Texas Federal Court Throws Out Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Austin v. Fleming, Nolen & Jez, LLP, No. 4:23-CV-00901, 2024 U.S. Dist. LEXIS 60696 (S.D. Tex. Apr. 2, 2024), Judge Andrew S. Hanen of the U.S. District Court for the Southern District of Texas granted Defendant’s motion for summary judgment in a data breach class action. The Court found that the time Plaintiff’s allegations about the time spent – (i) researching the data breach, (ii) exploring credit monitoring and identity theft options, (iii) self-monitoring her accounts, and (iv) seeking legal counsel – were not compensable damages and could not support her claims.  This case serves as an important reminder that named Plaintiffs in data breach class actions must have suffered an actual, viable, concrete injury to sustain their claims.

Case Background

On February 6, 2023, a cybercriminal breached Defendant’s servers and obtained some of its confidential client data.  Id. at *1.  The cybercriminal then demanded Defendant pay money to avoid the publication of Defendant’s confidential client data on the dark web.  Id.  After Defendant sent out data breach notice letters to their potentially affected clientele, the named Plaintiff, a former client of Defendant, filed a class action complaint against Defendant asserting claims for negligence, breach of confidence, breach of implied contract, and breach of implied covenant of good faith and fair dealing.  Id.

Defendant moved for summary judgment on the basis that Plaintiff had not, and could not, establish that she had suffered any damages as a result of the data breach.  Id.  In response, Plaintiff presented an affidavit from a putative class member who had suffered monetary damages due to identity theft.  Id.

The Court’s Decision

The Court ruled that Plaintiff could not rely on a putative class member’s purported damages to support her claims prior to class certification, and as such, any evidence supporting the claims of other class members was “irrelevant.”  Id. at 4.  As a result, the Court only considered Defendant’s motion for summary judgment as it pertained to Plaintiff’s individual claim against the Defendant. Id.

The Court held that none of the following allegations of harm were sufficient for Plaintiff to maintain her claims — “time spent verifying the legitimacy and impact of the data breach, exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying and/or mitigating the effects of the data breach.”  Id. at *5-6.

Accordingly, the Court found that because Plaintiff could not show “that she was injured by the data breach” or that “she suffered any damages,” summary judgment was proper.  Id. at *6.

Implications For Companies

The Court’s ruling in Austin v. Fleming underscores the importance of damages and a viable injury-in-fact in data breach class actions.  The first line of defense in any data breach class action challenging whether the named Plaintiff suffered an actual, concrete injury.  Used effectively, companies can parlay a Plaintiff’s claimed damages in data breach class actions as quick off-ramp out of litigation.

Texas Federal Court Strikes Down NLRB’s 2023 Joint Employer Rule

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Chamber of Commerce of the U.S.A. et al. v. NLRB et al., No. 6:23-CV-00553, 2024 WL 1045231 (E.D. Tex. Mar. 8, 2024), Judge J. Campbell Barker of the U.S. District Court for the Eastern District of Texas granted the Plaintiffs motion for summary judgment and denied the Defendants cross-motion for summary judgment. Under the NLRB’s 2023 joint employer rule, even companies who exercise just “indirect control” over the employees of another entity could be considered a joint employer under federal labor laws. The Court held that the NLRB’s 2023 joint employer rule did not provide a meaningful two-part test to determine joint employer status, and that the NLRB’s reason for rescinding the 2020 Rule was arbitrary and capricious.  Accordingly, the Court vacated the 2023 Rule and reinstated the 2020 Rule. 

This ruling is a huge win for businesses, as it reinstates the 2020 Rule’s heightened “substantial direct and immediate control” standard for determining joint-employer status.

Case Background

In 2020, the NLRB issued a joint-employer final rule, providing that an entity “is a joint employer of a separate employer’s employees only if the two employers share or codetermine the employees’ essential terms and conditions of employment” (the “2020 Rule”).  Id. at 12 (quoting 29 C.F.R. § 103.40(a) (2020)).  Under the 2020 Rule, a company is a joint employer when it exercises “substantial direct and immediate control” over one or more of the following “essential terms or conditions of employment” – “wages, benefits, hours of work, hiring, discharge, discipline, supervision, and direction.”  Id. at 12-13 (quoting 29 C.F.R. § 103.40(a), (c)(1) (2020)).

In 2023, the NLRB rescinded the 2020 Rule and enacted a new joint-employer final rule (the “2023 Rule”).  Id. at 14.  The 2023 Rule defined a joint employer as an entity that exercised “reserved control” or “indirect control” over one of seven terms and conditions of employment, including: “(1) work rules and directions governing the manner, means, and methods of the performance, and (2) working conditions related to the safety and health of employees.”  Id. (29 C.F.R. § 103.40(d)-(e)).

In 2023, Plaintiffs sued the Defendants, challenging the 2023 Rule on two grounds: (i) that it is inconsistent with the common law; and (ii) that it is arbitrary and capricious.  Id. at 14-15.

In response, the Defendants cross-moved for summary judgment on the Plaintiffs claims, alleging that the 2023 Rule was based on, and is governed by, common law principles, that it is not arbitrary and capricious, and that the Board acted lawfully in rescinding the 2020 Rule.  Id. at 20.

The Court’s Decision

The Court granted the Plaintiffs motion for summary judgment, and denied Defendants cross-motion for summary judgment, thereby “vacating the 2023 Rule, both insofar as [the 2023 Rule] rescind[ed] the [2020 Rule] and insofar as it promulgate[d] a new version of [the 2020 Rule].”  Id. at 30.

First, the Court focused on the main dispute between the parties, i.e., whether the 2023 Rule had a meaningful two-step test to determine an entity’s joint employer status, or the 2023 Rule only had one step for all practical purposes.  Id. at 20-21.  The Defendants argued that the 2023 Rule’s joint-employer injury had the following steps: (i) “an entity must qualify as a common-law employer of the disputed employees”; and (ii) “only if the entity is a common-law employer, then it must also have control over one or more essential terms and conditions of employment.”  Id.  The Court disagreed, finding that “an entity satisfying step one, along with some other entity doing so, will always satisfy step two,” since “an employer of a worker under the common law of agency must have the power to control ‘the material details of how the work is to be performed,” and the Defendants proposed step two included “work rules and directions governing the manner, means and methods of the performance of duties.”  Id. at 22-23 (internal citations omitted).

The Court then analyzed whether the Board lawfully rescinded the 2020 Rule.  It opined that “to survive arbitrary-and-capricious review, agency action must be ‘reasonable and reasonably explained.”  Id. at 28-29.  The Court held that the Board did not provide a “reasonable or reasonably explained” purpose for rescinding the 2020 Rule, and therefore, its recension was arbitrary and capricious.  Id. at 29.  Since “vacatur of an agency action is the default rule” in the Fifth Circuit when such rule “is found to be discordant with the law or arbitrary and capricious”, the Court vacated the 2023 Rule.  Id. at 30.

Implications For Employers

The Court’s vacatur of the 2023 Rule in Chamber of Commerce of USA et al. v. NLRB et al. is an important victory for employers. The 2023 Rule would have made “virtually every entity that contracts for labor . . . a joint employer.” Id. at 25. Moreover, the 2020 Rule, in addition to imposing the heightened “substantial direct and immediate control standard,” provides integral guidance for what actions are considered joint, and what actions are not.  The Court’s decision to reinstate the 2020 Rule, therefore, is also a significant win for employers.

Three Months After Class Certification Was Denied, New Mexico Federal Court Allows Sixteen FedEx Delivery Drivers To Intervene In A Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Martinez v. Fedex Ground Package System, Inc., No. 20-CV-1052, 2024 WL 418801 (D.N.M. Feb. 5, 2024), Judge Steven C. Yarbrough of the U.S. District Court for the District of New Mexico granted the intervention motion of 16 putative class members to join the lawsuit,  The Court held that the plaintiff-intervenors met the standard for permissive intervention under Rule 24(b)(2).  The Court’s decision in this case serves as an important reminder that Rule 23 and Rule 24 employ two separate commonality standards, and that class action cases are not automatically over when a court denies class certification.

Case Background

On October 12, 2020, Plaintiffs Fernandez Martinez and Shawnee Barrett (collectively, “Plaintiffs”) filed suit against Defendant Fedex Ground Package System, Inc. (“Fedex”), alleging that Fedex misclassified them as independent contractors and failed to pay them and putative class members overtime wages in violation of the New Mexico Minimum Wage Act (“NMMWA”).

On November 8, 2022, Plaintiffs moved to certify a class of all current or former New Mexico FedEx drivers who were paid a day rate without overtime compensation.  On October 27, 2023, the Court denied Plaintiffs’ motion on the basis that Plaintiffs failed to demonstrate that common questions predominated over individualized issues pursuant to Rule 23(b)(3).  Martinez v. FedEx Ground Package Sys., No. 20-CV-1052, 2023 WL 7114678 (D.N.M. Oct. 27, 2023).

On December 15, 2023, a group of 16 putative class members (the “Intervenors”) filed a motion to intervene as plaintiffs in the Lawsuit under Rule 24.  Martinez, 2024 WL 418801, at 1. In their motion, the Intervenors alleged that they, like Plaintiffs, were “current or former New Mexico FedEx delivery drivers who were paid the same amount of money regardless of how many hours they worked in a day, resulting in no premium payment for overtime hours worked in violation of the [NMMWA].”  Id.

The Court’s Decision

The Court granted the Intervenors’ motion.  Id. at 2.  It held that the Intervenors presented sufficient “questions of law and fact in common with the main action” under Rule 24.  Id.

The Court noted that permissive intervention under Rule 24 is appropriate where (i) a federal statute creates a conditional right, or (ii) where the “intervenor has a claim or defense that shares with the main action a common question of law or fact.”  Id.

In its opposition, FedEx asserted that because the Intervenors were employed by independent service providers (“ISPs”) to deliver packages on behalf of FedEx, and were not employed by FedEx directly, FedEx was not liable under the NMMWA for allegedly unpaid overtime.  Id.  Further, FedEx argued that the commonality requirement of Rule 24 was not met because the Court already found the absence of a common question when it denied class certification.  Id.

While the Court recognized that it denied class certification under Rule 23’s commonality requirement, it was not persuaded by FedEx’s arguments.  The Court underscored that under Rule 24, “rather than asking whether a question is susceptible to resolution ‘in one stroke,’ courts must ask whether intervenors present ‘questions of law and fact in common with’ the main action.”  Id.

The Court concluded that the “existing plaintiffs and every intervenor [would] assert that certain common aspects of [FedEx’s] contracts with ISPs [made FedEx] a joint employer and, consequently, jointly liable for any [NMMWA] violations.”  Id.  Accordingly, the Court ruled that the Intervenors satisfied the Rule 24 commonality standard and were permitted to join the lawsuit as plaintiffs.  Id. at 3.

Implications For Companies

The decision in Martinez v. FedEx serves as an important reminder for defendants that class actions are not necessarily over once class certification is denied – and some members of the putative class may take a run at joining the lawsuit per Rule 24.  Additionally, it underscores the distinct commonality analyses under Rule 23 and Rule 24.

Illinois Federal Court Dismisses Five Of Six Causes of Action In Data Breach Class Action Against Chicagoland Nonprofit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Wittmeyer v. Heartland Alliance for Human Needs & Rights, No. 23-CV-1108, 2024 WL 182211 (N.D. Ill. Jan. 17, 2024), U.S. District Judge Jeremy C. Daniel granted in part and denied in part Defendant Heartland’s motion to dismiss under Rule 12(b)(6). The Court found that the Plaintiffs only pled facts sufficient to support their negligence claim, and dismissed their negligence per se, breach of express and implied contract, breach of the Illinois Consumer Fraud Act and Deceptive Business Practices Act claims, and declaratory judgment and injunction claims.  The ruling is exceedingly favorable for companies. Data breach class action defendants should utilize this decision as a roadmap when preparing motions to dismiss.

Case Background

Heartland Alliance for Human Needs & Rights (“Heartland”) is a non-profit, anti-poverty organization that provides healthcare and other services to individuals.  Id. at *1.  To receive services, individuals provide Heartland with personally identifiable information (“PII”) such as names and social security numbers.  Id.  For those individuals who receive medical services, Heartland also collects and stores personal health information (“PHI”) including medical diagnoses and medication records.  Id.

In January 2022, unauthorized individuals obtained access to the PII and PHI of Heartland’s clients, employees, and independent contractors.  Id.  In December 2022, Plaintiffs Tracy Wittmeyer and Audrey Appiakorang received notice that their PII and PHI were compromised in the data breach.  Id.  Plaintiffs alleged that they experienced various damages such as increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with the data breach, and, in particular as to Plaintiff Appiakorang, that someone fraudulently obtained car insurance in her name.  Id.

Plaintiffs filed a class action against Heartland for various claims, including: (i) negligence, (ii) negligence per se, (iii) breach of express contract, (iv) breach of implied contract, (v) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and (vi) a declaratory judgment and injunction.  Id.  Subsequently, Heartland moved to dismiss the lawsuit under Rule 12(b)(6).  Id.

The Court’s Decision

U.S. District Judge Jeremy C. Daniel granted Heartland’s motion to dismiss as to Plaintiffs’ negligence per se, express and implied breach of contract, violation of the ICFA, and declaratory judgment and injunction claims.  Id.  at * 7.

The Court, however, denied Heartland’s motion to dismiss Plaintiffs’ negligence claim.  Id. at *3.  Heartland asserted that it did not owe Plaintiffs a duty to safeguard their personal information.  Id.  The Court disagreed. It “decline[d] to find, as a matter of law, that Heartland owed no duty to the plaintiff to safeguard their personal information.”  Id.  (citing an amendment to the Illinois Personal Information Protection Act and the Illinois Appellate Court’s holding in Flores v. Aon Corp., 2023 IL App (1st) 230140,  at ¶ 23.).

The Court granted Heartland’s motion to dismiss Plaintiffs’ negligence per se claim.  Id.  Plaintiffs alleged that because Heartland failed to comply “with the FTCA and its corresponding obligations under HIPAA,” Plaintiffs were injured.  Id. at *4.  However, the Court reasoned that a violation of a statute only constitutes negligence per se “when it is clear that the legislature intended for the act to impose strict liability.”  Id. at *3.  Since Plaintiffs did not allege that either the FTCA or HIPAA imposed strict liability, the Court granted Heartland’s motion to dismiss.  Id. at *4.

The Court also granted Heartland’s motion to dismiss Plaintiffs’ breach of express and implied contract claims.  Id. at *4-6.  The Court dismissed Plaintiffs’ breach of express contract claim because they failed to allege facts in the complaint to demonstrate that the parties entered into an express contract regarding security measures for Plaintiffs’ PII and PHI.  Id. at *4.  While the Court observed that an implied contract could exist between the parties, because Plaintiffs’ complaint did not contain any allegations that the Plaintiffs suffered monetary damages as a result of the data breach, the Court dismissed its breach of implied contract claim.  Id. at *5-6.

Finally, the Court dismissed Plaintiffs’ ICFA and declaratory judgment and injunction claims. Id. at *6-7.  Under the ICFA, the Court opined that Plaintiffs were required to plead facts sufficient to demonstrate the existence of a “real and measurable” loss.  Id. at *6.  The Court dismissed Plaintiffs’ ICFA claim because it found that Plaintiffs failed to plausibly plead that they suffered an economic loss.  Id.  In addition, the Court dismissed Plaintiffs’ declaratory judgment and injunction causes of action, noting that while they are forms of relief, they are not cognizable, independent causes of action.  Id. at *7.

Implications For Data Breach Defendants

The decision in Wittmeyer v. Heartland Alliance for Human Needs & Rights serves as a roadmap for data breach class action defendants to utilize when preparing motions to dismiss.

Early in the litigation, data breach class action defendants typically move to dismiss a plaintiff’s complaint under Rule 12(b)(1) for lack of subject matter jurisdiction and/or, as Heartland did here, under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. Importantly, various jurisdictions across the United States have different approaches to the issue of whether various claimed damages (i.e., increased risk of fraud and identity theft, expenditure of time and effort in mitigating harms associated with a data breach, loss of value in PII and PHI, and emotional harms like anxiety and stress) can confer standing upon a plaintiff. Class action defendants should conduct a thorough review of their relevant jurisdiction’s holdings concerning the plaintiff’s claimed damages in support of any motion to dismiss.

 

Fifth Circuit Refuses To Revive EEOC COVID-Era Mask Bias Suit

By Gerald L. Maatman, Jr., Emilee N. Crowther, and Christian J. Palacios

Duane Morris Takeaways:  In EEOC v. U.S. Drug Mart, Inc., No. 23-50075, 2024 WL 64766, at *1 (5th Cir. Jan 5, 2024), the Fifth Circuit refused to resurrect an EEOC lawsuit alleging that a Texas pharmacy created a hostile work environment under the Americans with Disabilities Act (the “ADA”) by reprimanding an asthmatic employee for wearing a mask during the beginning of the COVID-19 pandemic.  This case illustrates the Fifth Circuit’s high evidentiary standards associated with establishing the existence of a hostile work environment, especially with regards to demonstrating that the conduct was “sufficiently severe or pervasive to alter the conditions of the victim’s employment.”  Id.

Background

The charging party, David Calzada, was a pharmacy technician at U.S. Drug Mart (d/b/a Fabens Pharmacy).  Id.  Mr. Calzada suffered from asthma, and elected to wear a face mask to work on March 26, 2020. Id.  However, after arrival, the store manager informed Mr. Calzada that mask-wearing violated the pharmacy’s policy, and instead of removing his mask, Mr. Calzada left for the day.  Id.  A few days later, when Mr. Calzada returned to work, his supervisors informed him that the pharmacy’s polices were updated and he was now permitted to wear a mask and gloves at work.  Id.  However, during the meeting, Mr. Calzada was repeatedly belittled by the head pharmacist and at one point called a “disrespectful stupid little kid.”  Id.  Mr. Calzada quit the same day. Id.

Mr. Calzada subsequently filed a charge of discrimination with the EEOC.  Id.  The EEOC brought suit against U.S. Drug Mart on his behalf, alleging the Texas pharmacy created a hostile work environment and constructively discharged Calzada based on the conduct of the store manager and head pharmacist.  Id.  The district court granted summary judgment in favor of U.S. Drug Mart in October of 2022. It determined that “an isolated instance of verbal harassment is generally not sufficient to support a hostile work environment claim.” EEOC v. United States Drug Mart, Inc., No. EP-21-CV-00232, 2022 WL 18539781, at *8 (W.D.Tex. 2022). The EEOC appealed on January 31, 2023.

The Fifth Circuit’s Ruling

The Fifth Circuit, in affirming the district court’s summary judgment decision, held that the EEOC was unable to establish a prima facie case for a hostile work environment claim because it was unable to prove that the head pharmacist’s harsh words were “sufficiently severe or pervasive to alter the conditions of the victim’s employment.”  EEOC, 2024 WL 64766, at *2.  The Fifth Circuit observed that although the head pharmacist’s behavior was “certainly brusque,” it fell well short of the Fifth Circuit’s fairly high standard for “severe” conduct.  Id.  The Fifth Circuit noted that the EEOC’s constructive discharge claim failed for the same reason, because proving constructive discharge required an even “greater degree of harassment than that required by a hostile work environment claim.”  Id.  Accordingly, the Fifth Circuit affirmed the district court’s grant of summary judgment in favor of the employer.

Implications For Employers

The COVID-19 pandemic was accompanied by a variety of novel legal theories and questions of first impression. One thing that remains the same, however, is the high evidentiary standard that plaintiffs need to satisfy to prove their hostile work environment claims, specifically with respect to the element of “severe and pervasive” conduct.

Texas Federal Court Greenlights EEOC Lawsuit Against Three Companies As Parts Of An Integrated Enterprise

By Gerald L. Maatman, Jr., Emilee N. Crowther, and Christian J. Palacios

Duane Morris Takeaways: In EEOC v. 1901 South Lamar, LLC, No. 1:23-CV-539, 2024 WL 41202, at *1 (W.D. Tex. Jan. 3, 2024), U.S. District Judge Robert Pitman adopted U.S. Magistrate Judge Susan Hightower’s recommendation to deny Defendants’ three Motions to Dismiss an EEOC pregnancy discrimination lawsuit. As Magistrate Judge Hightower’s recommendation illustrates, even smaller entities that would ordinarily not satisfy Title VII’s numerosity requirement cannot escape the EEOC’s grasp if they collectively operate as a single, integrated enterprise. 

Case Background

Defendants 1901 South Lamar, LLC d/b/a Corner Bar (“Corner Bar”), Revelry Kitchen & Bar, LLC (“RK&B”), and Revelry on the Boulevard, LLC (“ROTB”) (collectively, “Defendants”) hired Kellie Connolly (“Connolly”) in September 2020 to work at the Corner Bar in Austin, Texas.  Id. at *1. On January 31, 2021, Connolly informed the Defendants she was pregnant.  Id.  Two months later, after Connolly became visibly pregnant, the Defendants allegedly reduced her work hours.  Id.  On June 25, 2021, Connolly’s manager terminated her employment, stating that “she was becoming ‘too much of a liability’” and that they would part ways “until after the baby.”  Id.

The EEOC filed suit against the Defendants alleging they discriminated against Connolly on the basis of her pregnancy in violation of Title VII.  Id. In seeking to dismiss the lawsuit, the Defendants argued: (i) Corner Bar was not an “employer” under Title VII because it employed fewer than 15 employees during the relevant time period, and (ii) the Defendants were not an integrated single employer enterprise under Title VII.  Id. at *2.

The Court’s Decision

Magistrate Judge Hightower was unpersuaded by the Defendant’s arguments. As a preliminary matter, Magistrate Judge Hightower held that Title VII’s numerosity requirement was not jurisdictional, and could therefore not serve to support Defendant’s Motion to Dismiss for lack of subject- matter jurisdiction.

The Magistrate Judge then applied a four-factor test to determine whether these separate entities were a “single, integrated enterprise” under Title VII and concluded that the factors weighed in favor of the EEOC.  In particular, the Court found the following facts supported the EEOC’s “integrated business enterprise” allegations: (i) Defendants all shared bartending staff and inventory, (ii) utilized a single Director of Operations to handle all human-resources related services, (iii) jointly marketed their businesses, and (iv) utilized a disciplinary form that bore the logo of each of the Defendants.  Id. at *3.  Accordingly, the Magistrate Judge found that these facts could support a finding of centralized control of labor relations and recommended the District Court deny Defendants’ Motion to Dismiss. Id. at *4.

The Defendants challenged the order by way of Rule 72 objections. On January 3, 2024, District Court Judge Robert Pitman rejected the Rule 72 objections, and accepted and adopted the Magistrate Judge’s report and recommendation.

Implications For Companies

As the ruling in EEOC v. 1901 South Lamar, LLC, illustrates, even employers with fewer than 15 employees that would ordinarily be exempt from Title VII’s requirements may be sued by the EEOC, provided they have sufficiently integrated affiliates that would collectively put them over Title VII’s numerosity threshold.

Maryland Federal Court Reinstates Class Certification In Data Breach Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In the proceeding captioned In Re Marriott International Customer Data Security Breach Litigation, MDL No. 8:19-MD-02879, 2023 WL 8247865 (D. Md. Nov. 29, 2023), Judge John Preston Bailey of the U.S. District Court for the District of Maryland granted Plaintiff’s Motion for Class Certification and reinstated several previously-certified classes.  The defendant argued that class certification was improper, in part, because the putative class members signed a Choice of Law Provision that contained a class action waiver.  Conversely, the plaintiffs contended that the defendant waived its defense based on the Choice of Law Provision.  The Court held that (i) the defendant waived its Choice of Law Provision, and (ii) in the absence of an arbitration agreement, the Choice of Law Provision did not override the Rule 23 requirements.  For these reasons, this case serves as an important reminder for companies on the importance of the terms of contractual agreements in the context of seeking to arbitrate cases and potentially avoid class or collective actions.

Case Background

In 2016, Marriott purchased Starwood Hotels & Resorts Worldwide (“Starwood”), and inherited Starwood’s IT infrastructure provided by Accenture LLP (“Accenture”) for all Starwood properties.  Id.  In September 2018, Marriott learned that an unidentified party tried to gain access to the Starwood guest reservation database.  After an investigation, Marriott determined Starwood’s database was compromised from July 2014 through September 2018.  Id. *1.  On November 30, 2018, Marriott disclosed the data breach.  Id.

Thereafter, affected consumers filed suit against Marriott and Accenture nationwide.  Id.  Marriott requested that the actions be consolidated into one multi-district litigation (“MDL”) in the U.S. District Court for the District of Maryland, where Marriott is headquartered.  Id. * 4.  The case was consolidated, and the plaintiffs filed their joint MDL Complaint alleging various state law contract, statutory consumer protection, and state law negligence claims.  Id.  The plaintiffs then moved to certify various classes.  Id. *2.

The putative class included members of the Starwood Preferred Guest Program (“SPG”).  Id. *2.  Members of the SPG program signed a contract that contained a “Choice of Law and Venue” Provision (the “Choice of Law Provision”).  Id.  The Choice of Law Provision stated that any disputes related to the SPG program would “be handled individually without any class action” and would have exclusive jurisdiction in the State of New York.  Id.  Therefore, the defendant asserted that Rule 23(a)’s “typicality” requirement was not met because the class members were SPG program members, and the class contained both members and non-members of the SPG program.  Id.

The District Court agreed with the defendant, and redefined all classes to include only SPG members.  Id. *3.  However, by doing so, every putative class member was “someone who had purportedly given up the right to engaged in just such class litigation.”  In Re Marriott Int’l, Inc., 78 F.4th 677, 682-83 (4th Cir. 2023).  The District Court “did not further consider the import of the class waiver on its certification decision,” id. at 683, and granted certification as to three of the plaintiffs’ Rule 23(b)(3) and four Rule 23(c)(4) damages classes.  In Re Marriott Int’l, Inc., 341 F.R.D 128, 172-73 (D. Md. 2022).  Subsequently, the defendants appealed.

On appeal, the Fourth Circuit held that the District Court erred in failing to address whether or not the SPG members agreed to bar the certification of a class action.  In Re Marriott International, 2023 WL 8247865, at *3.  The Fourth Circuit vacated the class certification and remanded to the District Court to consider the effect of the Choice of Law Provision on the class.  Id.

The District Court’s Decision

The District Court concluded that (i) the defendants waived the Choice of Law Provision, and (ii) absent an arbitration agreement, Rules 23 and 42 prevailed over the parties’ Choice of Law Provision Id. Accordingly, the District Court reinstated the previously-certified classes.

First, the District Court analyzed the plaintiff’s position that the defendants waived the Choice of Law Provision.  It opined that “[w]aiver is the intentional relinquishment or abandonment of a known right.”  United States v. Olano, 507 U.S. 725, 733 (1993) (internal citations omitted).  The District Court reasoned that a party “waives a contractual provision when the party takes actions that are inconsistent with the provision.” In Re Marriott International, 2023 WL 8247865, at *4.  The District Court held the defense “clearly waived 5/6” of its Choice of Law Provision because the defendants: (1) requested consolidation into an MDL, which “is the antithesis of handling each claim on an individual basis”; (2) stated that “separately litigating each of the 59 related actions” would “offer no benefit” and heighten the burdens of all involved; and (3) stated venue was proper in Maryland and requested that the MDL be assigned to Maryland, which was inconsistent with the New York Choice of Law Provision.  Id.  As such, the District Court found that the defendants waived the Choice of Law Provision and all terms contained therein.  Id.

Second, the District Court held that it was not required to enforce the Choice of Law Provision outside of a binding arbitration provision.  Id. *8.  The Choice of Law Provision was “patently distinguishable” from “all of the reported cases on contractual class action waivers” because it did not have a mandatory arbitration clause.  Id. *7.  When parties agree to resolve their case in a non-judicial forum such as arbitration, “the Federal Rules have limited applicability”.  Id. *6. However, in the absence of such an agreement, the District Court opined that “[t]he parties cannot by agreement dictate that a district court must ignore the provisions of Rule 23 of the Federal Rules of Civil Procedure.”  Id. *7.  The District Court found that Rule 23 and Rule 42 do not “call for consideration of the parties’ preferences,” but rather “furtherance of efficient judicial administration.”  Id.  Thus, the District Court was not required to enforce the Choice of Law Provision, and held that the plaintiffs did not waive their right to bring a class action claim.  Id. *8 *(quoting Martrano v. Quizno’s Franchise Co., 2009 WL 1704469, at *20-21 (W.D. Pa. June 15, 2009)).

Implications For Companies

Companies should proactively review their arbitration agreements and class or collective action waivers to ensure that contractually agreed-upon terms can and will be imposed by a court.  Additionally, when faced with multiple nationwide claims, companies should analyze their case defense strategy and make an informed decision before filing and/or joining an MDL.  Finally, as part of any acquisition, companies should have their own data security team thoroughly vet and approve the acquired company’s security infrastructure prior to, or shortly after, the acquisition.

Illinois Federal Court Denies Class Certification In A Nationwide FCRA Lawsuit Due To Issues With Commonality, Adequacy Of Representation, And Predominance

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Sgouros v. Transunion Corp., No. 1:14-CV-01850, 2023 WL 6690474 (N.D. Ill. Oct. 12, 2023), Judge Sharon Johnson Coleman of the U.S. District Court for the Northern District of Illinois denied Plaintiff’s motion for class certification in a Fair Credit Reporting Act (“FCRA”) case because Plaintiff failed to satisfy the Rule 23 requirements of commonality, adequacy of representation, and predominance. For entities facing FCRA class actions, this decision provides a concise explanation of what factors courts may consider with respect to commonality, adequacy of representation, and predominance in ruling on a motion for class certification.

Case Background

In this litigation, Defendants are collectively a well-known American consumer credit reporting agency.  In 2013, Defendants offered a 3-in-1 Credit Report, Credit Score & Debt Analysis for consumers to purchase. The 3-in-1 report included a VantageScore, which, similar to a FICO score, looks at the information in a consumer’s credit report and generates a score to help lenders determine a consumer’s creditworthiness.

On June 10, 2013, Plaintiff purchased a 3-in-1 Credit Report and VantageScore from Defendants.  Id. at 1.  On the same day he purchased the report, Plaintiff alleged he was denied his desired auto loan because “the credit score the lender was provided was more than 100 points lower than the number contained in the VantageScore [Plaintiff] purchased.”  Id.

Plaintiff later testified he knew the VantageScore was “useless” in September 2012, and failed to provide an explanation as to why he purchased a VantageScore nine months after such realization.  Id.  Plaintiff also testified that, contrary to the allegations in his complaint, he did not buy the score in advance of his search for an auto loan, and “he did not read the TransUnion website content that accompanied the purchase of his VantageScore.”  Id.

In 2014, Plaintiff filed suit against Defendants alleging violations the Fair Credit Reporting Act (“FCRA”) and the Missouri Merchandising Practices Act (“MMPA”).  Id.  Plaintiff sought to represent a nationwide class and a Missouri-based class consisting of all persons “who purchased a VantageScore 1.0 Score through TransUnion Interactive’s website, or its predecessor website, during the period October 1, 2009, to September 1, 2015.”  Id.

The Court’s Decision

The Court held that Plaintiff failed to establish commonality, adequacy of representation, and predominance for both the FCRA and MMPA claims under Rule 23(a) and (b), and denied class certification. Id. at 6.

Rule 23(a)(2) – Commonality

Plaintiffs must demonstrate that “there are questions of law or fact common to the class” to meet the commonality requirement of Rule 23(a)(2).  Id. at 3.  Importantly, Plaintiff is required to “demonstrate that the class members ‘have suffered the same injury,’” and that the claims are “capable of classwide resolution.”  Id. (citing Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011)).   Plaintiff asserted five questions to establish commonality.  Id.  Overall, the Court found Plaintiff’s commonality questions were insufficient because they “merely restate[d] the core elements of statutory violations” and did not demonstrate “to what extent the class members suffered a common injury.”  Id.

Specifically as to the alleged FCRA violations, the “core liability dispute” was whether or not Defendants failed to supply the class “with a credit score . . . that assist[ed] the consumer in understanding the credit scoring assessment of the credit behavior of the consumer and predictions about the future credit behavior of the consumer.”  Id. at 2.  Plaintiff asserted that the VantageScore could not assist consumers in understanding their credit score assessment “because the VantageScore was not similar enough to a FICO score and or widely used by lenders.”  Id. at 4.  The Court disagreed. It held that because Plaintiff failed to present any argument or evidence “independent of a comparison to a FICO score,” Plaintiff’s common questions were not “capable of common answers,” and Rule 23(a)’s commonality requirement was not met.  Id.

Similarly, “[b]ecause [Plaintiff’s] MMPA common question . . . [was] premised on the same logic as the FCRA claim,” the Court found that “commonality was not met.”  Id.

Rule 23(a)(4) – Adequacy of Representation

A named plaintiff must also establish they can adequately serve as a class representative under Rule 23(a)(4).  Id.  A named plaintiff is inadequate if they “have serious credibility problems” or if they have “antagonistic of conflicting” interests to absent class members.  Id.  The Court held that Plaintiff was inadequate to represent the class on both the FCRA and MMPA claims due to Plaintiff’s questionable credibility and the inconsistencies in his deposition testimony.  Id. at 4-5.

Rule 23(b)(3) – Predominance

The plaintiff must also demonstrate that the putative class claims “predominate over any questions affecting only individual members,” and are “sufficiently cohesive to warrant adjudication by representation.”  Id. at 5.  The Court found that the FCRA’s statutory requirement of assisting a consumer in understanding their credit score is “necessarily individualized given the inherently personal nature how credit scores are calculated and consumers’ personal behaviors,” and predominance was not met.  Id.

Implications For Credit Reporting Companies

This ruling provides a straightforward analysis of what elements courts may find persuasive in ruling on a motion for class certification in an FCRA class action. It ought to be a required read for corporate counsel in any FCRA case.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress