By Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley
Duane Morris Takeaways: In Vest Monroe, LLC v. Doe, No. S23G1224, 2024 Ga. LEXIS 187 (Ga. Sept. 4, 2024), the George Supreme Court reversed the Georgia Court of Appeals and held that a trial court did not abuse its discretion when it denied class certification in a data breach class action lawsuit alleging that a health facility failed to protect patients’ sensitive information. The trial court originally ruled that Plaintiff failed to establish the elements of typicality and commonality, since the named Plaintiff did not suffer the same harm as the putative class that he sought to represent. The Georgia Supreme Court vacated a holding by the Georgia Court of Appeals that parted ways with the trial court.
For businesses that are embroiled in the rapidly evolving data breach class action litigation arena, this case provides valuable insight regarding how companies can oppose motions for class certification.
Case Background
Plaintiff received treatment at Ridgeview Institute – Monroe, a behavioral health and addiction treatment facility. After an employee at the facility was terminated, the employee contacted Plaintiff’s counsel of record in a medical malpractice case pending against Ridgeview and provided the attorney with digital copies of documents and recordings that she obtained from Ridgeview. Id. at *3. After becoming aware of the disclosure of the patient information, Ridgeview discovered that information pertaining to nearly 2,000 patients was compromised.
In March 2020, Defendants filed a lawsuit against the former employee in federal court, which ultimately enjoined the former employee and her counsel from further dissemination of the Ridgeview documents, and ordered her to delete the material in her possession. Defendants also notified all potentially affected individuals of the incident. In November 2020, after receiving notice of the incident, Plaintiff filed a class action complaint against Defendants, asserting a number of claims related to the unauthorized disclosure of patient information.
Plaintiff moved for class certification in March 2022. The trial court denied Plaintiff’s motion for class certification on the grounds that Plaintiff failed to establish either the required elements of commonality or typicality under OCGA § 9-11-23 (a). In finding a lack of commonality, the trial court noted the differences in the type of documents disclosed with respect to members of the proposed class, as some contained diagnosis and treatment information, while others did not. Id. at *4. Relatedly, the trial court concluded that Plaintiff’s claims did not satisfy the element of typicality because some members of the proposed class had clinical information revealed, while Plaintiff did not.
Plaintiff appealed, and the Georgia Court of Appeals reversed the trial court’s decision. The Court of Appeals rejected the trial court’s findings on commonality and typicality, and instead concluded that with respect to typicality, Plaintiff’s claims and those of the putative class arose “from the same alleged events” and were “based on the same legal theories.” Id. at *6.
The Georgia Supreme Court thereafter granted review to consider whether the trial court abused its discretion by finding that the putative class lacked commonality and typicality under OCGA § 9-11-23 (a).
The Georgia Supreme Court’s Decision
The Georgia Supreme Court reversed the Court of Appeals’ decision and held that the trial court acted within its discretion in finding a lack of typicality.
First, the Georgia Supreme Court opined that the trial court’s order reflected that it conducted the rigorous analysis contemplated by OCGA § 9-11-23.10. For instance, in its order denyingclass certification, the trial court explained that the OCGA § 9-11-23 (a)(3) typicality requirement directs that the class representative “possess the same interest and suffer the same injury as the classmembers,” and that the pertinent inquiry is “whether asufficient nexus exists between the claims of the namedrepresentatives and those of the class at large.” Id. at *9-10. The trialcourt further recognized that it was Plaintiff’s burden to prove that class certification wasappropriate and must do so by introducing affirmative evidence. Agreeing with the trial court, the Georgia Supreme Court held that Plaintiff failed to fulfill this burden.
Second, the Georgia Supreme Court held that the trial court did not rely on incorrect facts in determining that typicality was lacking. Pertinent to its assessment of typicality, the trial court found that the former employee who was responsible for the breach had access to information that had no relationship to her job duties, including patient files, many of which contained significant sensitive medical information. Id. at *10-11. The trial court also highlighted the undisputed fact that no diagnosis or treatment information related to Plaintiff was revealed. Accordingly, the Georgia Supreme Court reasoned that the trial court properly concluded that Plaintiff’s claims “do not represent the claims of all of the proposed class members because some of [the patients had] clinical information revealed whereas [Plaintiff] has not” which “leads to factual and legal differences between the claims in the case.” Id. at *13.
Finally, the Georgia Supreme Court noted that in reviewing the trial court’s findings with respect to typicality, the question before the Court of Appeals was whether the trial court’s analysis as to typicality fell “within the range of possible outcomes” permissible on abuse-of-discretion review “in which there could be room for reasonable and experienced minds to differ.” Id. at *16 (citations omitted). The Georgia Supreme Court held that, “because the trial court’s typicality determination was made in conformity with the governing legal principles, was not based on incorrect or irrelevant facts, and was within the reasonable range of possible outcomes, we cannot say that the trial court abused its discretion by finding a lack of typicality and denying [Plaintiff’s] motion for class certification on that basis.” Id. at *16-17. Accordingly, it held that the Court of Appeals erred in determining that the trial court wrongly failed to certify the class on the basis of typicality, and reversed the Court of Appeals’ decision.
Implications For Businesses
For employers and consumer-facing businesses, data breach class action litigation is near or at the top of nearly every company’s “biggest risk” list. When breaches do occur, there is a strong likelihood that a class action lawsuit will follow.
Fortunately, this decision provides a blueprint for one avenue to attack class certification — the element of typicality. It is conceivable that many other data breach class action named plaintiffs, like Plaintiff here, will not have suffered the same harm as the putative class. Accordingly, data breach class action defendants would be prudent to explore the potential factual differences between the named Plaintiff and the putative class to strengthen this defense.