted)); Covington v. Chemicals, 3:18-CV-832-CRS, 2021 WL 3115394, *5 (W.D. Ky. July 22, 2021) (finding claim to be abandoned where the plaintiff failed to address it in response to a motion for summary judgment).
However, Plaintiffs do respond to the remainder of Pharm-Save's motion. First, they argue that, based the three factors outlined by the Third Circuit in Clemens, they were exposed to an imminent risk of identity theft and fraud. [R. 171, pp. 18-23]. Next, they contend that this imminent risk has a “traditionally recognized common-law analogue” (i.e., privacy torts). Id. at 24. And this risk, they argue, has caused them to suffer a sufficiently concrete “other injury” because they lost time dealing with the data breach and incurred expenses for identity theft protection, and their privacy interests have been violated. Id. at 24-25; see also [R. 104, ¶ 1 (Second Amended Complaint, repeating and realleging allegations in earlier complaints)]; [R. 11, ¶ 33 (alleging damages, including lost time and mitigation costs)].
The Court considers the parties' arguments below. In doing so, the Court is mindful of Plaintiffs' burden at the summary judgment stage. Specifically, Plaintiffs, as the party seeking to invoke this Court's jurisdiction, “‘bear[] the burden of establishing' standing,” and at this stage of the proceedings, they cannot rest on “‘mere allegations,' but must ‘set forth' by affidavit or other evidence ‘specific facts.'” Clapper, 568 U.S. at 411-12 (quoting Lujan, 504 U.S. at 561) (some internal quotation marks omitted).
While many of the cases cited herein involve motions to dismiss, rather than motions for summary judgment, the Court finds these cases to be instructive on the imminence and concreteness elements and the factors that should be considered when evaluating these elements. Of course, when considering standing, “each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of litigation.” Lujan, 504 U.S. at 561 (citations omitted); see also Galaria, 387-88 (explaining that “[e]ach element of standing ‘must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation'” (quoting Fair Elections Ohio v. Husted, 770 F.3d 456, 459 (6th Cir. 2014)) (internal quotation marks omitted). Thus, in response to a motion for summary judgment, the plaintiff must “‘set forth' by affidavit or other evidence ‘specific facts'” to support standing. Lujan, 504 U.S. at 561 (quoting Fed.R.Civ.P. 56(e)). In other words, “[t]o prevail on a Federal Rule of Civil Procedure 56 motion for summary judgment-as opposed to a motion to dismiss-however, mere allegations of injury are insufficient,” and instead, “a plaintiff must establish that there exists no genuine issue of material fact as to justiciability or the merits.” Dept. of Commerce v. U.S. House of Representatives, 525 U.S. 316, 329 (1999) (citations omitted).
a. Risk of Future Harm: Imminence
As discussed in detail above, when a plaintiff relies on a risk of future harm, the threatened injury must be “certainly impending” or there must be a “‘substantial risk' that the harm will occur.” Clemens, 48 F.4th at 152 (quoting Driehaus, 573 U.S. at 149) (some internal quotation marks omitted); see also Clapper, 568 U.S. at 398, 415, 414 n.5. To determine whether an injury is imminent in a data breach suit, circuit courts have relied on the following nonexhaustive list of factors: whether the breach was intentional; whether the data was misused; and “whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft.” Clemens, 48 F.4th at 153-54; see also Bohnak, 79 F.4th at 288; Webb, 72 F.4th 375-76. To be clear, this list is non-exhaustive, and while each of these factors can serve “as [a] useful guidepost[],” no single factor is dispositive. Clemens, 48 F.4th at 153; see also Webb, 72 F.4th at 375 (“We stress that these considerations are neither exclusive nor necessarily determinative, but they do provide guidance.” (citation omitted)). However, some courts find the first factor (i.e., whether the breach was intentional) to be the most important. Bohnak, 79 F.4th at 288 (citing McMorris, 995 F.3d at 301). Ultimately, the imminence requirement demands a fact-specific inquiry. See Webb, 72 F.4th at 376 (“We do not hold that individuals face an imminent and substantial future risk in every case in which their information is compromised in a data breach. But on the facts alleged here, the complaint has plausibly demonstrated such a risk.”); McMorris, 995 F.3d at 302 (“These factors are by no means the only ones relevant to determining whether plaintiffs have shown an injury in fact based on an increased risk of future identity theft or fraud. After all, determining standing is an inherently fact-specific inquiry....”).
A plaintiff must demonstrate standing for each form of relief sought (e.g., injunctive relief and monetary damages). See TransUnion, 594 U.S. at 431 (citations omitted). Here, however, the Court considers only whether Plaintiffs have standing to pursue damages for a risk of future harm, as that is the only issue raised in Pharm-Save's motion. Additionally, Plaintiffs' claims all arise from the data breach, and neither party argues that the standing inquiry differs with respect to any claim. Accordingly, the Court treats the claims together throughout its analysis. See Webb, 72 F.4th at 373 n.3.
In Clemens, the Third Circuit found that each of these factors supported the imminence requirement where the hackers “intentionally gained access to and misused the data.” Clemens, 48 F.4th at 157 (emphasis in original). More specifically, the hacking group “launched a sophisticated phishing attack to install malware, encrypted the data, held it for ransom, and published it” to the Dark Web. Id. (citations omitted). Moreover, “[t]he data was also the type of data that could be used to perpetrate identity theft or fraud,” because “[n]ot only did it contain financial information, which, on its own, could subject the breach victims to credit card fraud- but it also contained Social Security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers,” and other sensitive information. Id. “This combination of financial and personal information is particularly concerning as it could be used to perpetrate both identity theft and fraud.” Id. (citations omitted). Thus, the Third Circuit held, “these factors show that [the plaintiff] has alleged a ‘substantial risk that the harm will occur' sufficient to establish an ‘imminent' injury.” Id. (quoting Driehaus, 573 U.S. at 158).
In Webb, the First Circuit ruled similarly. It explained, “It stands to reason that data compromised in a targeted attack is more likely to be misused.” Webb, 72 F.4th at 375 (citations omitted). And the fact “[t]hat at least some information stolen in a data breach has already been misused also makes it likely that other portions of the stolen data will be similarly misused.” Id. at 376 (citations omitted). Further, the First Circuit echoed the Clemens Court's concern that “the risk of future misuse may be heightened where the compromised data is particularly sensitive.” Id. These factors all supported a finding of imminence in that case, where the plaintiffs alleged that the data breach resulted from an intentional attack by cybercriminals, at least some of the information had been misused to file a fraudulent tax reform in one of the two plaintiff's names, and the stolen information included the patient's names and Social Security numbers. Id.; see also Bohnak, 79 F.4th at 288-89 (finding imminence requirement satisfied where the plaintiff alleged that her PII, including her name and Social Security number, was exposed during a third party's targeted attempt to access the data, even though there was no allegation of actual misuse).
With respect to the first factor-whether the data breach was intentional-Pharm-Save points to this Court's ruling on its earlier Motion for Summary Judgment, in which the Court ruled that the disclosure of the employees' PII was not intentional. [R. 176, 3-4]. But in that earlier decision, the Court ruled only that the Pharm-Save employee involved in the phishing attack had not acted intentionally when she disclosed the W-2 forms to the cybercriminals. [R. 166, pp. 11-14, 26-27]. As a result, the Court granted summary judgment in favor of Pharm-Save on the NCUDTPA and intrusion upon seclusion claims, both of which required the defendant to have acted intentionally. Id. Now, however, the Court considers whether the data breach was intentional for purposes of determining whether there exists an imminent risk of future harm arising from the breach. As the above-cited case law makes clear, the question in this context is whether the individuals who obtained the PII (i.e., the cybercriminals) acted intentionally. See, e.g., Bohnak, 79 F.4th at 288 (“[T]he most important factor in determining whether a plaintiff whose PII has been exposed has alleged an injury in fact is whether the data was comprised as the result of a targeted attack intended to get PII.” (citing McMorris, 995 F.3d at 301)).
As to that question, Pharm-Save does not dispute that the cybercriminals who targeted Pharm-Save acted intentionally for the purpose of obtaining employees' PII, nor does any evidence of record suggest otherwise. See generally [R. 179-3, pp. 74-75, 84 (Houghton Depo., discussing the phishing scheme)]. Courts have consistently found such intentional attacks to strengthen the likelihood of future identity theft or fraud. See Clemens, 48 F.4th at 157; see also Bohnak, 79 F.4th at 289; Webb, 72 F.4th 376; Galaria, 663 Fed.Appx. at 388 (“Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.”). Like those courts, this Court also wonders what other purpose these cybercriminals could have had when stealing individuals' PII. Bohnak, 79 F.4th at 288 (“We embraced the Seventh Circuit's reasoning . . .: ‘Why else would hackers break into a store's database and steal consumers' private information?'” (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015))). “Presumably, the purpose of the [attack] is, sooner or later, to make fraudulent charges or assume [the victims'] identities.” Id. (quoting Remijas, 794 F.3d at 693). Accordingly, this first factor weighs in favor of finding that the risk of future harm (i.e., identity theft or fraud) is imminent.
The fact that the data breach resulted from an intentional attack to obtain PII distinguishes this case from In re Practicefirst Data Breach Litigation, 1:21-CV-00790(JLS/MJR), 2022 WL 354544 (W.D. NY Feb. 2, 2022), a case relied upon by Pharm-Save. See, e.g., [R. 167, pp. 7, 8]. In that case, the defendant was the victim of a ransomware attack, in which an unauthorized third party had accessed and copied its computer files, which included confidential PII of defendant's clients and employees, and then demanded a fee in return for the stolen data. In re Practicefirst, 2022 WL 354544, at *1, 5. The defendant was eventually able to access the stolen data, presumably after paying the fee. Id. at *5. In considering whether this was an intentional attack for standing purposes, the district court noted that “the primary purpose of a ransomware attack is the exchange of money for access to data, not identity theft.” Id. And in fact, none of the 1.2 million victims alleged any type of theft or fraud in the year following the data breach. Id. “Thus,” the court concluded, “plaintiffs do not plausibly allege that this data breach was the type of cyber-attack targeted to obtain confidential information for purposes of identity theft, as opposed to garden-variety ransomware attack.” Id. By contrast, the present case involved a targeted email communication for the purpose of obtaining access to employees' PII, and there is no indication that it was obtained for any purpose other than identity theft or fraud. Bohnak, 79 F.4th at 288 (“Presumably, the purpose of the [attack] is, sooner or later, to make fraudulent charges or assume [the victims'] identities.”); see also [R. 179-3, pp. 74-75, 84 (Houghton Depo., discussing the phishing scheme); pp. 98:18-23, 99:1-9, 115:1-14, 116:22-23, 117:1-16 (discussing the misuse of employees' disclosed W-2s)]; [R. 179-16, pp. 114-115, 122123, 138:10-14, 143:21-23, 144:1-2, 173:1-10 (Benfield Depo., same)].
Indeed, the evidence of record demonstrates that fraudulent tax returns were filed in the names of multiple Pharm-Save employees who had their W-2s disclosed during the data breach. See [R. 179-3, pp. 98:18-23, 99:1-9, 115:114, 116:22-23, 117:1-16 (Houghton Depo.)]; [R. 179-16, pp. 114-115, 122-123, 138:10-14, 143:21-23, 144:1-2, 173:1-10 (Benfield Depo.)].
Next, the Court considers the second factor, i.e., whether the data was misused. See, e.g., Clemens, 48 F.4th at 153. On this point, Pharm-Save argues that there was no actual misuse of the stolen data, because the IRS interfered when a fraudulent tax return was filed in Savidge's name, and the fraudulent return was therefore never processed. [R. 176, p. 4]. Thus, Pharm-Save argues, the fraudulent return “resulted in no damage to Savidge and no problem-attempted or otherwise-has happened since.” Id. This argument is problematic for multiple reasons. First, for purposes of determining whether a risk of future harm is imminent, the Court need not find that a plaintiff has experienced any actual “damage” or injury. Instead, to the extent the Court considers such injury, it does so when evaluating concreteness. See infra Section II(C)(2)(b).
Second, Pharm-Save cites to no authority supporting its position that a plaintiff's stolen PII is not actually “misused” for purposes of this imminence inquiry when a fraudulent tax return is filed but ultimately not processed. On this point, Pharm-Save cites to Whalen v. Michael Stores Inc., 153 F.Supp.3d 577 (E.D. NY 2015). [R. 167, p. 7]. However, that case is not instructive. There, the plaintiff was notified that her credit card information had been compromised after hackers used malicious software (“malware”) to obtain such information from Michaels stores. Whalen, 153 F.Supp.3d at 578. The plaintiff “experienced one attempted fraudulent charge,” in which her credit card was presented for payment, but the plaintiff did “not allege that the attempted charges were approved or that she suffered any financial loss.” Id. at 579. Instead, she canceled the credit card and did not experience any further attempted fraudulent charges in the two years following the breach. Id. The district court found that the plaintiff had not suffered an actual harm because she had not suffered any unreimbursed charges. Id. at 580 81. But the question here is whether Plaintiffs have standing based on the increased risk of future harm. On that issue, the district court in Whalen made no reference to the “attempted fraudulent charge” on the plaintiff's credit card. See id. at 583. Indeed, Whalen was decided in 2015, and it does not discuss the three factors outlined more recently in Clemens. Id.
Pharm-Save also cites to In re Practicefirst, see [R. 167, p. 7], but as already discussed, there was no actual or attempted identity theft in that case, so it does not provide any insight into what constitutes “misuse” for purposes of this imminence requirement.
To the extent Pharm-Save relies on Whalen to support its argument that any risk of future harm is too speculative considering the time that has passed without any incidents of identity theft or fraud, the Court discusses that issue below.
In the present case, Savidge testified that she received a letter from the IRS shortly after the breach, advising her that someone had filed a tax return in her name. [R. 179-1, pp. 32:1-12, 34:21-24, 35:1-15 (Savidge Depo.)]. This Court has already described the fraudulent filing of the tax return as a “misuse” of Savidge's PII in its December 1, 2017 Memorandum Opinion and Order. [R. 26, p. 12 (“But the fact that cybercriminals have already misused Savidge's information may suggest that Plaintiffs' purchase of identity protection services, with the knowledge that her information had already been misused, was reasonable and necessary.”). Moreover, the evidence of record demonstrates that approximately five or six other Pharm-Save employees had fraudulent tax returns filed in their names after their data was disclosed in the breach. See [R. 179-3, pp. 98:18-23, 99:1-9, 115:1-14, 116:22-23, 117:1-16 (Houghton Depo.)]; [R. 179-16, pp. 114-115, 122-123, 138:10-14, 143:21-23, 144:1-2, 173:1-10 (Benfield Depo.)]. For at least one of those employees, Houghton, the fraudulent tax return was processed, and a refund was issued to the fraudulent filer. [R. 179-3, p. 115:1-4 (Houghton Depo.)].
And importantly, while actual misuse is not necessary to support a finding of imminence, the very point of this factor is that past misuse makes it more likely that the stolen data will be misused in the future. See, e.g., Webb, 72 F.4th at 376 (“That at least some information stolen in a data breach has already been misused also makes it likely that other portions of the stolen data will be similarly misused.” (citations omitted)). The fact that, in this case, the IRS intervened to prevent the processing of Savidge's fraudulent tax return does not suggest that the stolen PII (of any victim) is any less likely to be misused in the future, whether that be through a fraudulently filed tax return, or some other form of identity theft or fraud.
The Court therefore finds that, based on the undisputed evidence demonstrating that fraudulent tax returns were filed in Savidge's name and in other employees' names shortly after the breach, at least some of the stolen data has been misused in this case, at least for purposes of this imminence inquiry. As such, “it is more likely that other portions of the stolen data will be misused,” and this factor weighs in favor of finding a substantial risk of future harm. Webb, 72 F.4th at 376 (citations omitted); see also Bowen, 2022 WL 4110319, at *4 (finding imminence requirement satisfied where the plaintiffs alleged actual misuse of their stolen PII).
To be clear, because Savidge's stolen PII was actually misused, the Court would likely find that she had suffered an actual concrete injury for standing purposes. See Webb, 72 F.4th at 374 (agreeing with other courts “that consider actual misuse of a plaintiff's PII resulting from a data breach to itself be a concrete injury” (citations omitted)). However, in its motion, Pharm-Save seeks only partial summary judgment on the specific issue of whether Plaintiffs have standing to pursue damages for a future risk of harm. See [R. 167].
This analysis on the second factor applies with equal force to Lynch. As the case law makes clear, “courts have been more likely to conclude that a plaintiff has established a ‘substantial risk of future injury' where some part of the compromised dataset has been misued-even if a plaintiff's own data has not.” Bohnak, 79 F.4th at 288 (quoting Remijas, 794 F.3d at 301) (internal quotation marks omitted); see also Cotter v. Checkers Drive-In Restaurants, Inc., No. 8:19-cv-1386-VMC-CPT, 2021 WL 3773414, *5 (M.D. Fla. Aug. 25, 2021) (rejecting argument that the named plaintiffs in class action suit were required to show misuse of their own data). The same is true here. Because there has been some actual misuse of the stolen PII, “it is more likely that other portions of the stolen data will be misused,” which in turn puts both Savidge and Lynch at risk of future harm. Webb, 72 F.4th at 376 (citations omitted). Thus, the Court need not consider Pharm-Save's argument that Lynch did not suffer any actual misuse of her stolen PII. See [R. 176, p. 4 (arguing that Lynch did not suffer actual misuse of her stolen PII when someone attempted to file a fraudulent unemployment claim in her name, nearly five years after the data breach)].
The Court next considers the third factor-“whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft.” Clemens, 48 F.4th at 154 (citations omitted). Pharm-Save does not dispute that this factor is satisfied here, where Plaintiffs' W-2 forms were disclosed in the breach. See [R. 179-3, p. 70:19-22 (Houghton Depo., explaining that she scanned and emailed W-2s to the cybercriminals)]. Such forms typically include a taxpayer's name, address, and Social Security number. See generally Portier v. NEO Technology Solutions, 3:17-cv-30111-TSH, 2019 WL 7946103, *1 (D. Mass. Dec. 31, 2019) (discussing contents of the plaintiff's W-2); see also [R. 179-3, p. 98-99 (Houghton Depo., discussing other Pharm-Save employees who had fraudulent tax returns filed with their social security numbers after the breach)]. The case law is clear that the disclosure of such highly sensitive personal information is “more likely to create a risk of identity theft or fraud.” Clemens, 48 F.4th at 154 (referencing the disclosure of Social Security numbers, birth dates, and names); see also Webb, 72 F.4th at 376 (“Naturally, the dissemination of high-risk information such as Social Security numbers and dates of birth-especially when accompanied by victims' names- makes it more likely that those victims will be subject to future identity theft or fraud.” (quoting McMorris, 995 F.3d at 302) (internal quotation marks omitted)); cf. In re Illuminate Edu. Data Sec. Incident Litigation, 8:22-cv-01164-JVS (ADSx), 2023 WL 8888839, *3-4(C.D. Cal. Nov. 6, 2023) (finding imminence requirement unsatisfied where students' academic, behavioral, and demographic information were disclosed); Kim v. McDonald's USA, LLC, 2022 WL 442826, at *6 (N.D. Ill. Sept. 7, 2022) (collecting cases where courts found the theft of non-sensitive data, absent other allegations that the feared harms had materialized, fell short of satisfying the imminence requirement). Indeed, some courts have even described this as a “perpetual risk,” as discussed in more detail below. See Bohnak, 79 F.4th at 288 (citing McMorris, 995 F.3d at 302). The Court therefore finds that this third factor weighs in favor of finding a substantial risk of future harm.
Accordingly, Plaintiffs have developed uncontroverted evidence supporting each of the three McMorris factors. Thus, the Court finds that Plaintiffs have sufficiently demonstrated a substantial risk of future harm. However, these factors are not exhaustive, and the inquiry is fact specific. See, e.g., Clemens, 48 F.4th at 153. The Court will therefore address Pharm-Save's argument that any actual misuse in this case (i.e., the fraudulent tax return) occurred several years ago, with no other evidence suggesting misuse since that time. See [R. 167, pp. 4, 7-8]. On this issue, Pharm-Save insists that, “[o]ther than an unsuccessful attempt by criminal actors in early 2016 to file a fraudulent tax return under Andrea Savidge's name, there have been zero attempts by cyber criminals in the last six years to use the information on the W-2 Forms to file tax returns, open bank accounts, open credit cards or obtain anything of monetary value with respect to the Plaintiffs.” Id. at 4. From this, Pharm-Save appears to argue that any risk of future harm is too speculative, and Plaintiffs' injuries are therefore not concrete. See id. at 7 (“The isolated attempted tax return shortly after the data breach is far too speculative to constitute a material risk of future harm sufficient to be concrete.”). But Pharm-Save conflates concreteness with imminence, and the Court understands that Pharm-Save intends to argue that the future risk of harm is too speculative and therefore not imminent. See Airline Professionals Assoc. of Intern. Broth. of Teamsters, 332 F.3d at 987 (explaining that, without evidence that the injury is “‘actual or imminent,' such an injury can only be ‘conjectural or hypothetical'”).
As already explained, the Court considers the fraudulently filed tax return in Savidge's name to be an actual misuse of her stolen data, at least for purposes of this imminence inquiry. Thus, it appears Pharm-Save's argument hinges entirely on the fact that there have been no actual or attempted misuses since the filing of that fraudulent tax return in 2016. This argument is unconvincing for several reasons. First, the data breach cases cited by Pharm-Save are not persuasive. See [R. 167, pp. 7]. In In re Practicefirst, for example, the Western District of New York relied heavily on the fact that there had been no actual misuse of the disclosed data, in addition to the court's finding that the ransomware attack had not been intentional for purposes of the imminence inquiry. In re Practicefirst, 2022 WL 354544 at *5-6. Because two of the three McMorris factors weighed against imminence, the court found there was no substantial risk of future harm. Id. at *6. Here, conversely, each of the three factors weighs in favor of finding a substantial risk of harm.
The Whalen case cited by Plaintiff is equally unpersuasive. In that case, the plaintiff's credit card information was disclosed during a data breach, but “there was no evidence that the hackers retrieved any other customer information, such as names, addresses, or PIN numbers.” Whalen, 153 F.Supp.3d at 578. After the breach, a third party attempted to use the plaintiffs' credit card information but was unsuccessful, and the plaintiff canceled her card. Id. at 579. She did not suffer any more attempted or actual fraudulent charges after canceling her card. Id. Unlike the Whalen plaintiff, however, the plaintiffs in this case had their names and Social Security numbers disclosed during the breach. Unlike a stolen credit card, which can be canceled, some courts have found that stolen Social Security numbers, accompanied by names, create “a perpetual risk of identity theft or fraud.” Bohnak, 79 F.4th at 288 (quoting McMorris, 995 F.3d at 302) (internal quotation marks omitted). The Second Circuit considered this distinction in Bohnak, explaining,
[W]e explained [in McMorris] that courts may consider whether the exposed PII is of the type “more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” [McMorris, 995 F.3d at 302]. On one hand, we noted that “the dissemination of high-risk information such as [Social Security numbers] . . . especially when accompanied by victims' names-makes it more likely that those victims will be subject to future identity theft or fraud.” Id. On the other hand, we reasoned that the exposure of data that is publicly available, or that can be rendered useless (like a credit card number unaccompanied by other PII), is less likely to subject plaintiffs to a perpetual risk of identity theft. Id.Bohnak, 79 F.4th at 288. In other words, when the stolen data includes certain high-risk information, like Social Security numbers accompanied by names, the risk of identity theft remains, even as time passes. Thus, the cases cited by Pharm-Save are not persuasive.
Moreover, the Supreme Court and the Sixth Circuit “have consistently held that ‘the court must determine whether standing exists at the time of the filing of the complaint only.'” Graveline v. Benson, 992 F.3d 524, 532 (6th Cir. 2021) (citing Cleveland Branch, N.A.A.C.P. v. City of Parma, 263 F.3d 513, 524-26 (6th Cir. 2001) (collecting cases)); see generally Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 189-92 (2000) (distinguishing standing from mootness). Thus, the plaintiffs here must demonstrate standing at the time the suit was filed, in 2017, roughly a year after the breach. But Pharm-Save does not argue that the risk of future harm was speculative at that time, nor would any such argument be supported by the case law. See generally Webb, 72 F.4th at 375, Bohnak, 79 F.4th at 288-89. Indeed, Pharm-Save offered credit monitoring services for two years following the breach. See, e.g., [R. 179-3, pp. 115:21-23, 116:1-8 (Houghton Depo.)]; see also Galaria, 663 Fed.Appx. at 388 (“Indeed, Nationwide seems to recognize the severity of the risk [of future identity theft or fraud], given its offer to provide credit-monitoring and identity-theft protection for a full year.”)].
Having considered these three non-exhaustive factors, and having disposed of Pharm-Save's argument about the lack of more recent identity theft or fraud stemming from the data breach, the Court finds that the risk of future harm in this case is sufficiently imminent for Article III standing purposes. The evidence demonstrates that the breach in this case resulted from an intentional and targeted attack, the disclosed PII was misused on at least one occasion, and the disclosed PII included highly sensitive information that can be used to commit identity theft or fraud. See, e.g., [R. 179-3, pp. 70:19-22, 74-75, 84, 98:18-23, 99:1-9, 115:1-14, 116:22-23, 117:1-16 (Houghton Depo.)]; [R. 179-16, pp. 114-115, 122-123, 138:10-14, 143:21-23, 144:1-2, 173:1-10 (Benfield Depo.)].
Together, these factors show that there is a substantial risk that the future harm (i.e., identity theft or fraud) will occur, and this is sufficient to establish an “imminent” injury. Stated another way, Plaintiffs have cited to specific facts and evidence of record demonstrating an imminent injury, and the Court finds that there is no genuine dispute of material fact on the issue of imminence. See generally Dept. of Commerce v. U.S. House of Representatives, 525 U.S. at 329 (explaining that, to survive a motion for summary judgment on standing, the plaintiff must rely on more than “mere allegations of injury,” and must instead establish that there exists no genuine issue of material fact).
Accordingly, the Court goes on to consider whether this imminent injury is also concrete.
b. Risk of Future Harm: Concreteness
i. Historical or Common Law Analog
As noted above, an intangible harm (like the risk of future harm) can be concrete, particularly if the injury has “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 425 (citations omitted). “This inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.” Id. at 424. However, an exact duplicate is not required. Id.
In Clemens, the Third Circuit explained that, “[i]n the data breach context, there are several potential parallels to harms traditionally recognized at common law, depending on the precise theory of injury the plaintiff puts forward.” Clemens, 48 F.4th at 154-55. “For example,” the Court explained, “if the theory of injury is an unauthorized exposure of personally identifying information that results in an increased risk of identity theft or fraud, that harm is closely related to that contemplated by privacy torts that are ‘well-ensconced in the fabric of American law.'” Id. at 155 (quoting In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638-39 (3d Cir. 2017)). Thus, the Third Circuit concluded, the plaintiff's alleged injury of a risk of future harm was concrete “because the harm involved [was] sufficiently analogous to harms long recognized at common law like the ‘disclosure of private information.'” Id. 157 (quoting TransUnion, 594 U.S. at 425).
Similarly, in Bohnak, the Second Circuit found that the “core injury” alleged, i.e., the exposure of the plaintiff's private PII to unauthorized third parties, “bears some relationship to a well-established common-law analog: public disclosure of private facts.” Bohnak, 79 F.4th at 285 (citing Restatement (Second) of Torts § 652D). The Court did “not [need to] stretch to reach this conclusion” because “the Supreme Court [in TransUnion] specifically recognized that ‘disclosure of private information' was an intangible harm ‘traditionally recognized as providing a basis for lawsuits in American courts.'” Id. at 286 (citing TransUnion, 594 U.S. at 425).
Several district courts have ruled similarly. See, e.g., Miller v. Syracuse Univ., 662 F.Supp.3d 338, 353 (N.D.N.Y. Mar. 20, 2023); In re Pawn American Consumer Data Breach Litigation, 21-CV-2554 (PJS/JFD), 2022 WL 3159874, *3 (D. Min. Aug. 8. 2022). On the other hand, at least one district court has declined to find that the tort of public disclosure is a sufficient common law analog where there is no disclosure of the stolen PII to the public. See Baron v. Syniverse Corp., 8:21-cv-2349-SCB-SPF, 2022 WL 6162696, *6 (M.D. Fla. Oct. 7, 2022). However, the Court agrees with other courts that have considered this argument that the common-law analog need not be an “exact duplicate.” See Rand v. The Travelers Indemnity Co., 637 F.Supp.3d 55, 66 (S.D.N.Y. Oct. 27, 2022) (“To be clear, it is debatable whether Travelers's disclosure to even a group of cybercriminals improperly accessing plaintiff's PII on the agency portal is sufficiently ‘public' under the tort, and whether the type of disclosure here is sufficiently ‘offensive,' but the Supreme Court is clear that the common-law analogue need not be an ‘exact duplicate.'” (quoting TransUnion, 594 U.S. at 424)). Regardless, Pharm-Save does not argue that the tort of public disclosure is dissimilar based on the “publicity” requirement.
In fact, it does not appear that Pharm-Save challenges Plaintiffs' contention that “traditionally recognized privacy torts” are sufficient common law analogs. See [R. 171, p. 24]; [R. 176]. Instead, Pharm-Save challenges Plaintiffs' “claim that their concrete injury is invasion of the privacy from the data disclosure itself.” [R. 176, p. 3]. The Court understands that Pharm-Save makes this argument in response to Plaintiffs' reference to “the violation of class members' very privacy interests themselves” as a separate concrete harm resulting from the risk of future identity theft, see [R. 171, p. 25], an issue which is addressed below. Pharm-Save then argues that, because the Court has dismissed Plaintiffs' claims for invasion of privacy (presumably referring to the intrusion upon seclusion claim), Plaintiffs “have no cognizable loss of privacy” so they should not be able to claim that “they have suffered a concrete injury due to invasion of privacy.” Id. From the best the Court can tell, Pharm-Save argues that Plaintiffs cannot rely on any invasion of privacy tort if the Court has already dismissed their claim for that tort. But whether a plaintiff can maintain a separate cause of action for a specific claim is not the inquiry here. Instead, the Court must ask “whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.” TransUnion, 594 U.S. at 424. And as already explained, the Supreme Court has made clear that an exact duplicate is not required. Id.
Because it is not clear exactly what argument Pharm-Save is responding to, the Court considers this statement here in the context of the “common law analog” inquiry. And to the extent Pharm-Save was responding to the “other concrete injury” inquiry, the Court need not address that alleged concrete harm, as Plaintiffs have sufficiently alleged at least two other concrete harms: lost time and mitigation costs. See infra Section II(C)(2)(b)(ii).
Citing TransUnion, Pharm-Save also states that “[a]lthough the alleged injury may be intangible, there must, in that instance, be evidence of a ‘material risk of future harm' to satisfy concreteness.” [R. 167, p. 6]. Pharm-Save makes this statement when describing what constitutes a concrete injury, and it appears to be an inaccurate summarization of TransUnion. See id. Pharm-Save does not expand on this statement or, from what the Court can tell, make any arguments relating to it.
In the present case, the “core injury” is the exposure of Plaintiff's private and highly sensitive PII to unauthorized third parties. See generally Bohnak, 79 F.4th at 285. Like the Third and Second Circuits, this Court finds that this injury “bears some relationship to a well-established common-law analog: public disclosure of private facts.” Id. (citing Restatement (Second) Torts § 652D); see also Clemens, 48 F.4th at 55. That tort imposes liability on “[o]ne who gives publicity to a matter concerning the private life of another . . . if the matter publicized is of a kind that . . . would be highly offensive to a reasonable person, and . . . is not of legitimate concern to the public.” Restatement (Second) of Torts § 652D (March 2024 Update). Here, the undisputed evidence demonstrates that Plaintiffs' W-2 forms were disclosed to an unauthorized third-party during a targeted cyberattack, and those forms included sensitive and personal information that can be used to commit identity theft and fraud (i.e., their names and Social Security numbers). While these facts might not give rise to a cause of action for a privacy tort in this case, the Supreme Court has made clear that, “[i]n looking to whether a plaintiff's asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts,” an exact duplicate is not required. TransUnion, 594 U.S. at 433. The Court therefore finds that, under the facts of this case, the injury at issue has a “close relationship” to “harms traditionally recognized as providing a basis for lawsuits in American courts,” including the harm associated with the tort of public disclosure of private facts, among other privacy torts.
ii. Some Other Concrete Injury
The Court next considers whether the plaintiffs “suffered some other injury” stemming from the risk of future harm (i.e., the risk of future identity theft or fraud). See TransUnion, 594 U.S. at 437. In TransUnion, the Supreme Court suggested that “emotional injury” resulting “from the mere risk that [the plaintiffs'] credit reports would be provided to third-party businesses” would qualify as “some other injury.” Id. In the years following TransUnion, circuit and district courts alike have concluded that emotional injury, lost time, and mitigation costs, among other things, may qualify as “separate concrete, present harm[s]” caused by exposure to the risk of future harm. Webb, 72 F.4th at 376; see also Bohnak, 79 F.4th at 286 (finding that the plaintiff's mitigation costs, lost time, and “other ‘opportunity costs' associated with attempting to mitigate the consequences of the data breach” satisfied the “some other injury” inquiry); Clemens, 48 F. 4th at 158 (explaining that the plaintiff's emotional distress and related therapy costs and the time and money involved in mitigating the fallout of the data breach satisfied the “some other injury” inquiry); Bowen, 2022 WL 4110319, at *5 (finding that the “some other injury” inquiry was satisfied by mitigation costs, lost time, and emotional damages); In re Mednax Servs., Inc., Customer Data Security Breach Litigation, 603 F.Supp.3d 1183, 1203-04 (S.D. Fla. May 10, 2022) (finding that the “some other injury” inquiry was satisfied by emotional distress and lost time); Galaria, 663 Fed.Appx. at 388-89 (finding, in a pre-TransUnion case, that expending time and money to monitor credit, check bank statements, and modify financial accounts after a data breach resulted in “a concrete injury suffered to mitigate an imminent harm, [thereby satisfying] the injury requirement of Article III standing”).
Ignoring this case law (and the record evidence), Pharm-Save states in its reply brief that time and mitigation costs stemming from a data breach “are not recognized ‘other harms.'” [R. 176, p. 5]. Pharm-Save cites to no authority to support this broad statement. And as the Court makes clear above, several circuit and district courts, including the Sixth Circuit in Galaria, have consistently found that such harms qualify as separate concrete injuries resulting from a substantial risk of future harm. Given the above-cited case law and considering Pharm-Save's abject failure to expand upon or support its argument, the Court will expend no further effort discussing this point.
Next, Pharm-Save argues that any present injuries suffered by Plaintiffs (like lost time and mitigation expenses) do not stem from an imminent risk of future harm, and as a result, they cannot qualify as separate “other injuries” for standing purposes. See, e.g., [R. 167, pp. 8-9]. Stated another way, Pharm-Save argues that the plaintiffs “cannot manufacture [an injury] merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id. at 9 (quoting Clapper, 568 U.S. at 416 (citations omitted)). This argument necessarily turns on a finding that the risk of future harm is not imminent. As already explained, however, the Court has determined that there is a substantial risk of future harm, and the imminence requirement is therefore satisfied. See supra Section II(C)(2)(a). Accordingly, the lost time and mitigation costs that Plaintiffs experienced as a result of that substantial risk of future harm are separate, concrete present injuries that satisfy the “some other injury” inquiry.
See, e.g., Clemens, 48 F.4th at 157-58; see also [R. 179-1, pp. 73:10-25, 74-77 (Savidge Depo., explaining that she spent time contacting financial institutions to put temporary freezes on her accounts, set up new PIN codes for those accounts, and so on), 64:24-25 (explaining that she wanted to “continue with Identity Theft Protection”), 77:20-25 (discussing her purchase of Zander Identity Theft Protection)]; [R. 179-2, pp. 45:6-25 (Lynch Depo., discussing her purchase of Zander Identity Theft Protection), 40-42 (discussing meetings she had and contacts she made after the breach); 46:2-14 (explaining that she plans to pay for identity theft protection services for the rest of her life)]; [R. 179-17, p. 55:10-20 (Korczyk Depo., discussing the necessity of continuing to pay for identity theft protection for the foreseeable future)].
In sum, the Court finds that Plaintiffs have developed evidence demonstrating a substantial risk that future harm (namely, identity theft or fraud) will occur, sufficient to satisfy the imminence requirement of the injury-in-fact analysis. Further, that injury is concrete because “the harm involved is sufficiently analogous to harms long recognized at common law like the ‘disclosure of private information.'” Id. at 157 (citing TransUnion, 594 U.S. at 425). And Plaintiffs have demonstrated at least two present concrete harms experienced as a result of the risk of future identity theft, namely, mitigation costs and lost time. Thus, in addition to satisfying the imminence requirement, Plaintiffs' injury is also “concrete.” Stated another way, Plaintiffs have cited to specific facts and evidence of record demonstrating an imminent and concrete injury in fact, and the Court finds that there is no genuine dispute of material fact on the issue of standing with respect to the requested damages for risk of future harm. See generally Dept. of Commerce v. U.S. House of Representatives, 525 U.S. at 329 (explaining that, to survive a motion for summary judgment on standing, the plaintiff must rely on more than “mere allegations of injury,” and must instead establish that there exists no genuine issue of material fact).
The Court again notes that Pharm-Save challenges only the concreteness and imminence requirements of an injury in fact. Pharm-Save does not challenge the particularity requirement of an injury in fact, nor does it challenge the traceability and redressability elements of standing.
D. Plaintiffs' Renewed Motion for Class Certification, [R. 169]
Class actions are “exception[s] to the usual rule that litigation is conducted by and on behalf of the individual named parties only.” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 348 (2011) (quoting Califano v. Yamasaki, 442 U.S. 682, 700-701 (1979)) (internal quotation marks omitted); see also In Re Ford Motor Co., 86 F.4th 723, 725 (6th Cir. 2023) (“By enabling enormous aggregation of claims and parties, class actions represent a significant departure from our constitutional tradition of individual litigation.”) (internal citation and quotation marks omitted). The Court “maintains substantial discretion in determining whether to certify a class, as it possesses the inherent power to manage and control its own pending litigation.” Rikos v. Proctor & Gamble Co., 799 F.3d 497, 504 (6th Cir. 2015) (quoting Beattie v. CenturyTel, Inc., 511 F.3d 554, 559 (6th Cir. 2007)) (internal quotation marks omitted); see also Sandusky Wellness Ctr., LLC v. ASD Specialty Healthcare, Inc., 863 F.3d 460, 466 (6th Cir. 2017). “A district court's decision to certify a class is subject to ‘very limited' review and will be reversed only if a strong showing is made that the district court clearly abused its discretion.” Young v. Nationwide Mut. Ins. Co., 693 F.3d 532, 536 (6th Cir. 2012) (citing Olden v. LaFarge Corp., 383 F.3d 495, 507 (6th Cir. 2004)); see also In re Sonic Corp., No. 20-0305, 2021 WL 6694843, *2 (6th Cir. Aug. 24, 2021) (“Generally, if the district court applies the correct legal framework . . . we review the denial of class certification for abuse of discretion.” (citation omitted)).
“In deciding whether to certify a class, the trial court must undertake a ‘rigorous analysis' to ensure ‘that the prerequisites of Rule 23(a) have been satisfied.'” Lyngaas v. Ag, 992 F.3d 412, 428 (6th Cir. 2021) (quoting General Tel. Co. v. Falcon, 457 U.S. 147, 161 (1982)); see also In re Ford Motor Co., 86 F.4th at 726 (explaining that a district court “should not certify a class unless its ‘rigorous analysis' shows that not one or two, but all four Rule 23(a) prerequisites are met” (citation omitted)). Subsection (a) of Rule 23 contains four prerequisites that must all be met before a class can be certified:
(1) the class is so numerous that joinder of all members is impracticable,
(2) there are questions of law or fact common to the class,
(3) the claims or defenses of the representative parties are typical of the claims or defenses of the class, and
(4) the representative parties will fairly and adequately protect the interests of the class.Fed. R. Civ. P. 23(a). Once those conditions are satisfied, the party seeking certification must also demonstrate that it falls within at least one of the subcategories of Rule 23(b). See Senter v. Gen. Motors Corp., 532 F.2d 511, 522 (6th Cir. 1976); see also Lyngaas, 992 F.3d at 428 (“A plaintiff seeking class certification must show that the class satisfies ‘all four of the Rule 23(a) prerequisites-numerosity, commonality, typicality, and adequate representation-and fall[s] within one of the three types of class actions listed in Rule 23(b).'” (quoting Young, 693 F.3d at 537)).
“The party seeking class certification bears the burden of proof to satisfy Rule 23 certification requirements and must offer significant evidentiary proof that he can meet all four of those criteria, where they are contested.” Hall v. Oakland Cnty., No. 20-12230, 2024 WL 209702, at *6 (E.D. Mich. Jan. 19, 2024) (citing In re Ford Motor Co., 86 F.4th at 726; In re Am. Med. Sys., Inc., 75 F.3d 1069, 1079 (6th Cir. 1996)) (cleaned up). Importantly, “[a] class is not maintainable as a class action by virtue of its designation as such in the pleadings.” In re Am. Med. Sys., 75 F.3d at 1079 (citation omitted).
1. Class Definition
Before turning to the requirements of Rule 23, the Court finds it helpful to first define the class. See Taylor v. CSX Transp., Inc., 264 F.R.D. 281, 286 (N.D. Ohio 2007) (“In reviewing a motion for class certification, the Court must first identify the purported ‘class' and determine that the named plaintiffs are members of the class.”). Importantly, “[t]he class definition must specify ‘a particular group at a particular time frame and location who were harmed in a particular way' and define the class so that its membership can be objectively ascertained.” Id. (quoting Edwards v. McCormick, 196 F.R.D. 487, 491 (S.D. Ohio 2000)).
Plaintiffs' proposed class is defined as follows:
All persons who, like ANDREA SAVIDGE and BETH A. LYNCH, were the victims of a data security breach that occurred on or about March 3, 2016, wherein their sensitive and personal data was compromised.[R. 169-1, p. 16].
Pharm-Save challenges Plaintiffs' definition of the class, but that argument appears to rely entirely on the standing and injury questions already resolved by the Court. See [R. 178, pp. 14-16]; supra Section II(C)(2). Pharm-Save does not argue that the class, as defined by Plaintiffs, is not definite enough or that it would be difficult to determine whether a given individual is a member of that class.
However, to ensure that each class member may ultimately demonstrate standing (i.e., a cognizable injury in fact), and to avoid eventual “predominance” issues as discussed below, the Court will modify the proposed class definition as follows:
All persons who, like ANDREA SAVIDGE and BETH A. LYNCH, were the victims of the Pharm-Save data security breach that occurred on or about March 3, 2016, wherein their sensitive and personal data was compromised, and who suffered an actual, present injury from the breach, or who otherwise incurred costs or lost time mitigating the risk of future harm resulting from that data breach.
These individuals appear to be known and easily identifiable, as the parties do not dispute that the Pharm-Save employee emailed W-2s for three-hundred and forty-three known individuals during the data breach. See [R. 169-1, p. 21]; [R. 178, p. 21]. The Court therefore finds that “membership in this class can be objectively determined,” and further finds that Plaintiffs Savidge and Lynch are members of this defined class. Taylor, 264 F.R.D. at 286.
2. Certification Under Rule 23(a)
As noted above, Plaintiffs “must establish all four prerequisites of Federal Rule of Civil Procedure 23(a)-numerosity, commonality, typicality, and adequacy.” In re Sonic Corp., 2021 WL 6694843, at *2 (citations omitted). The Court considers each of these prerequisites in turn.
a. Numerosity
Rule 23(a)(1) requires that a class be “so numerous that joinder of all members is impracticable.” Fed.R.Civ.P. 23(a)(1); see also In re Ford Motor Co., 86 F.4th at 727. “There is no strict numerical test for determining impracticability of joinder.” In re Am. Med. Sys., Inc., 75 F.3d at 1079 (citation omitted). Rather, the numerosity requirement will be met “so long as general knowledge and common sense indicate that joinder would be impracticable.” Young, 693 F.3d at 541 (internal citation and quotation marks omitted). However, “[w]here the number of class members exceeds forty, Rule 23(a)(1) is generally deemed satisfied.” Ham v. Swift Transp. Co., Inc., 275 F.R.D. 475, 483 (W.D. Tenn. 2011) (citations omitted); see also Daffin v. Ford Motor Co., 458 F.3d 549, 552 (6th Cir. 2006) (noting “substantial” numbers usually satisfy numerosity requirement).
In some cases, the number of potential class members alone may be sufficient to demonstrate numerosity. Id. (citation omitted). But apart from class size, the Court may consider other “factors relevant to the joinder impracticability issue,” which “include judicial economy arising from avoidance of a multiplicity of actions, geographic [disbursement] of class members, size of individual claims, financial resources of class members, the ability of claimants to institute individual suits, and requests for prospective injunctive relief which would involve future class members.” Id. (internal citation and quotation marks omitted). Importantly, “[t]he numerosity requirement requires examination of the specific facts of each case and imposes no absolute limitations.” Gen. Tel. Co. of the Northwest, Inc. v. Equal Employment Opportunity Commission, 446 U.S. 318, 329-30 (1980).
In the present case, the parties do not dispute that the Pharm-Save employee emailed W-2s for three-hundred and forty-three individuals during the data breach. See [R. 169-1, p. 21]; [R. 178, p. 21]. Plaintiffs contend that, based on these numbers and the fact that these victims are scattered across two states (Kentucky and North Carolina), the proposed class “is sufficiently numerous such that joinder would be impracticable.” [R. 169-1, p. 21]. In response, Pharm-Save argues that numerosity is “not necessarily” satisfied by the sheer number of victims, and the Court should instead “consider those threshold principles that substantially reduce this number on the front end-principles like standing and the law of this case.” [R. 178, p. 21]. Pharm-Save expends no further effort on developing this argument. From what the Court can tell, Pharm-Save argues that only a small number of the three-hundred and forty-three data breach victims have suffered actual misuse of their stolen data, and as a result, most of the putative class member will ultimately lack standing to pursue damages. But this argument hinges on Pharm-Save's standing and risk-of-future-harm arguments, which the Court has already addressed and disposed of.
The Court finds that the numerosity requirement of Rule 23(a) is satisfied in this case. Here, based on the sheer number of data breach victims alone, joinder is impracticable. See Versen v. City of Detroit, No. 21-11545, 2023 WL 5042169, at *2 (E.D. Mich. Aug. 8, 2023) (finding group of “more than 56 people” to be “sufficiently numerous to satisfy this [numerosity] requirement”); Mitcham v. Intrepid U.S.A., Inc., No. 3:17-CV-703-CHB, 2019 WL 2269918, *3 (W.D. Ky. May 28, 2019) (finding that joinder “would certainly be impracticable” where putative settlement class contained one-hundred thirty-four persons). Further, other factors also support the numerosity analysis in this case, including judicial economy and the avoidance of multiple actions, the likely inability of the plaintiff litigants to maintain individual actions, and the geographic disbursement of the class members across two states. See generally Ham, 275 F.R.D. at 484 (“Taking the number of potential class members into account along with all other relevant considerations-specifically, the likely inability of the plaintiff litigants to maintain individual actions, the need to avoid a multiplicity of actions, and the interests of judicial economy-the Court concludes that the membership of the putative class is so numerous as to make joinder of all members impractical.”).
Accordingly, the Court finds the numerosity requirement to be satisfied.
b. Commonality
To establish the commonality requirement, the named plaintiffs must show that “there are questions of law or fact common to the class.” Fed.R.Civ.P. 23(a)(2); see also In re Ford Motor Co., 86 F.4th at 727 (explaining that, “[t]o represent a class under Rule 23, a named plaintiff must ‘affirmatively demonstrate' four characteristics,” one of which is that “[c]ommon questions of law or fact [] exist” (quoting Wal-Mart Stores, 564 U.S. at 350)). More specifically, the claims of the class “‘must depend on a common contention . . . of such a nature that it is capable of classwide resolution-which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.'” Young, 693 F.3d at 542 (quoting Wal-Mart Stores, 564 U.S. at 350). As the Sixth Circuit has explained, Plaintiffs “must show that there is a common question that will yield a common answer for the class (to be resolved later at the merits stage), and that that common answer relates to the actual theory of liability in the case.” Rikos, 799 F.3d at 505. Importantly, “there need be only one common question to certify a class.” In re Whirlpool Corp. Front-Loading Washer Prod. Liab. Litig., 722 F.3d 838, 853 (6th Cir. 2013) (citation omitted). Moreover, the “mere fact that questions peculiar to each individual member of the class remain after the common questions of the defendant's liability have been resolved does not dictate the conclusion that a class action is impermissible.” Taylor, 264 F.R.D. at 288 (quoting Sterling v. Velsicol Chem. Corp., 855 F.2d 1188, 1197 (6th Cir. 1998)).
In this case, common issues relating to Pharm-Save's liability include (but are certainly not limited to) whether and to what extent Pharm-Save owed a duty to the class members and whether it breached that duty, and the existence and breach of any implied contract between Pharm-Save and the class members. Stated another way, there exist common questions of whether Pharm-Save's conduct was negligent or a contractual breach “and whether it caused a data security breach that resulted in theft of [employees'] data and reasonably prompted [employees'] to take mitigation measures” or expend time to deal with the fallout of the breach. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 27 (D. Me. 2013). These questions all arise from the 2016 data breach. As such, the questions of facts necessary to resolve these questions are common to the class, or “identical for each potential class member.” Taylor, 264 F.R.D. at 289. And “[a]nswering these questions will resolve issues that are ‘central to the validity of each one of the claims in one stroke.'” In re Hannaford Bros., 293 F.R.D. at 27. “In light of the low bar set by Rule 23(a)(2), this is enough for” Plaintiffs to demonstrate commonality. Smith v. Triad of Alabama, LLC, No. 1:14-CV-324-WKW, 2017 WL 1044692, at *8 (M.D. Ala. Mar. 17, 2017), on reconsideration in part, No. 1:14-CV-324-WKW, 2017 WL 3816722 (M.D. Ala. Aug. 31, 2017).
And importantly, Pharm-Save does not dispute that there are common issues among the class members. See [R. 178, p. 22]. Instead, it argues that “individualized issues of causation and injury will be more determinative of the outcome of this matter than the common issues.” Id. As already explained, however, “even one common question is sufficient to satisfy the commonality requirement, despite the existence of individual questions.” Taylor, 264 F.R.D. at 288 (citing Sprague v. General Motors Corp., 133 F.3d 388, 397 (6th Cir. 1998); Sterling, 855 F.2d at 1197); see also In re Whirlpool, 722 F.3d at 853. Those individual questions “are more appropriately discussed in the Court's Rule 23(b) analysis.” Taylor, 264 F.R.D. at 288; see also supra Section II(D)(3)(a) (discussing predominance requirement of Rule 23(b)).
Moreover, in other data breach cases, courts have found the commonality requirement satisfied, so long as there existed at least one common issue of law or fact. See, e.g., In re Sonic, 2021 WL 6694843, at *3 (rejecting argument that commonality, typicality, predominance, and superiority requirements were not satisfied, noting that the alleged elements of the negligence claim “all arise from common questions,” despite individual damages questions); see also Corra v. ACTS Ret. Servs., Inc., No. CV 22-2917, 2024 WL 22075, at *3 (E.D. Pa. Jan. 2, 2024) (“Here, every single member of the proposed class was a victim of the Data Security Incident underlying this action, so there are multiple common questions, including ‘how the data breach occurred, whether [Defendant] had a duty to protect [the information], and whether [Defendant's employees and customers] were harmed by the breach.'” (citation omitted)). For example, in In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 293 F.R.D. 21, 26-27 (D. Me. 2013), the Court explained,
Whether [the defendant's] conduct was negligent or a contractual breach and whether it caused a data security breach that resulted in theft of customers' data and reasonably prompted customers to take mitigation measures are questions that are common among all the class members. Answering these questions will resolve issues that are “central to the validity of each one of the claims in one stroke.” While the losses of each class member may not be identical in amount or type, [the defendant's] action or inaction that allegedly produced the loss is the same, and the economic injuries are similar. Thus, there are questions of law and fact common to the class, and the commonality requirement is satisfied.Id. at 27.
Similarly, in this case, there are common issues of law and fact, as discussed above. The Court therefore finds that the commonality requirement of Rule 23(a) is satisfied.
c. Typicality
Rule 23(a)(3) requires Plaintiffs to show that “the claims or defenses of the representative parties are typical of the claims or defenses of the class.” Fed.R.Civ.P. 23(a)(3); see also In re Ford Motor Co., 86 F.4th at 727 (“The named plaintiff's claims must be typical of those of the class.” (citing Fed.R.Civ.P. 23(a)(3)). Importantly, typicality looks to “whether a sufficient relationship exists between the injury to the named plaintiff and the conduct affecting the class, so that the court may properly attribute a collective nature to the challenged conduct.” Sprague, 133 F.3d at 399 (citation omitted). Thus, “a claim is typical if ‘it arises from the same event or practice or course of conduct that gives rise to the claims of other class members, and if his or her claims are based on the same legal theory.'” Beattie, 511 F.3d at 561 (quoting In re Am. Med Sys., Inc., 75 F.3d at 1082).
On the other hand, “the typicality requirement is not satisfied when a plaintiff can prove his own claim but not ‘necessarily have proved anybody's else's claim.'” Id. (quoting Sprague, 133 F.3d at 399); see also Reeb v. Ohio Dept. of Rehab & Corr., 435 F.3d 639, 644-45 (6th Cir. 2006) (explaining that typicality is not met if the named plaintiff does not represent an adequate cross-section of the claims asserted by the class). That said, “for the district court to conclude that the typicality requirement is satisfied, ‘a representative's claim need not always involve the same facts or law, provided there is a common element of fact or law.'” Beattie, 511 F.3d at 561 (quoting Senter, 532 F.2d at 525 n.31). “The premise of the typicality requirement is simply stated: as goes the claim of the named plaintiff, so go the claims of the class.” Id.
The U.S. Supreme Court and the Sixth Circuit Court of Appeals have recognized that “[t]he commonality and typicality requirements of Rule 23(a) tend to merge.” Rikos, 799 F.3d at 509 (quoting Wal-Mart Stores, 564 U.S. at 349 n.5) (internal quotation marks omitted). And similar to the commonality requirement, typicality may be satisfied even if some evidence, defenses, or injuries vary among the class. See Beattie, 511 F.3d at 561 (citation omitted).
In the present case, Pharm-Save argues that the typicality requirement is not satisfied because “[r]esolving the claims of Plaintiffs Savidge and Lynch would not resolve the claims of any other putative class members” due to the “wide variation in evidence relating to causation, injury, and damages that would be individualized across the entire putative class.” [R. 178, p. 25]. While Pharm-Save cites to several non-data-breach cases to support this argument, the Court notes that, in several data breach cases, courts have found the typicality requirement satisfied. See In re Sonic, 2021 WL 6694843, at *3 (rejecting argument that commonality, typicality, predominance, and superiority requirements were not satisfied, noting that the alleged elements of the negligence claim “all arise from common questions,” despite individual damages questions); Carroll v. Macy's, Inc., No. 2:18-CV-01060-RDP, 2020 WL 3037067, at *10, n.8 (N.D. Ala. June 5, 2020) (explaining that “the claims alleged against Macy's adversely affected Plaintiff and other Settlement Class Members ‘in the same general fashion,' and those claims were “indeed typical of the claims of the entire class”); In re Hannaford Bros., 293 F.R.D. at 2729 (finding typicality requirement satisfied, even where individualized damages questions existed).
As already noted, there exist common questions of whether Pharm-Save's conduct was negligent or a contractual breach “and whether it caused a data security breach that resulted in theft of [employees'] data and reasonably prompted [employees'] to take mitigation measures” or expend time to deal with the fallout of the breach. In re Hannaford Bros., 293 F.R.D. at 27; see also supra Section II(D)(2)(b). On these issues of liability, the named plaintiffs are “entirely typical of the class,” Id., and Pharm-Save does not argue otherwise. In other words, Pharm-Save's liability turns on questions common to all class members.
Instead, “[w]here things differ is in the economic impact on various class members.” In re Hannaford Bros., 293 F.R.D. at 27. Some of the data breach victims suffered actual misuse of their PII, for example, through fraudulently filed tax returns, but perhaps others did not. Some took advantage of the free credit monitoring offered by Experian, while others did not. Some purchased additional credit monitoring services at their own expense, and others did not.
However, here, “the fact of damages [is] a question common to the class even if the amount of damages sustained by each individual class member varie[s].” In re Sonic Corp., 2021 WL 6694843, at *3 (quoting In re Scrap Metal Antitrust Litig., 527 F.3d 517, 535 (6th Cir. 2007)) (internal quotation marks omitted) (emphasis added). And “damages that vary from one class member to the next do not necessarily make for an atypical class.” Smith, 2017 WL 1044692, at *9 (citation omitted). Instead, “so long as the Named Plaintiffs and putative class members ‘have an interest in prevailing on similar legal claims,' a ‘difference[ ] in the amount of damages claimed' will not defeat typicality.” Id. (quoting Wright v. Circuit City Stores, Inc., 201 F.R.D. 526, 543 (N.D. Ala. 2001)). Thus, in similar data breach cases, courts have determined that individualized inquiries into the amount of damages for each class member does not defeat typicality (or commonality or predominance). In re Sonic, 2021 WL 6694843, at *3; see also infra Section II(D)(3)(a) (discussing this same issue in the context of Rule 23(b)(3)'s predominance requirement).
The same is true of the individualized causation issues. See infra Section II(D)(3)(a) (discussing this same issue in more detail in the Court's Rule 23(b)(3) predominance analysis). While some of the class members may have had their PII stolen or disclosed in events completely unrelated to the Pharm-Save data breach, it is also true that, based on the definition of the class set forth below, every class member had their highly sensitive PII disclosed in the 2016 Pharm-Save data breach and every class member suffered a cognizable injury in fact. While the amount of damages may vary from class member to class member for various reasons, including whether they were victims of a separate data breach, the fact of damages remains a common issue among the class. See In re Sonic Corp., 2021 WL 6694843, at *3. Simply put, then, by proving their own claims, Savidge and Lynch will necessarily have proved the claims of the other class members. Beattie, 511 F.3d at 561.
Accordingly, the Court finds that the typicality requirement is satisfied.
d. Fair and Adequate Protection of the Class
Lastly, Rule 23(a) permits certification if “the representative parties will fairly and adequately protect the interests of the class.” Fed.R.Civ.P. 23(a)(4); see also In re Ford Motor Co., 86 F.4th at 727 (“[T]he named plaintiff must be prepared to ‘fairly and adequately protect' the class's interests.” (citing Fed.R.Civ.P. 23(a)(3))). “This requirement is essential to due process because a final judgment in a class action is binding on all class members.” Cmty. Refugee & Immigr. Servs. v. Registrar, Ohio Bureau of Motor Vehicles, 334 F.R.D. 493, 505 (S.D. Ohio 2020) (citing In re Am. Med. Sys., 75 F.3d at 1083). To satisfy this requirement, “[a] class representative must be part of the class and possess the same interest and suffer the same injury as the class members.” Beattie, 511 F.3d at 562 (quoting Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 625-26 (1997)). The Sixth Circuit has articulated two criteria for determining the adequacy of representation: (1) “[t]he representative must have common interests with unnamed members of the class,” and (2) “it must appear that the representative will vigorously prosecute the interests of the class through qualified counsel.” Senter, 532 F.2d at 525 (citation omitted).
Pharm-Save does not challenge the second of these criteria. [R. 178, p. 27 (noting that it “does not disparage the capabilities of Plaintiffs' counsel to represent parties in class action litigation” and making no further argument on this point)]. Moreover, Plaintiffs' counsel represents that it has extensive experience in prosecuting complex litigation, including class action and other data breach cases. [R. 169-1, p. 28]. The Court is not aware of any facts suggesting that Plaintiffs' counsel is unqualified or unwilling to vigorously represent the interests of the class in this case. Accordingly, this second criteria is easily satisfied.
Turning to the first criteria-that the named plaintiffs have common interests with the unnamed class members-the Court finds this requirement is also satisfied. On this point, Pharm-Save discusses a case in which a conflict of interest was found between the named plaintiffs and the unnamed class, but it does not appear to argue that any such conflict exists in this case. See [R. 178, p. 28]. Instead, it appears that Pharm-Save argues that the named plaintiffs and the unnamed class members suffered different injuries. Specifically, Pharm-Save argues that Savidge and Lynch are “the only employees known at this time who sustained any out-of-pocket expenses.” Id. To the extent that this argument relies on the Court's previous ruling that the named plaintiffs must demonstrate out-of-pocket expenses in order to pursue damages for a risk of future harm, that issue has already been addressed. See supra Section II(C)(2). The Court has clarified that, after TransUnion, out-of-pocket expenses are not necessary to pursue damages for a risk of future harm. See supra Section II(C)(2). As the Court has explained, and as the case law demonstrates, a plaintiff suffers an injury in fact when he demonstrates a future risk of harm that is imminent and concrete. See supra Section II(C)(2). To be concrete, a future risk of harm need not cause out-of-pocket expenses, and can instead cause “some other injury,” i.e., a present and concrete harm, which can include emotional damage, mitigation costs, or lost time. See, supra Section II(C)(2); TransUnion, 594 U.S. at 437; Bohnak, 79 F.4th at 286; Webb, 72 F.4th at 376-77; Clemens, 48 F.4th at 156.
In the present case, the named plaintiffs have sufficiently demonstrated that they suffered a future risk of harm that is both imminent and concrete. See supra Section II(C)(2). Based on the definition of the class as defined by the Court above, see supra Section II(D)(1), the named plaintiffs will share this injury with the unnamed class members. In other words, the plaintiffs seek compensation for the same injuries that the class members seek to address, specifically for injuries associated with the 2016 data breach. See In re Equifax Inc. Customer Data Security Breach Litig., 999 F.3d 1247, 1275-76 (11th Cir. 2021). Thus, the plaintiffs' and the class members' claims all arise out of “the same unifying event,” namely, the 2016 data breach. There is “no dispute that the data breach harmed all class members and made none better off.” Id. (citation omitted). And the Court is not aware of any “fundamental” conflicts “going to the specific issues in controversy.” Id. (quoting Valley Drug Co. v. Geneva Pharms., LLC, 350 F.3d 1181, 1189 (11th Cir. 2003)); see also In re Anthem, Inc. Data Breach Litig., 327 F.R.D. 299, 309-11 (N.D. Cal. 2018) (finding the adequacy requirement satisfied where all class members had their personal information compromised in the data breach and generally sought the same relief). Accordingly, the Court finds that the named plaintiffs, Savidge and Lynch, share common interests and injuries with the unnamed class members. Both criteria of this “adequate representation” element of Rule 23(a) are thereby satisfied.
To summarize the Court's ruling under Rule 23(a), the Court finds that the rule's numerosity, commonality, typicality, and adequate representation requirements are all satisfied.
3. Certification Under Rule 23(b)(3)
As previously stated, even where all four requirements of Section 23(a) are met, class certification is not appropriate unless one of the three categories of Rule 23(b) also applies. Senter, 532 F.2d at 522; Lyngaas, 992 F.3d at 428. More specifically, Rule 23(b)(3) requires a finding “that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy.” Fed.R.Civ.P. 23(b)(3); see also In re Am. Med. Sys., 75 F.3d at 1084. Lastly, “[t]he Sixth Circuit has held that ‘Rule 23(b)(3) classes must also meet an implied ascertainability requirement.'” Costello v. Mountain Laurel Assurance Co., No. 2:22-CV-35, 2024 WL 239849, at *11 (E.D. Tenn. Jan. 22, 2024) (quoting Hicks v. State Farm Fire & Cas. Co., 965 F.3d 452, 464 (6th Cir. 2020))
a. Predominance
Rule 23(b)(3)'s requirement that common questions of law or fact predominate over individual ones is similar to but “far more demanding” than Rule 23(a)'s commonality requirement. See Amchem Prods., 521 U.S. at 623-24 (citation omitted). Indeed, “[t]he requirement that ‘common' issues predominate over individual issues assures that the goal of judicial economy is served in fact, not just in theory.” Kelly, 2007 WL 4562913, at *5 (quoting In re Am. Med. Sys., 75 F.3d at 1085). To satisfy the predominance requirement, “‘a plaintiff must establish that issues subject to generalized proof and applicable to the class as a whole predominate over those issues that are subject to only individualized proof.'” Young, 693 F.3d at 544 (quoting Randleman v. Fidelity Nat'l Title Ins. Co., 646 F.3d 347, 352-53 (6th Cir. 2011)).
Even where individualized damages assessments must be performed, “‘a class may obtain certification under Rule 23(b)(3) when liability questions common to the class predominate over damages questions unique to class members.'” In re Whirlpool Corp., 722 F.3d at 861 (quoting Comcast Corp. v. Behrend, 569 U.S. 27, 42-43 (2013)). “In conducting the predominance inquiry, courts must take into account the claims, defenses, relevant facts, and applicable substantive law, to assess the degree to which resolution of the class-wide issues will further each individual class member's claim against the defendant.” Hosp. Auth. of Metro. Gov't of Nashville & Davidson Cnty., Tennessee v. Momenta Pharms., Inc., 333 F.R.D. 390, 405 (M.D. Tenn. 2019) (internal citations and quotation marks omitted).
“To evaluate predominance, ‘[a] court must first characterize the issues in the case as common or individual and then weigh which predominate.'” Martin v. Behr Dayton Thermal Prod. LLC, 896 F.3d 405, 413 (6th Cir. 2018) (quoting 2 William B. Ruebstein, Alba Conte, & Herbert B. Newberg, Newberg on Class Actions § 4:50 (5th ed. 2010)). With respect to this inquiry, the U.S. Supreme Court has offered, and the Sixth Circuit has endorsed, the following guidance:
An individual question is one where members of a proposed class will need to present evidence that varies from member to member, while a common question is one where the same evidence will suffice for each member to make a prima facie showing or the issue is susceptible to generalized, class-wide proof. The predominance inquiry asks whether the common, aggregation-enabling, issues in the case are more prevalent or important than the non-common, aggregationdefeating, individual issues. When one or more of the central issues in the action are common to the class and can be said to predominate, the action may be considered proper under Rule 23(b)(3) even though other important matters will have to be tried separately, such as damages or some affirmative defenses peculiar to some individual class members.Id. (quoting Tyson Foods, Inc. v. Bouaphakeo, 577 U.S. 442, 453 (2016)).
Pharm-Save's arguments relating to predominance largely mirror its arguments relating to commonality and typicality. More specifically, it argues that “Plaintiffs simply cannot establish that common issues predominate over individualized inquiries in this matter,” including “individualized questions of causation and damages.” [R. 178, p. 34]. To support its point, Pharm-Save points to district court cases out of this circuit, none of which involved data breaches and many of which involved a wide variety of individualized issues not present in this case. Id. at 31-32.
For example, in Taylor v. CSX Transportation, Inc., 264 F.R.D. 281 (N.D. Ohio 2007), the Court found predominance lacking where “significant individual questions [were] at issue.” Id. at 294 (citation omitted). Those questions included
(1) issues of injury (whether Plaintiffs suffer from asthma, emphysema, or COPD, as well as whether Plaintiffs suffer mental distress or a fear of cancer); (2) issues of causation (for example, showing any of the above injuries were caused or exacerbated by the diesel exhaust); (3) issues of defenses (whether claims are barred because of the statute of limitations or releases); (4) issues of comparative negligence; and (5) issues relating to claims based on FELA negligence, not LIA negligence per se.Id. These issues, the district court explained, “will necessitate discussion of Plaintiffs' different medical history, family history, social history, risk factors, length of exposure, symptoms and treatment, and prior diesel claims or releases.” Id. The court continued, “While each of these individual issues alone may not preclude class certification under Rule 23(b)(3), when viewed together they not only predominate, but overwhelm the common questions Plaintiffs seek to certify.” Id.; see also Johnson v. ITS Financial LLC, 314 F.R.D. 441, 448 (S.D. Ohio 2015) (noting that “the imposition of additional taxes, penalties, and interest may have resulted from any number of errors, omissions, or irregularities-including mere negligence, oversight, or even the taxpayer's own fraud” and “ascertaining whether putative class members suffered injury and whether such injury was caused-or to what extent it was caused-by Defendants' allegedly fraudulent conduct would require extensive analysis of each putative class members' tax returns”). Here, on the other hand, there exist some individualized questions relating to damages and even causation, but those questions are not so numerous or complicated as to “overwhelm the common questions” relating to liability.
Pharm-Save does point to one data breach case to support its predominance arguments, relying on the out-of-circuit district court case McGlenn v. Driveline Retail Merchandise, Inc., No. 18-CV-2097, 2021 WL 165121, (C.D. Ill. Jan. 19, 2021). Much like in the present case, in the McGlenn case, a defendant's payroll department fell victim to an email phishing scam, where a criminal posing as the company's Chief Financial Officer requested copies of all employees' W-2s. McGlenn, 2021 WL 165121, at *1. The employee complied with the request and tendered the files via email without encryption or password protection. Id. The plaintiff sued for negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, and violation of Illinois consumer protection statutes. Id. at *3. On the plaintiff's renewed motion for class certification, the court found that the commonality requirement (and relatedly, the predominance requirement) was not met. Id. at *5, *10. Acknowledging that “an individual inquiry on damages is typical for class actions” the court nevertheless found that those “[i]individualized issues on causation, injury, and damages will require more than the common questions.” Id. at *6. In other words, the court recognized that while individual damages inquiries will not necessarily defeat commonality, where individualized issues “require more” than those common among the class, the common issues will not predominate.
This case presents similar facts to McGlenn and similar concerns over the individualized nature of the causation and damages inquiries. Regarding damages, several circuits, including the Sixth Circuit, have “said that variations in damages do not prevent class certification.” In re Hannaford Bros., 293 F.R.D. at 30 (referencing cases out of the First, Fourth, Ninth, and Sixth Circuits) (emphasis added); Beattie, 511 F.3d at 564 (“[C]ommon issues may predominate when liability can be determined on a class-wide basis, even when there are some individualized damage issues.” (citation omitted)). Accordingly, district courts out of this circuit have held that, “if common issues predominate, class certification should not be denied simply because individual class members are entitled to differing damages.” Versen, 2023 WL 5042169, at *5 (citations omitted). Thus, in a typical case within this circuit, “it remains the black letter rule that a class may obtain certification under Rule 23(b)(3) when liability questions common to the class predominate over damages questions unique to class members.” Id. (quoting In re Whirlpool, 722 F.3d at 861) (internal quotation marks omitted). Consequently, “[w]hen adjudication of questions of liability common to the class will achieve economies of time and expense, the predominance standard is generally satisfied even if damages are not provable in the aggregate.” Id. (quoting In re Whirlpool, 722 F.3d at 860) (internal quotation marks omitted). Indeed, “[i]n class action suits involving individualized damage determinations, the Sixth Circuit has explained that Rule 23 permits district courts to utilize several solutions to address individualized damages, including bifurcating the issues of liability and damages, utilizing a special master to determine damages, or employing a formula for damage calculation.” Id. at *6 (citing Olden v. LaFarge Corp., 383 F.3d 495, 509 (6th Cir. 2004); Hicks v. State Farm Fire & Cas. Co., 965 F.3d 452, 460 (6th Cir. 2020)). Given the Sixth Circuit precedent on this issue, the Court finds that “the prospect of individualized damages does not preclude Plaintiffs from clearing the predominance hurdle.” Id.
“While case law is legion that individual questions of the amount of each class member's damages will not preclude certification, the causation-related determination of whether class members were injured at all by the defendants-the fact of damage-ordinarily must be amenable to classwide disposition in order for predominance to be satisfied.” 1 McLaughlin on Class Actions § 5:23 (20th ed.). The Sixth Circuit recently considered this issue. In In re Sonic Corporation, No. 20-0305, 2021 WL 6694843 (6th Cir. 2021), various financial institutions brought a putative class action to recover economic damages arising from reissuing customers' cards and reimbursing customers' bank accounts following a data breach. Id. at *1. The district court certified the class. Id. Seeking to appeal that order, the defendant argued that commonality, typicality, predominance, and superiority could not be established “because individualized issues abound based on a financial institution's response and whether the response was directly attributable to the breach,” or in other words, whether the financial institution's comparative fault played a role in its injuries. Id. at *3. The Sixth Circuit quickly disposed of this argument, explaining,
In In re Sonic, the Sixth Circuit considered the defendant's petition for permission to appeal under Federal Rule of Appellate Procedure 5, and in doing so, it was permitted to consider any relevant factors that it found persuasive, including “whether the petitioner is likely to succeed on appeal under the deferential abuse-of-discretion standard.” 2021 WL 6694843, at *1 (citation omitted).
Here, the alleged elements of a negligence claim-duty, breach, and causation- all arise from common questions: whether Sonic's internal data security measures and its remote access policy caused the data breach, leading to the issuance of the alerts and actions by the plaintiffs to limit or reimburse harms. Whether the Financial Institutions' responses were prompted by the Sonic data breach goes directly to the merits of causation. But merits questions need only be considered at the certification stage to the extent they are relevant to determining if the Rule 23 prerequisites for certification are satisfied. Amgen Inc. v. Conn. Ret. Plans & Tr.Funds, 568 U.S. 455, 466 (2013). At the present stage of the proceedings, the Financial Institutions need only show “that they can prove ... that all members of the class have suffered the same injury.” Rikos, 799 F.3d at 505 (internal quotation marks omitted). Here, “the fact of damages [is] a question common to the class even if the amount of damages sustained by each individual class member varie[s].” In re Scrap Metal Antitrust Litig., 527 F.3d 517, 535 (6th Cir. 2007) (internal quotation marks omitted). To the extent a financial institution's comparative fault plays a role, that impacts the calculation of damages, not the issue of liability. See [In re Target Corp. Customer Data Breach Littig., 309 F.R.D. 482, 488-89 (D. Minn. 2015)].2021 WL 6694843 at *3; see also Hicks, 965 F.3d at 459-63 (identifying several individualized questions relating to damages but finding that these individualized issues did not predominate over common questions of liability); Beattie, 511 F.3d at 564 (“[C]ommon issues may predominate when liability can be determined on a class-wide basis, even when there are some individualized damage issues.” (citation omitted)).
Similarly, in the present case, Pharm-Save's liability for negligence and/or breach of implied contract arises from common questions. For example, with respect to negligence, common questions include whether Pharm-Save owed a duty to the class members and whether it breached that duty. Whether Pharm-Save's breach of that duty caused injury to the class members is also a common question, even if there also exists other individualized questions about causation (e.g., whether a class member was a victim of another unrelated data breach that might increase the risk of future harm, see [R. 178, p. 33]). And the fact of damages is a question common to the class, as it is defined herein. This is true even if the specific amount of damages sustained by each individual class member may ultimately vary because, for example, they were involved in other data breaches as Pharm-Save argues. But to the extent those issues are relevant, they “impact[] the calculation of damages, not the issue of liability.” Id. (citation omitted). In other words, Pharm-Save's concerns do not require a “causation-related determination of whether class members were injured at all by the defendants.” 1 McLaughlin on Class Actions § 5:23 (20th ed.) (emphasis added). Instead, the issues cited by Pharm-Save as causation determinations go to individual variations in damages, and, as already explained, such variations in damages do not typically prohibit class certification. See, e.g., Beattie, 511 F.3d at 564; see also Green-Cooper v. Brinker International, Inc., 73 F.4th 883, 984 (11th Cir. 2023) (“Any individual inquiry into particularized damages resulting from the data breach . . . does not predominate over the three categories of common damage inquiries analyzed by the plaintiffs' expert.”). Stated another way, “the questions of causation in this case are bound up in the questions of damages, and because causation plays only a minor role in the larger controversy, common questions predominate in this class action.” Smith, 2017 WL 1044692, at *14; see also Corra, 2024 WL 22075, at *5 (“Although there may be slight differences among class members regarding degree of damages or the exact type of injury suffered (e.g., breach of sensitive financial information or breach of health data), none of these differences would preclude resolution on a class-wide basis.”).
With respect to the elements of these causes of action, neither party disputes that Kentucky law applies.
Plaintiffs filed a Notice of Supplemental Authority, citing the Green-Cooper case, on August 22, 2023. [R. 187]. Pharm-Save filed a response to that notice shortly thereafter. [R. 189]. In its response, Pharm-Save attempts to factually distinguish the present case from Green-Cooper, id. at 1-2, before arguing that the type of representative evidence permitted in Green-Cooper (i.e., a common method of calculating damages) is problematic. Id. at 2-4. For support, Pharm-Save relies largely on the dissent in Green-Cooper. But the Court is not persuaded by Pharm-Save's arguments or its reliance on the dissenting opinion. Given the majority opinion in Green-Cooper, and the Court's above analysis regarding predominance, the Court does not believe that Plaintiffs' proposed damages calculation method for risk of future harm, see, e.g., [R. 179-17, pp. 27-33 (Korczyk Depo.)], will present individualized issues that predominate over the myriad issues common to the class. Moreover, Pharm-Save wholly failed to address Plaintiffs' proposed methodology in its response brief, [R. 178], and instead attacked the “averages” calculation method only after Plaintiff provided notice of Green-Cooper.
Accordingly, the Court finds that common questions of law or fact predominate over individual ones, and Rule 23(b)(3)'s predominance requirement is thereby satisfied.
b. Superiority of Class Action
As stated, in addition to the predominance requirement, Rule 23(b)(3) requires that the Court find a class action to be “superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3). The Court considers four factors, enumerated in Rule 23(b)(3), to determine whether Plaintiffs have demonstrated that a class action is the superior means for adjudicating the dispute:
1) whether there would be an interest by individual class members in prosecuting their actions separately; 2) if class members have other litigation pending about the controversy, the extent and nature of that litigation; 3) the desirability of this forum for the action; and 4) what difficulties would be expected in managing the class.Costello, 2024 WL 239849, at *20 (citing Fed.R.Civ.P. 23(b)(3)). The Sixth Circuit Court of Appeals has also instructed:
To determine whether a class action is the superior method for fair and efficient adjudication, the district court should consider the difficulties of managing a class action. The district court should also compare other means of disposing of the suit to determine if a class action is sufficiently effective to justify the expenditure of the judicial time and energy that is necessary to adjudicate a class action and to assume the risk of prejudice to the rights of those who are not directly before the court. Additionally, the court should consider the value of individual damage awards, as small awards weigh in favor of class suits.Martin, 896 F.3d at 415-16 (quoting Pipefitters Local 636 Ins. Fund v. Blue Cross Blue Shield of Mich., 654 F.3d 618, 630-31 (6th Cir. 2011)). The Sixth Circuit has further explained that the purpose of superiority is to “achieve economies of time, effort, and expense, and promote . . . uniformity of decision as to persons similarly situated, without sacrificing procedural fairness or bringing about other undesirable results.” Id. at 415 (quoting Amchem Prods., 521 U.S. at 615) (internal quotation marks omitted).
Pharm-Save does not address Rule 23(b)'s superiority requirement. See [R. 178]. Having reviewed the four factors outlined above and enumerated in Rule 23(b)(3), the Court finds that a class action is the superior method for adjudicating this controversy. As other courts have found in similar data breach cases, this Court likewise finds that, “[g]iven the size of the claims, individual class members have virtually no interest in individually controlling the prosecution of separate actions,” thereby satisfying the first factor. In re Hannaford Bros., 293 F.R.D. at 33-34; see also Fed.R.Civ.P. 23(b)(3)(A) (listing “the class members' interests in individually controlling the prosecution or defense of separate actions”); see also Martin, 896 F.3d at 416 (noting that “the court should consider the value of individual damages awards, as small awards weigh in favor of class suits” (quoting Pipefitters Local 636 Ins. Fund, 654 F.3d at 630-31)). Moreover, the Court is not aware of any related litigation pending in any other court, and the second and third factors therefore weigh in favor of a class action. See In re Hannaford Bros., 293 F.R.D. at 34 (noting that all the litigation had been transferred to that court when addressing the second and third factors); Fed.R.Civ.P. 23(b)(3)(B) (listing “the extent and nature of any litigation concerning the controversy already begun by or against class members”); Fed.R.Civ.P. 23(b)(3)(C) (listing “the desirability or undesirability of concentrating the litigation of the claims in the particular forum”). As for the fourth factor, “the likely difficulties in managing a class action,” the Court understands that this case presents individualized issues regarding causation and damages, but as already explained, those individualized issues do not predominate over the common questions affecting the class. See supra Section II(D)(3)(a). As such, the minimal difficulties in managing this class action do not render a class action inferior under Rule 23(b)(3). See In re Hannaford Bros., 293 F.R.D. at 34 (discussing individualized issues and noting that “[i]ndividual damages will vary, but a lump sum verdict against [the defendant] would establish the fund against which class members could make claims and prove their eligibility”).
Accordingly, the Court finds that a class action is “the superior method for fair and efficient adjudication” in this case. Martin, 896 F.3d at 415 (quoting Pipefitters Local 636 Ins. Fund, 654 F.3d at 630-31). In reaching this conclusion, the Court has considered the difficulties of managing a class action, but believes that “a class action is sufficiently effective to justify the expenditure of the judicial time and energy that is necessary to adjudicate a class action and to assume the risk of prejudice to the rights of those who are not directly before the court.” Id. at 415-16 (quoting Pipefitters Local 636 Ins. Fund, 654 F.3d at 630-31).
c. Ascertainability
Finally, “[t]he Sixth Circuit has held that ‘Rule 23(b)(3) classes must also meet an implied ascertainability requirement.'” Costello, 2024 WL 239849, at *11 (quoting Hicks, 965 F.3d at 464); see also In re Sonic Corp., 2021 WL 6694843, at *2. “A class is ascertainable if the class definition is ‘sufficiently definite so that it is administratively feasible for the court to determine whether a particular individual is a member of the proposed class.'” Costello, 2024 WL 239849, at *11 (quoting Hicks, 965 F.3d at 464); see also Tarrify Properties, LLC v. Cuyahoga Cnty., Ohio, 37 F.4th 1101, 1106 (6th Cir. 2022) (defining ascertainability as “an implied requirement that the putative class members can be readily identified based on the class definition” (citation omitted)).
Neither party directly addresses the ascertainability requirement of Rule 23. However, as discussed above, Pharm-Save challenges Plaintiffs' definition of the class, but that argument appears to rely entirely on the standing and injury questions already resolved by the Court. See [R. 178, pp. 14-16]; supra Section II(D)(1). Pharm-Save does not argue that the class, as defined by Plaintiffs, is not definite enough or that it would be difficult to determine whether a given individual is a member of that class.
As noted above the class definition is as follows:
All persons who, like ANDREA SAVIDGE and BETH A. LYNCH, were the victims of the Pharm-Save data security breach that occurred on or about March 3, 2016, wherein their sensitive and personal data was compromised, and who suffered an actual, present injury from the breach, or who otherwise incurred costs or lost time mitigating the risk of future harm resulting from that data breach.
The Court has already found that this class definition sufficiently defines the class such that its members can be objectively obtained. See supra Section II(D)(I). In the context of Rule 23's ascertainably requirement, the Court again finds this class definition to be “‘sufficiently definite so that it is administratively feasible for the court to determine whether a particular individual is a member of the proposed class.'” Costello, 2024 WL 239849, at *11 (quoting Hicks, 965 F.3d at 464). As noted previously, the parties do not dispute that the Pharm-Save employee emailed W-2s for three-hundred and forty-three individuals during the data breach. See [R. 169-1, p. 21];
[R. 178, p. 21]. These individuals appear to be known and easily identifiable. Accordingly, the Court finds that the ascertainability requirement of Rule 23(b)(3) is satisfied.
To summarize the Court's ruling on class certification under Rule 23(b), the Court finds that common questions of law or fact predominate over individual ones; a class action is superior in this case; and the class is readily ascertainable. Having found that both the requirements of Rule 23(a) and Rule 23(b) are satisfied, the Court will grant the plaintiffs' motion for class certification.
III. CONCLUSION
For the reasons set forth above, the Court will deny Plaintiffs' request for oral argument, [R. 169], [R. 188], and grant the parties' motions seeking leave to exceed the page limit, [R. 170], [R. 177]. Further, the Court concludes that the Plaintiffs have standing to pursue damages for a risk of future harm and will therefore deny Pharm-Save's Renewed Motion for Partial Summary Judgment, [R. 167]. The Court further finds that the requirements of Rule 23(a) and Rule 23(b)(3) are satisfied, and as a result, the Court will grant Plaintiffs' Renewed Motion for Class Certification, [R. 169].
The Court again notes that the trier of fact must ultimately determine if Plaintiffs are entitled to damages for a risk of future harm, and in what amount. The Court's decision here is limited to their standing to pursue such damages.
IT IS HEREBY ORDERED as follows:
1. Plaintiffs Andrea K. Savidge and Beth A. Lynch's Motion for Leave to File Excess Pages for Plaintiffs' Memorandum of Law in Support of Their Renewed Motion for Class Certification, [R. 170], is GRANTED.
2. Defendant Pharm-Save, Inc's Motion for Leave to File Response Brief Exceeding Page Limitation, [R. 177], is GRANTED.
3. Plaintiffs Andrea K. Savidge and Beth A. Lynch's Motion for Oral Argument, [R. 188], is DENIED.
4. Defendant Pharm-Save, Inc.'s Renewed Motion for Partial Summary Judgment. [R. 167] is DENIED.
5. Plaintiffs Andrea K. Savidge and Beth A. Lynch's Renewed Motion for Class Certification and Request for Oral Argument, [R. 169], is GRANTED.