
In re TJX Companies Retail Security Breach Litigation

United States District Court, D. Massachusetts
Nov 29, 2007
246 F.R.D. 389 (D. Mass. 2007)

Summary

refusing to certify a class of banks alleging damages resulting from a retailer's data breach because of individual issues relating to causation

Summary of this case from In re TD Ameritrade Account Holder Litigation

Opinion

          Janet G. Abaray Lopez, Hodes, Restaino, Milman & Skikos, Cincinnati, OH, William A. Baird, Milstein, Adelman & Kreger LLP, North Santa Monica, CA, John Michael Barclay, Whatley Drake & Kallas LLC, Birmingham, AL, Ben Barnow Barnow & Associates, P.C., Chicago, IL, for Plaintiffs.

James R. Carroll, Nicholas I. Leitzes, Skadden Arps Slate Meagher & Flom LLP, Richard D. Batchelder, Jr., Brian R. Blais, Seth C. Harrington, Douglas H. Meal, Mark Szpak, Harvey J. Wolkoff, Ropes & Gray LLP, Robert E. Ditzion, Thomas G. Shapiro, Shapiro, Haber & Urmy, LLP, Kristen Marquis, Robert T. Naumes, Fritz Thornton & Naumes LLP, Margaret M. Pinkham, Paul W. Shaw, Brown Rudnick Berlack Israels LLP, Jonathan Shapiro, Stern, Shapiro, Weissberg & Garin, Patrick J. Sheehan, Whatley Drake & Kallas LLC, Boston, MA, James R. Byrne, William H. Champlin, III, William S. Fish, Jr., Tyler, Cooper & Alcorn, LLP, Hartford, CT, Michael G. Caldwell, Benjamin A. Solnit, Tyler Cooper & Alcorn, LLP, New Haven, CT, Richard Lyle Coffman, The Coffman Law Firm, Beaumont, TX, Eric M. Quetglas-Jordan, Quetglas Law Office, San Juan, PR, Christopher P. Connors, Skadden, Arps, Slate, Meagher & Flom John R. Wylie, Futterman, Howard, Watkins, Wylie & Ashley, Steven P. Mandell, Stephen J. Rosenfeld, Mandell Menkes & Surdyk LLC, Aron David Robinson, Law Office of Aron D. Robinson, Kevin Barry Rogers, Law Offices of Kevin Rogers, Erich Paul Schork, Barnow and Assoc., PC, Chicago, IL, Michael G. Crow, Crow Law Firm, LLC, Harry Rosenberg, Phelps & Dunbar, LLP, New Orleans, LA, Gregory Louis Davis, Greg Davis LLC, Montgomery, AL, Danielle Disporto, Lester L. Levy, Michele F. Raphael, Wolf Popper LLP, Joe R. Whatley, Jr., Elizabeth Rosenberg, Whatley Drake & Kallas LLC, Richard J.J. Scarola, Scarola Ellis LLP, New York, NY, Launa Nicole Everman, Milstein, Adelman & Kreger Santa Monica, CA, Michael T. Fantini, Jon J. Lambiras, Berger & Montague, P.C., Sherrie R. Savett, Berger & Montague, P.C., Philadelphia, PA, Patrick E. Geraghty, Geraghty, Dougherty & Edwards, P.A., Ft. Myers, FL, John E. Goodman, Bradley, Arant, Rose & White, James C. Huckaby, Jr., Christian & Small, LLP, David G. Hymer, Bradley, Arant, Rose & White, F. Inge Johnstone, The Lamb Firm LLC, Archie C. Lamb, Jr., Law Offices of Archie Lamb LLC, John W. Scott, Scott, Dukes & Geisler, PC, E. Kirk Wood, Richard P. Rouco, Whatley Drake & Kallas LLC, Birmingham, AL, Malcome A. Heinicke, Munger, Tolles & Olson, San Francisco, CA, Darrel J. Hieber, Marcus R. Mumford, Skadden, Arps, Slate, Meagher & Flom, Cary B. Lerman, Teri-Ann E. Nagata, Munger, Tolles & Olson, Los Angeles, CA, Jordan L. Lurie, Leigh A. Parker, Zev B. Zysman, Weiss & Lurie, Wayne S. Kreger, Milstein Adelman and Kreger LLP, North Santa Monica, CA, Brant M. Laue, Ralph K. Phalen, Attorney at Law, Kansas City, MO, Michael M. Malinowski, Michael M. Malinowski, PLC, Grand Rapids, MI, C. Bradford Marsh, Swift, Currie, McGhee & Heirs, Atlanta, GA, Margaret Diane Mathews, Akerman Senterfitt Tampa, FL, Guyte P. McCord, III, McCord, Bubsey & Ketchum, Tallahassee, FL, James R. Patterson, Harrison, Patterson & O'Connor, San Diego, CA, Michael R. Pennington, Michael F. Walker, Bradley, Arant, Rose & White, LLP, North Birmingham, AL, John Michael Pickett, Young Pickett & Lee, Texarkana, TX, Louis Cooper Rutland, Jr., Rutland Law Firm LLC, Union Springs, AL, Thomas M. Sobol, Hagens Berman Sobol Shapiro LLP, Cambridge, MA, John S. Steward, Burstein Law Firm P.C., Clayton, MO, John E. Suthers, Savannah, GA, Robert N. Webner, Vorys Sater Seymour and Pease LLP, Columbus, OH, William Breck Weigel, Vorys, Sater, Seymour and Pease, LLP, Cincinnati, OH, for Defendants.


          MEMORANDUM AND ORDER

          YOUNG, District Judge.

         I. INTRODUCTION

         This Court has previously discussed the background and progress of this litigation. See In re TJX Cos. Sec. Breach Litig., 524 F.Supp.2d 83, 86-88, 2007 WL 2982994, at *1-3 (D.Mass. Oct. 12, 2007); McMorris v. TJX Cos., Inc., 493 F.Supp.2d 158, 160-61 (D.Mass.2007). As a result, only the most relevant history will be mentioned here.

On September 9, 2007, Amerifirst Bank and its newly added co-plaintiff, SELCO Community Credit Union (collectively, "Amerifirst"), ask the Court to recognize a class action against Fifth Third Bank and Fifth Third Bancorp ("Fifth Third"). Amerifirst, Saugusbank, Collinsville Savings Society, and Eagle Bank join forces with the Massachusetts Bankers Association, the Connecticut Bankers Association, and the Maine Association of Community Banks (collectively, the "issuing banks") and also seek the certification of a class against the TJX Companies, Inc. ("TJX").

          After thorough briefing, the Court heard oral argument on October 16. In the interim, this Court issued an order granting in part and denying in part Fifth Third and TJX's motions to dismiss, leaving in play only the issuing banks' claims of negligent misrepresentation and an alleged violation of Massachusetts General Laws Chapter 93A, based on negligent misrepresentation.

Amerifirst and the issuing banks have moved to amend their complaints, asserting an alternate ground for relief under Chapter 93A and a claim for conversion. [Doc. nos. 201 & 201] TJX and Fifth Third opposed the motion, alleging, among other things, that the claims are futile. Fifth Third Opp. to Amend. [Doc. 224] at 6-9; TJX Opp. to Amend. [Doc. 229] at 6-11. The Court expresses no opinion on this motion but notes that, should such an amendment be allowed, the present analysis of class certification will need to be reassessed. The Court is scheduled to hear oral argument on this motion on December 11, 2007.

         II. DISCUSSION

         A plaintiff who seeks to certify a class action has the burden of demonstrating that four prerequisites enumerated in Federal Rule of Civil Procedure 23(a), plus one of the provisions of Federal Rule of Civil Procedure 23(b), are satisfied. Smilow v. Southwestern Bell Mobile Sys., Inc., 323 F.3d 32, 38 (1st Cir.2003) (citing Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 614, 117 S.Ct. 2231, 138 L.Ed.2d 689 (1997)). Rule 23(a) requires that:

(1) the class is so numerous that joinder of all members is impracticable, (2) there are questions of law or fact common to the class, (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class, and (4) the representative parties will fairly and adequately protect the interests of the class.

Fed.R.Civ.P. 23(a).

         Once Rule 23(a)'s initial bar is hurdled, Rule 23(b) sets forth the three situations in which a class action can be maintained. Amerifirst and the issuing banks rely primarily on Rule 23(b)(3), see Issuing Banks' Memo. Sup. Class Cert. (" Issuing Banks' Memo." ) [Doc. 128] at 10-18; Amerifirst Memo. Sup. Class Cert. (" Amerifirst Memo." ) [Doc. 130] at 7-19, which permits certification when " the court finds that the questions of law or fact common to the class predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy." Fed.R.Civ.P. 23(b)(3). Amerifirst and the issuing banks also suggest that Rule 23(b)(2), which allows for certification when " the party opposing the class has acted or refused to act on grounds generally applicable to the class, thereby making appropriate final injunctive relief or corresponding declaratory relief with respect to the class as a whole," Fed.R.Civ.P. 23(b)(2), is appropriate. See Issuing Banks' Memo. at 18; Amerifirst Memo. at 19-20.

         Although Amerifirst and the issuing banks filed separate motions for class certification, the class definitions in those motions are identical and encompass

all financial institutions [nationwide] who received an alert from MasterCard or Visa related to the security breach of TJX's computer system in Framingham, Massachusetts and identifying one or more credit or debit cards issued by the financial institution.

Amerifirst Mot. to Cert. Class [Doc. 124] at 2; Issuing Banks Mot. to Cert. Class [Doc. 127] at 1. Interestingly, this definition appears broader than the class that Amerifirst and the issuing banks delineated in their consolidated class complaints, which would have included in the class only "financial institutions that have suffered damages and/or harm as a result of the data breaches." Issuing Banks' Am. Compl. [Doc. 81] ¶ 28; Amerifirst Am. Compl. [Doc. 142] ¶ 67.

This Court has serious doubts whether the class as proposed in the motions for class certification is properly defined. Furthermore, this Court is uncertain that the class definition set forth in the Amended Complaints is proper because, as the Court will describe below, in many instances it will not be obvious that an issuing bank's injuries occurred "as a result of the data breaches" as opposed to an unrelated fraud. Where individualized fact-finding is required to identify class members, "the class fails to satisfy one of the basic requirements for a class action under Rule 23." Crosby v. Social Sec. Admin., 796 F.2d 576, 580 (1st Cir.1986).

It is well-established that members of a plaintiff class must all have the legal right to bring suit against the defendant on their own; inclusion of those without such standing renders the class overbroad. See Pagan v. Dubois, 884 F.Supp. 25, 28 (D.Mass.1995) (Harrington, J.) (ruling that proposed class " would have to be redefined to consist only of those" who were injured); see also Slaughter v. Levine, 598 F.Supp. 1035 (D.Minn.1984) (" [E]ach class member must have standing to bring the suit in his own right." ), overruled on other grounds by Gardebring v. Jenkins, 485 U.S. 415, 108 S.Ct. 1306, 99 L.Ed.2d 515 (1988); Daigle v. Shell Oil Co., 133 F.R.D. 600, 604 (D.Colo.1990) (rejecting proposed class because it could " easily contain thousands of people who sustained no injury" as a result of defendant's conduct). The class as defined in the motions for class certification appears to sweep in financial institutions who suffered no injury as a result of the data breach; one example would be the bank who suffered no damages because all of its " compromised" cards had already expired or been cancelled at the time of the intrusion.

         Ultimately, however, the Court need not focus on this issue because the dispositive element in this case-the predominance of individualized questions-applies equally to both proposed class definitions.

         A. Requirements of Rule 23(a)

         The parties apparently agree that the proposed class would fulfill Rule 23(a)'s numerosity and commonality requirements. Rather, the dispute centers around whether the named plaintiffs can be considered typical and whether they can be relied upon adequately to represent absent class members.

          1. Typicality

"[A] plaintiff's claim is typical if it arises from the same event or practice or course of conduct that gives rise to the claims of other class members, and if his or her claims are based on the same legal theory." In re Neurontin Mktg. and Sale Practices Litig., 244 F.R.D. 89, 106 (D.Mass.2007) (Saris, J.); see also Modell v. Eliot Sav. Bank, 139 F.R.D. 17, 22 (D.Mass.1991) (Harrington, J.). The goal underlying the typicality analysis is to ensure that "the interests of the class and the class representatives [are such] that the latter will work to benefit the entire class through the pursuit of their own goals." Neurontin, 244 F.R.D. at 105-106.

It is obvious that the proposed class as a whole is premised on the same "course of conduct"-namely, the alleged failure of Fifth Third and TJX to maintain proper data security and their alleged failure to notify third parties about this deficiency. It is further apparent that the negligent misrepresentation and Chapter 93A theories of recovery asserted by Amerifirst and the issuing banks theoretically could have caused injury to many members of the proposed class. Because of these essential similarities between the proposed representatives and a large number of the members of the proposed class, this Court rules that the named plaintiffs are typical.

But see supra note 1.

Although Fifth Third and TJX vigorously contest this conclusion, a number of their objections address only immaterial differences between the representatives and the class members. Although the size of the banks, the brand of credit or debit card they issue, or their response to the security breach may vary, see TJX Mem. in Opp. [Doc. 164] at 2-10; Fifth Third Mem. in Opp. [Doc. 170] at 13, "in general, [typicality] may be satisfied even though varying fact patterns support the claims ... of individual class members." 7A Charles Alan Wright, Arthur R. Miller & Mary Kay Kane, Federal Practice and Procedure § 1764 at 266 (3rd ed.2005). None of these factual differences alter the congruity between the named plaintiffs and the remainder of the class with regard to the events from which their claims arose and the legal theories on which they might seek relief.

Similarly, this Court is unpersuaded that the possible use of affirmative defenses against some class representatives renders them atypical. TJX, for instance, asserts that the choice of some named plaintiffs to reissue immediately the compromised cards makes them vulnerable to affirmative defenses that do not apply to other class members. TJX Mem. in Opp. at 7. Although the existence of unique defenses against a named plaintiff can defeat typicality, this generally is true only if the defenses "threaten to become the focus of the litigation." See, e.g., Gary Plastic Packaging Corp. v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 903 F.2d 176, 180 (2d Cir.1990). Courts usually are "reluctant to deny class action status ... simply because affirmative defenses may be available against individual members." In re Sepracor, Inc., 233 F.R.D. 52, 54 (D.Mass.2005) (Lasker, J.); see also Smilow, 323 F.3d at 39-40; Neurontin, 244 F.R.D. at 106 ("[T]ypicality should be determined with reference to the [defendant's] actions, not with respect to particularized defenses it might have against certain class members.") (second alteration in original) (internal quotation marks omitted). Because it does not appear that the possible use of affirmative defenses against class members will, in fact, become the "focus of litigation," this Court finds typicality present here.

In fact, some of these so-called "differences" demonstrate the similarity between the two groups. For instance, TJX and Fifth Third make much of the fact that none of the named plaintiffs suffered losses due to fraud monitoring because they all immediately reissued their cards. In this Court's opinion, TJX's assertion that this demonstrates that the named plaintiffs did not suffer "the same type of injury" as the class members, TJX Mem. in Opp. at 9; see also Fifth Third Mem. in Opp. at 13, relies on an overly narrow definition of the word "injury." Whether due to fraud, monitoring, or card reissuance, the core of the plaintiffs' claim is that they lost money due to the security breach and the resultant compromise of their confidential data. When viewed from this more general perspective, the named plaintiffs' typicality in terms of injury cannot seriously be disputed.

         Other arguments concerning why the issuing banks should be considered atypical (such as the need to determine reliance and causation on an individualized basis) bear on whether Rule 23(b)(3) is satisfied, rather than on the existence of typicality. Ultimately, because Amerifirst and the issuing banks meet the standard set forth in Neurontin, they satisfy Rule 23(a)'s typicality requirement.

         B. Adequacy of Representation

         Because " the typicality analysis is a functional one addressed primarily to the question of whether the putative class representative can fairly and adequately pursue the interests of the absent class members without being sidetracked by her own particular concerns," Swack v. Credit Suisse First Boston, 230 F.R.D. 250, 264 (D.Mass.2005) (Woodlock, J.), the adequacy element of Rule 23(a) " tends to merge with the commonality and typicality criteria." Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 626 n. 20, 117 S.Ct. 2231, 138 L.Ed.2d 689 (1997)(internal quotation marks omitted). Nonetheless the First Circuit utilizes an independent two-part inquiry to determine if a class representative is adequate, asking (1) whether there is a potential for conflict and (2) whether there is an assurance of vigorous prosecution of the action. In re Relafen Antitrust Litig., 221 F.R.D. 260, 270 (D.Mass.2004) (citing Andrews v. Bechtel Power Corp., 780 F.2d 124, 130 (1st Cir.1985)).

Considering the present record, this Court has grave concerns about whether the named plaintiffs can in fact be considered adequate representatives with regard to the suit against Fifth Third. It appears likely that some issuing banks included in the proposed class are, like Fifth Third, acquiring banks. See Fifth Third Mem. in Opp. at 15. Thus, while banks that serve only as issuers-such as the named plaintiffs in this case-would clearly benefit from a victory, "mixed" banks may actually be negatively affected. Indeed, a decision that acquiring banks can be held liable in circumstances such as these very well could come back to haunt such "mixed" banks in the future. The "mixed" banks' interest in shielding themselves from liability for millions of dollars if they are ever in Fifth Third's position is contrary to the named plaintiffs' objectives. The existence of this fundamental conflict makes the Court skeptical that the class can be certified as defined. See, e.g., Pickett v. Iowa Beef Processors, 209 F.3d 1276, 1280 (11th Cir.2000); Lockwood Motors, Inc. v. General Motors Corp., 162 F.R.D. 569, 576 (D.Minn.1995) (noting that adequacy requires that "representative's interests are sufficiently similar to those of the class such that it is unlikely that their goals and viewpoints will diverge"); 7A Wright & Miller § 1768 at 389 ("It is axiomatic that a putative representative cannot adequately protect the class if [his] interests are antagonistic to or in conflict with the objectives of those being represented.").

Due to these facts, the Court is wholly unpersuaded by Amerifirst's assertion that it is not "seeking relief that will conflict with the economic interests of, or otherwise negatively affect" any class member. Amerifirst Reply [Doc. 172] at 15.

         Furthermore, the Court is concerned that the class Amerifirst seeks to certify appears marked by substantial dissent with regard to the decision to sue Fifth Third. Fifth Third Mem. in Opp. at 14. For instance, Fifth Third points this Court to the affidavits of leaders of banking associations in New England. Although these associations are named plaintiffs in the suit against TJX, they have indicated that their membership did not wish to pursue an action against Fifth Third. See, e.g., Spitzer Aff. [Doc. 41 Ex. 2] ¶ 6-8; Pinkham Aff. [Doc. 41 Ex. 3] ¶ 6-8.

         It is true that class certification generally is not defeated simply because some class members do not approve of the suit. See, e.g., 1 Newberg on Class Actions § 3:30 (4th ed.2007). At the same time, courts hesitate to recognize class actions where a significant portion of the proposed class does not wish to pursue the relief that the named representatives seek. See, e.g., East Texas Motor Freight Sys., Inc. v. Rodriguez, 431 U.S. 395, 405, 97 S.Ct. 1891, 52 L.Ed.2d 453 (1977) (denying class certification in part because majority of proposed class voted to reject merger of the city- and line-driver collective-bargaining units demanded by plaintiff's complaint); Alston v. Virginia High School League, Inc., 184 F.R.D. 574, 579 (denying certification where " a majority" of the proposed class surveyed " would not favor the injunctive relief sought by plaintiffs" )(W.D.Va.1999); Pratt v. Chicago Hous. Auth., 155 F.R.D. 177, 180 (N.D.Ill.1994). Amerifirst, who has the burden of proving that Rule 23(a) is satisfied, has failed to present to this Court evidence that allays the concerns raised by Fifth Third's allegation that a high percentage of the proposed class members do not wish the suit to go forward. The cases cited above, as well as the fact that it seems to defeat the point of Rule 23 to certify a class if the vast majority of that class will opt-out anyway, incline this Court to conclude that Amerifirst is an inadequate representative. This, combined with the consideration of Rule 23(b)(3) below, lead this Court to rule that certification of the proposed class is inappropriate.

          While there is less doubt about the adequacy of the plaintiffs pursuing TJX, this Court need not decide whether the named issuing banks are appropriate class representatives. Even were that the case, individual issues, as will be seen below, still predominate over common questions and thus defeat class certification.

         C. Rule 23(b)(3)'s Predominance Requirement

          1. Negligent Misrepresentation

          In order to recover on a claim of negligent misrepresentation, a plaintiff must demonstrate that the defendant, in the course of his business, supplied false information for the guidance of others in their business transactions. Marram v. Kobrick Offshore Fund, Ltd., 442 Mass. 43, 59 n. 25, 809 N.E.2d 1017 (2004). In addition, and important for the purposes of deciding this motion, the plaintiff must prove that he reasonably relied on the information and that doing so caused him pecuniary loss. Id.

Proving the element of reliance will necessarily involve individual questions of fact, and the issuing banks will be unable to invoke a presumption of reliance on the part of class members. See Mallozzi v. Zoll Med. Corp., 1996 WL 392146, at *11 (D.Mass.1996) (Gertner, J.) (noting presumption of reliance has not been applied to common-law fraud claims in Massachusetts). Therefore, the scope of TJX and Fifth Third's liability can be determined only by showing actual reliance on the part of each issuing bank included in the class. Although Amerifirst and the issuing banks assert that this can be shown on a class-wide basis through the use of circumstantial evidence, the Court disagrees. "A fraud class action cannot be certified when individual reliance will be an issue." Castano v. American Tobacco Co., 84 F.3d 734, 745 (5th Cir.1996); see also Broussard v. Meineke Disc. Muffler Shops, Inc., 155 F.3d 331, 341-42 (4th Cir.1998) (noting that "because reliance must be applied with factual precision, plaintiffs' fraud and negligent misrepresentation claims do not provide a suitable basis for class-wide relief") (citations and internal quotation marks omitted); Mowbray v. Waste Management Holdings, Inc., 189 F.R.D. 194, 198 (D.Mass.1999) (explaining that when "the individual issue of reliance" must be litigated, certification is "inappropriate"); Rothwell v. Chubb Life Ins. Co. of America, 191 F.R.D. 25, 31 (D.N.H.1998) (agreeing with "majority view that certification generally is inappropriate when individual reliance is an issue"); Mack v. General Motors Acceptance Corp., 169 F.R.D. 671, 678 (M.D.Ala.1996) (stating that, where individual reliance must be shown, "[t]here is no way to resolve the reliance issue on a class-wide basis"). Even the Supreme Court has indicated that the necessity of proving reliance on the part of class members "effectively would ... prevent" a class from being certified because "individual issues then would ... overwhelm[ ] the common ones." Basic Inc. v. Levinson, 485 U.S. 224, 242, 108 S.Ct. 978, 99 L.Ed.2d 194 (1988) (explaining that the "fraud-on-the-market" theory, which includes a presumption of reliance, is what permits securities class actions to proceed despite individualized nature of reliance inquiry and the requirements of Rule 23).

         Even if reliance could, in some situations, be demonstrated for the class as a whole via circumstantial evidence, doing so would not be appropriate here. The record before this Court raises significant questions about whether there was in fact class-wide reliance on TJX and Fifth Third's alleged misrepresentations. For instance, some banks appear to have considered only one factor-the need to keep up with the competition-when making their decisions about card issuance. See Caffrey Aff. [Doc. 168] Ex. 1 (" Capps Dep." ) at 23. Another bank suggested that, at least in some situations, a merchant's failure to comply with data security standards would not cause the bank to alter its behavior. See id. Ex. 3 (" Carlson Dep." ) at 185-86. Yet another issuing bank indicated that its beliefs about TJX's security, whatever they may have been, did not influence what security steps it adopted. See id. Ex. 5 (" Mitchell Dep." ) at 54-55. Furthermore, there is evidence that Visa informed at least some issuing banks that many merchants fail to comply with data security standards. See Fifth Third Appx. [Doc. 179] Ex. 44 (" Majka Dep." ) at 299-303. Fifth Third and TJX would have the right to introduce this type of evidence at trial in order to rebut the banks' assertion of reliance, creating precisely the type of " individualized evidentiary issue [that is] a persuasive reason for denying certification." Mowbray, 189 F.R.D. at 198.

         Furthermore, even if an issuing bank did rely on TJX and Fifth Third's alleged misrepresentations, it must prove that reliance was reasonable and justifiable in order to recover. First Marblehead Corp. v. House, 473 F.3d 1, 9 (1st Cir.2006) (discussing Massachusetts law); Brennan v. GTE Gov't Sys. Corp., 150 F.3d 21, 30 (1st Cir.1998) (same). Because there is evidence that at least some banks were informed that a majority of retailers were not in compliance with data security standards, an individualized determination of what each bank knew when it acted, and an individual evaluation of whether, given the information available to that bank, its reliance was reasonable, will be required. See Broussard, 155 F.3d at 341 (holding that, in suit alleging fraud and negligent misrepresentation, " proof of reasonable reliance would depend upon a fact-intensive inquiry into what information each [plaintiff] actually had" ).

Reasonable reliance is not the only element of the negligent misrepresentation claim that will require individual inquiries. Demonstrating that the negligent misrepresentation caused the proposed class members' pecuniary loss is similarly not amenable to determination on a class-wide basis. In arguing to the contrary, Amerifirst and the issuing banks again invoke circumstantial evidence, pointing, for instance, to the fact that there was a spike in card fraud following the TJX data breach. See Oral Arg. Tr., October 16, 2007, at 7-9. This information might be sufficient to show that the TJX data breach led to fraud in general. The problem for the plaintiffs is that the liability of TJX and Fifth Third will not hinge on whether the data breach caused fraud-related losses; liability will depend on whether the breach caused a particular plaintiff's loss. See Smith v. Brown & Williamson Tobacco Corp., 174 F.R.D. 90, 96 (W.D.Mo.1997) ("Liability will not turn on whether cigarettes are generally capable of causing disease; liability will turn on whether cigarettes caused a particular plaintiff's disease."). Given that there are a myriad of ways in which fraud losses can occur, as well as the fact that the plaintiffs themselves have admitted the difficulty of attributing any particular loss to the data breach, see, e.g., Caffrey Aff. Ex. 7 ("Pinkham Dep.") at 224; id. Ex. 11 ("Keenan Dep.") at 168, evidence of general causation will not suffice to prove the element of causation with regard to fraud-related losses on a class-wide basis. Instead, causation will have to be determined loss-by-loss, bank-by-bank, further rendering certification inappropriate. See, e.g., Smith, 174 F.R.D. at 90; Harding v. Tambrands, Inc., 165 F.R.D. 623, 630 (D.Kan.1996) (rejecting class certification due to predominance of individual issues, including causation, and noting that "[a] finding of general causation would do little to advance this litigation"); Mertens v. Abbott Labs., 99 F.R.D. 38, 41-42 (D.N.H.1983).

For instance, as Fifth Third suggests, the majority of fraud is so-called "friendly fraud," which occurs when the cardholder lends their credit card to someone and then disputes the charges made by the person to whom they lent their card. See Oral Arg. Tr. at 37. Obviously, there are many other ways through which credit or debit card fraud can be effectuated.

         This Court recognizes that the analysis above applies only to some types of losses, such as the cost of reimbursing cardholders for fraudulent transactions and the cost of reissuing cards when the decision to reissue was made only after fraudulent activity was observed. Where issuing banks engaged in fraud monitoring or reissued their cards solely because they received the alert about the TJX data breach and were concerned about the security of their accounts, causation is a less vexing issue.

         It would not be prudent, however, to certify a class, even one only consisting of those issuing banks who suffered the latter type of injury. First, as discussed above, liability could not be determined on a class-wide basis because each bank would have to show reasonable reliance on TJX and Fifth Third's negligent misrepresentations. Furthermore, TJX and Fifth Third have indicated that they intend to present proof regarding the comparative negligence of some issuing banks, including the named plaintiffs. See TJX Mem. in Opp. at 7-8. This evidence will necessarily be of an individual nature, as issuing banks differ with regard to how they conducted their affairs both before and after they learned of the data breach. See, e.g., Majka Dep. at 283-84; 289-90; Carlson Dep. at 99-100. The Seventh Amendment requires that evidence relating to the individualized issue of comparative fault be presented at the same time as evidence relating to TJX and Fifth Third's liability. See, e.g., Castano, 84 F.3d at 750 (noting that bifurcation of trial, such that a second jury would evaluate individual issue of comparative negligence, would violate the Seventh Amendment); In re Rhone-Poulenc Rorer, Inc., 51 F.3d 1293, 1302-04 (7th Cir.1995) (same).

In sum, this constellation of individualized issues convinces the Court that the proposed class is not "sufficiently cohesive to warrant adjudication by representation." Amchem Prods., 521 U.S. at 594, 117 S.Ct. 2231.

          2. Chapter 93A

          In order to prevail on their chapter 93A claim, the issuing banks must demonstrate (1) that they suffered the loss of money or property (2) as a result of the use by another of an unfair or deceptive trade practice. Mass. Gen. Laws c. 93A § 11. As applied here, Amerifirst and the issuing banks will have to show that TJX and Fifth Third's negligent misrepresentations caused their losses. The difficulties of establishing causation on a class-wide basis evident in the context of the negligent misrepresentation claim also are present with regard to the chapter 93A claim. For instance, if a particular instance of fraud occurred because a thief stole a cardholder's wallet and used the credit card therein, that fraud would be wholly divorced from the conduct of TJX and Fifth Third; the issuing bank could not recover for that loss under chapter 93A, even if that same cardholder's information was compromised in the data breaches. Of course, as discussed above, the issuing banks themselves apparently are unable to determine definitively whether the discrete fraud events to which they were each victim can be traced to the data breaches. Thus, in order to meet the burden of proving the elements of the Chapter 93A claim, it is foreseeable that the issuing banks will be required to present individualized proof that rules out alternative sources of fraud. For the reasons discussed above, this is incompatible with class certification on this cause of action. See Markarian v. Connecticut Mut. Life Ins. Co., 202 F.R.D. 60, 68 (D.Mass.2001) (Wolf, J.) (declining to certify class under Chapter 93A given lack of common proof with regard to causation).

Although Amerifirst and the issuing banks argued that there are other bases for the chapter 93A claim, this Court has held that negligent misrepresentation presents the only viable theory of recovery. See In re TJX Cos. Retail Sec. Breach Litig., 524 F.Supp.2d 83, 93-94, 2007 WL 2982994, at *9 (D.Mass., Oct. 12, 2007)(dismissing Chapter 93A claim insofar as it was grounded in alleged violations of the Gramm-Leach-Bliley Act or the Federal Trade Commission Act).

         Furthermore, even if the data breaches can be determined to be the but-for cause of an issuing bank's loss (as is the case with regard to automatic card reissuance and fraud monitoring), that is insufficient to prevail on Chapter 93A. This is because it is TJX's and Fifth Third's negligent misrepresentations, not the security compromises, that are the unfair or deceptive trade practices that undergird the Chapter 93A claim. Thus, it will not be enough for the banks to simply show that the data breach is the but-for cause of their loss or that TJX and Fifth Third failed to remedy shortcomings in its data security systems. They will have to show that, had TJX and Fifth Third been candid about their data security compliance, their losses would not have occurred.

         This, in turn, implicates reliance. It is true that under Massachusetts law reliance is "not an essential element of a [Chapter 93A] claim." Hershenow v. Enterprise Rent-A-Car Co. of Boston, Inc., 445 Mass. 790, 800 n. 20, 840 N.E.2d 526 (2006). In some cases, however, reliance constitutes an "essential link" in the chain of causation that does have to be proven under Chapter 93A. Trifiro v. New York Life Ins. Co., 845 F.2d 30, 33 n. 1 (1st Cir.1988); see also Spenlinhauer v. Kane, 1998 Mass.App.Div. 155, 1998 WL 474170 at *5 (1998) (noting that if plaintiff cannot prove all of the elements of her case for negligent misrepresentation-including reasonable reliance-"as a matter of law the plaintiff would have no reasonable expectation of proving a violation of [Chapter] 93A"); Massachusetts Laborers' Health & Welfare Fund v. Philip Morris, Inc., 62 F.Supp.2d 236, 242 n. 3 (D.Mass.1999) (O'Toole, J.).

         This is one of those cases where reliance is a necessary part of the causal chain. If TJX and Fifth Third can prove that issuing banks were aware at the relevant times that merchants violated security standards or that, even had such banks known that a particular merchant such as TJX was in noncompliance, that they would not have altered their behavior with regard to card issuance, participation in the credit card networks, or in honoring transactions from that merchant, then TJX and Fifth Third's alleged negligent misrepresentations by omission would not appear to be the but-for reason that the issuing banks were in a position to be harmed by the data breaches. Even were this not the case, however, the difficulties of demonstrating causation on a class-wide basis, combined with the inability of the plaintiffs to prove on a class-wide basis the negligent misrepresentation claim upon which their Chapter 93A cause of action is based, present a sufficient basis for ruling against class certification.

          3. Damages

          "[T]he need for individualized damages decisions does not ordinarily defeat predominance where there are ... disputed common issues as to liability." Tardiff v. Knox County, 365 F.3d 1, 6 (1st Cir.2004). On the other hand, where, as here, issues as to liability require individualized inquiry, the fact that damages must be determined on a plaintiff-by-plaintiff basis further "weighs against class status." Id.

         It is undisputed that losses in this case, assuming they can be satisfactorily tied to the TJX data breaches, will vary from bank to bank. For example, some banks had more accounts compromised than others, which led to varying amounts of card reissuance and fraud monitoring costs. Similarly, banks experienced differing amounts of fraud. Absent an acceptable method for determining damages in the aggregate, identifying damages will necessarily be an individualized issue.

         Amerifirst and the issuing banks assert that damages can be determined in the aggregate and have proposed that this Court use the Visa Account Data Compromise Recovery Process (ADCR) to do so. Oral Arg. Tr. at 36. As the name suggests, Visa created and employs this methodology in its internal relations with the members of its credit card network. Reduced to its essence, ADCR seeks to provide an efficient and cost-effective method of settling disputes arising out of account data compromises and resultant fraud. Visa, Inc., What Every Merchant Should Know About the New Account Data Compromise Recovery Process 1 (2006), available at http://usa.visa.com/download/merchants/adcrfinal.pdf.

         Under this approach, the first step is to create a "baseline" of fraud, or the amount of fraud that would have taken place even had the data breach not occurred. To determine this, Visa analyzes a large sample of credit card accounts-making sure not to include any accounts compromised-and determines what percentage of their transactions are fraudulent. Visa then determines the amount of fraud taking place on the compromised accounts. Any difference between the percentage of fraud on the latter accounts and the baseline level is attributed to the acquiring bank and its merchants. Id. at 2; Oral Arg. Tr. at 22. Issuing banks may recover for 80 percent of their accounts involved in the compromise; they may also recover $1 per account for reissuing or monitoring costs. Visa, Inc. at 2. The calculations are limited to a thirteen month window, the twelve months before and the one month after the alert regarding the compromise was sent to issuing banks. Id. at 1.

         This methodology strikes this Court as an excellent alternative dispute resolution procedure. But it is just that: alternative. It was designed with efficiency in mind. This Court is not convinced that this methodology is appropriate for use in a court of law. For example, the ADCR methodology, as implemented by Visa, does not require the establishment of a causal connection between the data breach and any particular fraud. Similarly, ADCR limits the window of liability to 13 months, leading this Court to be concerned that it perhaps would not provide an adequate estimation of losses given the timeline of the events in question and the fact that, according to plaintiff's counsel, fraud losses possibly attributable to the data breach are still being reported. Oral Arg. Tr. at 9.

         The ADCR procedure was created to address precisely the type of incident at issue in this case. Accordingly, if the plaintiffs here feel that ADCR adequately will estimate their losses, then perhaps they should-to the extent that they issue Visa cards-consider taking advantage of Visa's dispute settlement procedure. The Court, however, ought not transform a private mechanism for dispute resolution into a judicial procedure, with all its attendant niceties. See Dennis Jacobs, The Secret Life of Judges, 75 Fordham L.Rev. 2855, 2859 (2007) (criticizing the judicial tendency to "expand the spheres of activity in which lawyers act and control"). In court, determining damages must be fact-intensive and individualized, which is yet another point against class certification given the predominance of individual issues with regard to liability.

          4. Conclusion

         Based upon questions regarding the propriety of the scope of the proposed class, concerns regarding the adequacy of the class representatives, and the number of individual questions touching on fundamental issues, this Court rules that this action is inappropriate for class certification under Rule 23(b)(3).

         D. Certification Pursuant to Rule 23(b)(2)

          Amerifirst and the issuing banks alternatively urge the Court to certify their proposed class pursuant to Rule 23(b)(2). See Amerifirst Memo. at 19; Issuing Banks Memo. at 18. Rule 23(b)(2), however, "does not extend to cases in which the appropriate or final relief relates exclusively or predominately to money damages." Advisory Committee Note to 1966 Amendments to Rule 23. "In other words, if it is readily apparent ... that [plaintiffs'] primary objective is money damages [,] certification under Rule 23(b)(2) is not appropriate." Markarian, 202 F.R.D. at 70 (internal quotation marks omitted) (alterations in original).

         It is true that Amerifirst and the issuing banks have requested declaratory and injunctive relief. Issuing Banks Am. Compl. at ¶ 1; Amerifirst Am. Compl. at 29 ¶ 1. The thrust of their prayer for relief, however, is undisputably monetary: Amerifirst and the issuing banks have requested compensatory damages, treble damages for the alleged violation of Chapter 93A, and attorney fees and costs. Furthermore, the Court is convinced, based on the whole record before it, that the named plaintiffs are far more concerned with recovering the money they expended after the security breach than in obtaining equitable relief. Because the predominate motive behind this suit is financial, class certification pursuant to Rule 23(b)(2) is not justified.

         III. WHAT NOW?

         The denial of class certification-should the Court adhere to this finding and ruling after consideration of the most recent motion to amend, see supra note 1-poses a host of practical issues, some legal and others practical, which the parties are invited to address at their earliest convenience.

         For example, while the denial of class certification is immediately appealable pursuant to Federal Rule of Civil Procedure 23(f), the underlying case is not automatically stayed during the pendency of such an appeal, see Fed.R.Civ.P. 23(f), and this Court has no intention of staying it. What, then, is the Court's subject matter jurisdiction? With the dismissal of the claims that relied upon federal law, In re TJX Cos. Retail Sec. Breach Litig., 524 F.Supp.2d 83, 2007 WL 2982994 (D.Mass.2007) (dismissing Chapter 93A claim insofar as it was based on a violation of the Federal Trade Commission Act and a violation of the Gramm-Leach-Bliley Act), the Court's jurisdiction rests solely on the diversity of the parties. As an initial matter, however, it may very well be that the presence of the Massachusetts' Bankers Association as a plaintiff destroys diversity, given that TJX is also headquartered in Massachusetts. See Caterpillar Inc. v. Lewis, 519 U.S. 61, 68, 117 S.Ct. 467, 136 L.Ed.2d 437 (1996) ("The current general-diversity statute ... 28 U.S.C. § 1332(a) [ ] thus applies only to cases in which the citizenship of each plaintiff is diverse from the citizenship of each defendant."). Furthermore, absent class action treatment, the claims of the individually named plaintiff banks appear too small (even if the Court assumed a jury would treble the Chapter 93A damages, see Massachusetts Eye and Ear Infirmary v. QLT, Inc., 495 F.Supp.2d 188, 197 (D.Mass.2007) (ruling there is constitutional right to trial by jury for Chapter 93A claim when damages are sought)) to meet section 1332's $75,000 amount-in-controversy requirement. The claims of the plaintiff banking associations are likewise vulnerable to dismissal since the Declaratory Judgment Act, 28 U.S.C. § 2201, affords only a remedy, not an independent grant of federal jurisdiction. See id. § 2201(a) ("In a case of actual controversy within its jurisdiction ... any court ... may declare the rights or other legal relations of any interested party seeking such declaration ....") (emphasis added).

          If this Court cannot provide a forum to these plaintiffs, where are they to go? True, the various out-of-state plaintiff banks and associations may commence independent actions in their several home states and call upon the courts there to interpret and apply Massachusetts law, which Amerifirst and the issuing banks assert is controlling. Amerifirst Memo. at 11-14; Issuing Banks' Memo. at 12-15. Of course, the law of Massachusetts-especially Chapter 93A (with its attendant potential punitive damages and attorneys' fees)-is a subject with which these foreign courts may have little familiarity. In this circumstance, the parties face uncertain application of the law, such as in determining whether Chapter 93A's prerequisite that the "center of gravity" of the alleged "unfair and deceptive business practices" be in Massachusetts is satisfied. See Kuwaiti Danish Comp. Co. v. Digital Equip. Corp., 438 Mass. 459, 472-73, 781 N.E.2d 787 (2003) (noting that determining whether unfair or deceptive trade practice is covered by Chapter 93A is a "fact intensive" inquiry that requires evaluating the context of the entire claim to identify the "center of gravity"); see also Kotva s.a. v. Weiss, No. 05-cv-10679 (D.Mass. Nov. 1, 2007) (order directing verdict for defendant with regard to Chapter 93A action where "center of gravity" of the action was in the Czech Republic, although the conduct allegedly was directed from Brookline, Massachusetts).

         Should the plaintiffs elect to press their suit here in Massachusetts, what is the appropriate venue? Because the TJX headquarters are in Framingham, "remand" to the Massachusetts Superior Court sitting in and for the County of Middlesex would seem in order. This action has the added benefit of affording the parties the option of seeking transfer to the distinguished Business Law Session of the Massachusetts Superior Court, sitting in the County of Suffolk, where these state law claims may be appropriately and expeditiously addressed. See Hon. Allan van Gestel, The Business Litigation Session After Five Years, at 11 (February 6, 2006), available at http://www.boston.com/business/globe/articles/2007/11/07/judge_vs_the_judges; see also Judge Margot Botsford, Judge Nonnie Burns, Judge Ralph Gants, and Judge Susan Garsh, Response to Judge Van Gestel's Report on the Business Litigation Session of the Superior Court (March 1, 2006), at 1 (confirming the court-wide institutional support for this special session), available at http://www.boston.com/business/globe/articles/2007/11/07/judge_vs_the_judges.

While simple dismissal is the appropriate remedy when an action, originally filed in federal court, is dismissed for want of federal jurisdiction, this Court routinely "remands" such actions to our sister courts of the Commonwealth when those courts have jurisdiction and venue is appropriate. Such action is in the interests of justice, as it keeps the case on track, impairs the rights of no party, and conserves the parties' transaction costs. Just as routinely, the Superior Court of Massachusetts accepts such "remands."

         IV. CONCLUSION

         Accordingly, the motions for class certification [Docket Nos. 124 & 127] are DENIED.

         SO ORDERED.

