Class certification denied for data breach claim brought by bank against retailer

Last week, the U.S. District Court for the Middle District of Alabama denied Southern Independent Bank’s (“Southern Independent’s”) motion for class certification following a data breach which allegedly affected over 2,000 financial institutions across the country. Southern Independent, a community bank located in south Alabama, brought a class action complaint against Fred’s in response to a data breach in which hackers, using malware installed on servers, harvested payment data from consumer debit cards used at Fred’s stores.

As the district court’s opinion outlines, the data breach not only caused damage to the consumers, but also to the financial institutions that initially issued the debit cards to their customers. Southern Independent and over 2,000 financial institutions encompassed in Southern Independent’s motion for class certification serve as issuing banks when they provide credit or debit cards to their customers. A company such as Fred’s then relies on an acquiring bank in order to access the payment networks between Visa, Mastercard, and issuing banks like Southern Independent.  In order to participate in this complex payment network and accept credit or debit cards from its customers, Fred’s is contractually bound to comply with the payment card industry’s data security standards (“PCI-DSS”).  The court summarized the relationship between the financial institutions and merchants succinctly, observing that payment card networks are “built on a web of contractual arrangements.”

As such, when a merchant such as Fred’s suffers a data breach, the financial institutions operating as issuing banks also experience the ripple effect of damages from the infiltration. Southern Independent claims that it, along with a class of 2,500 “financial institutions including, but not limited to banks and credit unions in the United States” suffered damages including actual fraud losses, card reissuance costs, lost revenue, and ancillary costs stemming from Fred’s negligent failure to maintain adequate cybersecurity in compliance with the PCI-DSS.

In his opinion, U.S. District Court Judge Watkins acknowledged that the 2,500 financial institutions in Southern Independent’s proposed class were sufficient to satisfy the numerosity requirement under Federal Rule of Civil Procedure 23(a). Judge Watkins also agreed with the parties that all of the financial institutions in the proposed class would have common questions of fact as to whether Fred’s maintained adequate cybersecurity features. While Southern Independent may be entitled to a different amount of damages than the other issuing banks, the district court found that Southern Independent’s claims would be typical of those in the class because the negligence claims would all arise out of the same event, pattern or practice.  Finally, Southern Independent was also held to be an adequate class representative based on the lack of any conflicts between Southern and the rest of the class as well as Southern Independent’s interest in prevailing in litigation against Fred’s.

Despite the court’s conclusion that Southern satisfied the elements for class certification under Federal Rule of Civil Procedure 23(a), it could not ultimately support a grant of class certification. Southern Independent sought certification under Federal Rule of Civil Procedure 23(b)(3) which, in addition to the requirements outlined above, also mandates that adjudication as a class must be superior to other available methods and that common questions of law and fact predominate.  Alabama’s choice of law rules would necessitate adjudicating claims of negligence under the laws of each plaintiff’s jurisdiction.  The court concluded that doing so for over 2,000 financial institutions would require trying a negligence case under the laws of all fifty-one United States jurisdictions.  That immense logistical burden, coupled with factual disputes as to whether Southern Independent’s customers may have had their financial data compromised elsewhere and whether Southern Independent incurred unreasonable costs in response to the data breach, led the court to advance the case as an individual negligence action brought by Southern Independent against Fred’s.

While this opinion is instructive for those litigating class actions on behalf of financial institutions such as Southern Independent, it also serves as a cautionary tale to banks and credit unions whose payment cards are used in these payment networks and are subject to the PCI-DSS. As consumers’ dependence on technology as a form of payment increases, data breaches such as that experienced by Fred’s will only become more prevalent. It is of paramount importance for financial institutions to confirm compliance with PCI-DSS, to monitor consumer accounts closely for potentially fraudulent activity, and to act quickly upon notification of a cyber attack in order to prevent or mitigate potential damages in similar claims, whether as a class or an individual action.