[BreachExchange] Superior Court of Pennsylvania Denies Data Breach Class Certification

[Audrey McNeil]

http://www.jdsupra.com/legalnews/superior-court-of-pennsylvania-denies-30918/

In an encouraging development for data breach defendants, the Superior
Court of Pennsylvania recently affirmed a trial court decision rejecting
class certification in a suit filed against two Medicare programs for
losing a flash drive containing personal information of 286,000
subscribers. The appellate court found that since the Philadelphia Court of
Common Pleas “carefully considered the numerosity, typicality, adequacy of
representation, and fair and efficient method of adjudication requirements
for class certification,” it had not abused its discretion by denying class
certification in March 2015.  More broadly, the decision (Baum v. Keystone
Mercy Health Plan, et al., No. 1250 EDA 2015 (Pa. Super. April 26, 2016))
indicates a resistance to permitting class claims to move forward where
members have not suffered an ascertainable loss and where individual issues
predominate, which may be the case in many data breach suits.

In the opinion, the Superior Court took a close look at Pa.R.C.P. 1702,
which defines Pennsylvania’s prerequisites to class certification.
Ultimately, the Superior Court found that the claim, alleging deceptive
conduct under the catch-all provision of Pennsylvania’s Unfair Trade
Practices and Consumer Protection Law, fell short on three of the five Rule
1702 factors.

At the trial court and on appeal, plaintiff, suing on behalf of his minor
child, urged that class treatment was appropriate for the individuals whose
information—including member identification numbers, social security
numbers, and lab results—was contained on a flash drive that was misplaced
and never recovered.

According to the Superior Court, it was proper for the trial court to
conclude that the claims failed to meet the typicality requirement of Pa.
R.C.P. 1702(3), where the information on the flash drive would not identify
plaintiff’s daughter, because plaintiff couldn’t claim to represent class
members who could be identified via the lost data. Additionally, the
Superior Court noted that plaintiff did not suffer an ascertainable loss.

The Superior Court also approved of the trial court’s finding that in this
context, individual issues would predominate over a common one, so
plaintiff could not fairly and adequately assert and protect a class
interest as required by Pa. R.C.P. 1702(4).

Finally, considering Pa. R.C.P. 1702(5), the Superior Court found that a
class action would not be a fair and efficient means of resolving the suit,
given that “individual concerns predominate over any common issues of
liability” in the case.

Given the size of many putative data breach classes, the predominance of
individual issues and presence of members without ascertainable losses are
not uncommon occurrences. In Pennsylvania, the Baum decision provides
valuable insight as to what litigants can expect in similar circumstances.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160516/a8892fc3/attachment.html>