On May 3, a federal judge in Maryland bucked this trend by certifying a class of Marriott hotel guests whose personal information was potentially exposed in a data breach. See In re Marriott International Customer Data Securities Breach Litigation, No. 19-MD-2879 (D. Md. May 3, 2022). The novel “overpayment theory” of damages at the center of the Marriott class certification analysis cut through many of the problems of individualized harm that have stymied efforts to certify data breach classes in the past. This theory could represent a major change to the landscape of consumer data breach litigation.
Historically, Individualized Harm Issues Blocked Certification in Breach Cases
At first blush, a data breach looks like a perfect fit for the class action model: one specific incident involving thousands of victims, where the harm suffered by each is often too small to justify pursuing a claim individually, and where common issues exist (in particular, the adequacy of a company’s data security measures). In fact, a few data breach cases have resulted in class certification and even in large class settlements.
Yet even the most headline-grabbing data breaches have proven notoriously difficult to certify as a class action for damages. The major hurdle has been the amorphous and variable nature of the harm suffered by consumers whose data is exposed. While all victims of a breach may face a risk of identity theft or other harm, they will often have been concretely injured in different ways—or none at all.
Some consumers can show they suffered identity theft following the breach, but many cannot. Some can show they had to spend hours dealing with their banks to refund fraudulent purchases, but many cannot. Some will have mitigated their damages by promptly canceling credit cards, but many will not.
Even where a consumer can point to a concrete cost incurred or injury suffered, breaches are unfortunately so common it will often be difficult to prove the injury resulted from the particular data breach at issue rather than that their information made its way into the wrong hands by means of some earlier breach.
These problems of individualized standing, damages and causation issues have historically resulted in courts denying class certification based on a failure of data breach claims to satisfy the requirement of Rule 23(b)(3) that “questions of law or fact common to class members predominate over any questions affecting only individual members.” See, e.g., South Independent Bank v. Fred’s, No. 2:15-CV-799 (M.D. Ala. Mar. 13, 2019) (denying certification where “the amount of fraud incurred on each card, and lost revenue necessarily requires an inquiry into the circumstances of each card reissuance and reimbursement”); In re Hannaford Bros. Customer Data Securities Breach Litigation, 293 F.R.D. 21 (D. Me. 2013) (denying certification because while there were common questions of liability, “where things differ is in the actual impact on particular cardholders”).
The ‘Marriott’ Opinion and the ‘Overpayment Theory’ of Harm
The court in Marriott, by contrast, found that common issues predominated and certified a class based on a novel “overpayment theory.” Marriott involved what the court called “one of the largest data breaches in history,” in which hackers were able to access over 133 million records in Marriott’s Starwood guest reservation database (Marriott acquired Starwood Hotels and Resorts in 2016). Plaintiffs sued both Marriott and Accenture, the data security consultant Starwood used, and moved to certify a variety of classes based on breach of contract, negligence, and various states’ consumer protection statutes.
Unlike other consumers suing for a data breach, the plaintiffs in Marriott were not seeking compensation for the class based on actual identity theft, or even having to spend time cancelling cards and dealing with banks. Instead, they offered (in addition to one other theory the court rejected) an “overpayment theory” of harm, i.e., that had Starwood’s allegedly “inadequate data security” been publicly known, it would have decreased demand and resulted in lower prices for the hotel rooms. Consequently, plaintiffs argued, hotel guests “overpaid for their respective hotel stays as a result of Marriott’s alleged data security failures.”
The court acknowledged that it would be “one of the first to certify Rule 23(b)(3) classes involving individual consumers complaining of a data breach,” but found that classes based on the overpayment theory satisfied all the requirements of Rule 23. The court noted that unlike in other breach cases where certification was denied, “overpayment damages are not wrapped up in individualized causation issues like damages related to identity theft, time spent responding to the data breach, or other out-of-pocket losses would be.”
Implications for Future Breach Cases
The Marriott court’s acceptance of the overpayment theory as a basis for certifying a class of damages claims could represent the beginning of a major shift in how data breaches are litigated. If courts accept this theory, potential issues with standing may melt away—everyone who paid the market price for a good or service is arguably injured, regardless of what they did following the breach or whether their personal data was ever misused.
Causation issues may similarly disappear. If the premise is accepted that demand for goods and services will decrease where the company providing them inadequately protects consumer data, then every “overpayment” at the market price is arguably an actionable harm and it may become irrelevant whether a particular consumer’s data was already exposed in some prior breach.
Similarly, damages may be susceptible to classwide proof as plaintiffs may offer a formula for calculating the difference between the market price and the price in a but-for world where a company’s data vulnerabilities are publicly known. Mitigation of damages could also become a non-issue. Unlike the more traditional harms related to a data breach such as identity theft, there is arguably no clear way a consumer can “mitigate” their harm after they have supposedly overpaid for something.
All of these features of the overpayment theory could mean a much clearer path to class certification than other theories of harm in the data breach context, as they remove most of the individualized damages, standing and causation obstacles to satisfying the predominance requirement of Rule 23(b)(3).
Importantly, there is no clear reason this theory of harm would be limited to hotel rooms. Any good or service paid for by consumers who provide personal information as part of the purchase could be amenable to this theory. Accordingly, it seems likely that consumers affected by data breaches in other industries may take a page out of the Marriott plaintiffs’ playbook and start framing their harm less as an increased risk of identity theft and more as having paid more than they would have had they known their data would not be in safe hands.
Should we expect, then, for Marriott to open the floodgates and guarantee class treatment for future data breach claimants? Not necessarily. The overpayment theory would support class-wide damages only where the ultimate victims of the breach directly paid the defendant for something. It would be difficult to apply to, for example, data breaches involving government entities, non-profits, or third parties that handle consumer data (such as on behalf of another company) without directly receiving payment from those consumers.
Notably, the Marriott court carved out of its class definition hotel guests who didn’t actually bear the cost of their rooms, such as because they were reimbursed for work travel—and certified damages classes only as to Marriott, not its data security consultant Accenture. Further, the court only applied the overpayment theory to contract claims and to satisfy the injury element of claims based on consumer protection statutes. The court did not apply it as a theory of harm for the plaintiffs’ negligence claims. The court was also careful to note that the overpayment theory permitted a finding of predominance as to the contract claims because the contract in question was a classic form contract (and so presented no variability among class members), and as to the state consumer protection claims because the relevant statutes did not require individual proof of reliance by each consumer on the alleged omissions about data security risks.
Time will tell whether the Marriott opinion and its novel certification of a class using the overpayment theory proves to be an outlier or a harbinger of things to come. Regardless, even the potential of this theory to remove major roadblocks to class certification suggests companies that handle consumer data would be wise to pay more attention than ever to cybersecurity.
Nick Snavely is a partner with the law firm Redgrave LLP. An experienced litigator, he focuses his practice on complex issues related to data privacy, e-discovery, and information governance. He can be reached at nsnavely@redgravellp.com.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.