Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Southern Independent Bank v. Fred's Inc.

United States District Court, M.D. Alabama, Northern Division

March 13, 2019

SOUTHERN INDEPENDENT BANK, Plaintiff,
v.
FRED'S, INC., Defendant.

          MEMORANDUM OPINION AND ORDER

          W. KEITH WATKINS UNITED STATES DISTRICT JUDGE

         This putative class action is about a harm that is becoming all too common in modern technological society: a data-security breach. Defendant Fred's, Inc. (“Fred's” or “Defendant”), a retail chain selling general goods, found this out the hard way when hackers gained access to two servers carrying its customers' payment information, potentially resulting in thousands of cases of identity theft. Those customers are not the plaintiffs here, though. The plaintiffs are those customers' banks - the banks who issued the credit and debit cards the hackers pilfered (“issuing banks”) - about 2, 500 banks. Those banks, which Plaintiff Southern Independent Bank (“SIB” or “Plaintiff”) seeks to represent as a nationwide class, claim damages in the form of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs that they say stemmed from Fred's negligent failure to maintain adequate cybersecurity.

         But this is no straightforward negligence claim. Four things make this negligence claim more complicated than normal. First, Alabama's choice-of-law rules mandate that the laws of each potential plaintiff's home state govern the negligence claim. With about 2, 500 potential plaintiffs, the parties agree that the laws of all fifty-one United States jurisdictions (the fifty states plus the District of Columbia) are in play. Second, Plaintiffs do not claim any kind of property or personal injury damages, only economic losses, i.e., lost money. This would lead some state courts to bar Plaintiffs' negligence claim entirely. Third, there is no direct contractual relationship between Plaintiffs and Defendant, although the parties are connected indirectly through the network of contracts that makes up the payment industry. This nuance would lead some state courts to evaluate Plaintiffs' negligence claim under a slightly different rubric. Fourth, proving damages for a nationwide class of banks is not easy. There are questions as to whether some of SIB's customers had their cards stolen elsewhere. There are questions as to whether SIB incurred unreasonable costs in response to the Fred's breach. These questions apply to most, if not all, other banks in the putative class. As explained more fully below, these four considerations counsel against class action treatment of this case.

         Before the court are Plaintiff's motion for class certification (Doc. # 41) and two Daubert motions (Docs. # 44, 46) to exclude expert testimony regarding issues raised by the motion for class certification. Those Daubert motions are: (1)

         Defendant's motion to exclude Plaintiff's expert Ian Ratner's testimony on the issues of causation and reasonableness of damages (Doc. # 44); and (2) Plaintiff's motion to exclude Defendant's expert Tony Emrick's testimony on the issue of the reasonableness of Plaintiff's incurred costs in the wake of the data breach (Doc. # 46). Related to the class-certification motion are Defendant's motion for leave to file an instanter sur-reply brief opposing certification (Doc. # 50), and Plaintiff's objection to that motion (Doc. # 57). For the following reasons, both Daubert motions will be denied; the motion for class certification will be denied; and Defendant's motion for leave to file a sur-reply will be granted. The court has considered both Defendant's sur-reply and Plaintiff's response in its review of the class-certification motion.

         I. JURISDICTION AND VENUE

         Subject-matter jurisdiction is proper under the Class Action Fairness Act, 28 U.S.C. § 1332(d). The putative class consists of over 100 members, the amount in controversy is over $5, 000, 000, and there is minimal diversity between the parties. The parties do not contest personal jurisdiction or venue.

         II. BACKGROUND

         A. The Parties

         Plaintiff Southern Independent Bank is a community bank located in south Alabama. SIB issues debit cards to its customers. Defendant Fred's is a retail chain selling discount general merchandise and is located primarily in the Southeast. Fred's accepts debit and credit cards, including cards issued by SIB, as payment at its stores. When a card is swiped, that card information is transmitted from the store to Fred's servers at its headquarters in Memphis, then routed to Fred's acquiring bank, Bank of America Merchant Services. (Doc. # 41-41, at 21.)

         B. Overview of the Payment Card Industry

          SIB and Fred's are part of “payment card networks, ” which Visa and MasterCard use to facilitate transactions between sellers and buyers. Financial institutions that make up these networks can be “issuing” or “acquiring” banks, or both. An issuing bank like SIB issues credit or debit cards to its customers with the Visa or MasterCard logo. The logo allows the holder to use the card at any merchant like Fred's where Visa or MasterCard is accepted. Acquiring banks are on the other side of the transaction. Acquiring banks get merchants into the payment networks. They contract with merchants so that the merchants may accept debit and credit cards as payment. Merchants do not have a direct relationship with Visa or MasterCard; they need an acquiring bank to sponsor them into the payment networks.

         Both kinds of banks, issuing and acquiring, are bound by Visa and MasterCard's extensive rules by contract with the card brands. Among those rules is the payment card industry's data security standard (“PCI-DSS”). When a merchant like Fred's comes into the payment network through an acquiring bank, the contract between the merchant and the acquiring bank also binds the merchant to Visa and MasterCard's rules, including the PCI-DSS. (See Docs. # 45-1, 45-11, at 11-12.)

         When a customer presents a card to make a purchase, the cashier swipes the card, and certain information is collected from the card and transmitted through the acquiring bank to the issuing bank. The issuing bank then approves or declines the transaction based on an automated series of rules, including whether the customer has enough money in his account or enough credit. If approved, the merchant is reimbursed for the charge by the acquiring bank. The acquiring bank receives a fee from the merchant for each transaction, called a “merchant discount.” The issuing bank then reimburses the acquiring bank. In doing so, the issuing bank collects a portion of the merchant discount called an “interchange fee.” Interchange fees are intended to compensate issuing banks for card processing costs and losses due to fraudulent charges. (See Doc. # 45-1, at 7, 9-10.)

         Thus, payment card networks are built on a web of contractual arrangements, containing incentives and allocations of risk. Below is an illustration of how the parties to these networks are related, based on diagrams the United States District Court for the District of Colorado and the Seventh Circuit used in similar cases[1]:

         (Image Omitted)

         The vertical lines with arrows starting from Visa and MasterCard and moving downward represent the series of contractual relationships that parallel the two sides of the payment card networks. The horizontal line at the bottom connecting cardholders and merchants represents the connection between the two sides when cardholders transact with merchants. Finally, the diagonal line represents the relationship this lawsuit is about: the one between a merchant (Fred's) and an issuing bank (SIB). The Seventh Circuit explained that the theory of recovery represented by the diagonal line would be a “new form of liability . . . in addition to the remedies already provided by the contracts governing the card payment systems.” Cmty. Bank of Trenton, 887 F.3d at 808.

         C. The Fred's Breach and Aftermath

          On March 23, 2015, hackers, using malware installed on Fred's servers, gained access to those servers and began harvesting payment data from the cards that were used at Fred's. (Doc. # 45-11, at 49.) Their malware captured only the card number, not the cardholder's name, expiration date, or printed security code. (See Docs. # 45-11, at 49, 45-2, at 8-9.) Hackers had access to the servers until April 24, 2015 - a breach window of about a month. (Doc. # 45-11, at 49.) But Fred's did not find out about the breach until May 29, 2015. (See Doc. # 41-18.) Whether Fred's was in compliance with the PCI-DSS when the breach occurred is a disputed issue, but is not relevant for class-certification purposes.

         Fred's hired cybersecurity firm Mandiant to do a forensic investigation of the data breach and issue a report, which was given to Visa and MasterCard. (Doc. # 41-19.) The report confirmed that the malware could access payment data on Fred's servers from March 23 to April 24, 2015. (See Doc. # 41-19.) Accordingly, Visa and MasterCard issued what are known as compromised account management system (CAMS) alerts to any issuing bank whose customers used their cards at Fred's during that timeframe. (Doc. # 45-1, 12-13.) CAMS alerts do not say whether fraudulent activity occurred on a card; they merely give notice that payment data has been exposed. (Doc. # 45-1, 12-13.) About 2, 500 banks received CAMS alerts related to the Fred's breach. (See Doc. # 45-13.)

         SIB was one of those banks. CAMS identified 402 SIB-issued payment cards that were exposed by the Fred's breach. (Doc. # 41-40, at 15.) Fifty of those cards suffered fraudulent charges. (Doc. # 41-40, at 15.) SIB responded by contacting all those cardholders by phone and asking whether they would like to receive a new card. (Doc. # 41-40, at 15.) SIB eventually reissued just over half of the cards. (Doc. # 45-5, at 4.) Whether these actions were reasonable, and thus whether SIB's claimed damages are appropriate, is hotly disputed, and is relevant both at the class-certification stage and at trial.

         D. This Lawsuit

         SIB filed this class-action complaint on October 30, 2015, asserting two theories of recovery against Fred's: (1) negligence for maintaining inadequate data security; and (2) negligent misrepresentation for saying that it had adequate data security when in fact it did not. (See Doc. # 1.) Fred's estimates, without dispute, that the putative class consists of approximately 2, 500 issuing banks who issued about 1 million cards that were used at Fred's during the breach window. (Doc. # 45, at 23.) SIB summarizes damages for all these banks as consisting of actual fraud losses, card reissuance costs, lost revenue, and ancillary costs. (Doc. # 41, at 34.)

         Fred's moved to dismiss both counts under Alabama law only. (See Doc. # 14.) The case was reassigned from a senior district judge of this court to a visiting judge assisting this district during a judicial emergency. (Doc. # 23.) That judge granted Fred's motion to dismiss as to the negligent misrepresentation claim but denied it as to the negligence claim, reasoning that SIB had made out a claim for negligence against Fred's under Alabama law. (See Doc. # 24.) Fred's sought reconsideration of the motion with respect to the surviving negligence claim or, in the alternative, for the court to certify the question to the Alabama Supreme Court. (See Doc. # 28.) That motion was denied after being fully briefed, (Doc. # 37), and the case proceeded to discovery in anticipation of the motion for class certification. After the parties briefed the pending motions, including the class-certification motion, the case was reassigned to the original senior district judge, (Doc. # 59), and then to the undersigned on August 17, 2018, (Doc. # 60).

         III. STANDARD OF REVIEW A.

         Rule 702 and Daubert Standard

         The admissibility of expert testimony is governed by Federal Rule of Evidence 702 and Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1999), and its progeny. Rule 702 provides:

         A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

(a) The expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) The testimony is based on sufficient facts or data;
(c) The testimony is the product of reliable principles and methods; and
(d) The expert has reliably applied the principles and methods to the facts of the case.

Fed. R. Evid. 702.

         In Daubert, the Supreme Court emphasized that Rule 702 assigns the trial court a gatekeeping role to “ensure that any and all scientific testimony or evidence admitted is not only relevant, but reliable.” 509 U.S. at 589, 597; see also Kumho Tire Co. v. Carmichael, 526 U.S. 137, 141 (1999) (“[T]he Federal Rules of Evidence ‘assign to the trial judge the task of ensuring that an expert's testimony rests both on a reliable foundation and is relevant to the task at hand.'” (quoting Daubert, 509 U.S. at 596)). This gatekeeping responsibility is the same when the trial court is considering the admissibility of testimony based upon “‘technical' and ‘other specialized knowledge.'” Kumho Tire, 526 U.S. at 141 (quoting Fed.R.Evid. 702).

         In light of Daubert's “gatekeeping requirement, ” the Eleventh Circuit requires district courts to engage in a “rigorous three-part inquiry” for assessing the admissibility of expert testimony under Rule 702:

Trial courts must consider whether: “(1) [T]he expert is qualified to testify competently regarding the matters he intends to address; (2) the methodology by which the expert reaches his conclusions is sufficiently reliable as determined by the sort of inquiry mandated in Daubert; and (3) the testimony assists the trier of fact, through the application of scientific, technical, or specialized expertise, to understand the evidence or to determine a fact in issue.”

United States v. Frazier, 387 F.3d 1244, 1260 (11th Cir. 2004) (quoting City of Tuscaloosa v. Harcros Chems., Inc., 158 F.3d 548, 562 (11th Cir. 1999)). These requirements are known as the “qualifications, ” “reliability, ” and “helpfulness” prongs. See Id. “The burden of establishing qualification, reliability, and helpfulness rests on the proponent of the expert opinion, ” id., and the proponent must meet its burden by a preponderance of the evidence. Boca Raton Cmty. Hosp., Inc. v. Tenet Health Care Corp., 582 F.3d 1227, 1232 (11th Cir. 2009); see also Allison v. McGhan Med. Corp., 184 F.3d 1300, 1306 (11th Cir. 1999) (“The burden of laying the proper foundation for the admission of expert testimony is on the party offering the expert, and the admissibility must be shown by a preponderance of the evidence.” (citing Daubert, 509 U.S. at 592, n.10)).

         As to qualifications, “experts may be qualified in various ways, ” including by scientific training, education, and experience. Frazier, 387 F.3d at 1260. “Whether a proposed expert's experience is sufficient to qualify the expert to offer an opinion on a particular subject depends on the nature and extent of that experience.” United States v. Cunningham, 679 F.3d 335, 379 (6th Cir. 2012). “If the witness is relying solely or primarily on experience, then the witness must explain how that experience leads to the conclusion is reached, why that experience is a sufficient basis for the opinion, and how that experience is reliably applied to the facts.” Fed.R.Evid. 702 advisory committee note (2000 amends.). Courts must also be mindful that “[e]xpertise in one field does not qualify a witness to testify about others.” Lebron v. Sec'y of Fla. Dept. of Children & Families, 772 F.3d 1352, 1368 (11th Cir. 2014).

         But “so long as the expert is at least minimally qualified, gaps in his qualifications generally will not preclude admission of his testimony, as this relates more to witness credibility and thus the weight of the expert's testimony, than to its admissibility.” Henderson v. Goodyear Dunlop Tires N. Am., Ltd., Nos. 3:11-CV-295-WKW, 3:12-CV-510-WKW, 2013 WL 5729377, at *6 (M.D. Ala. Oct. 22, 2013) (quoting Trilink Saw Chain, LLC v. Blount, Inc., 583 F.Supp.2d 1293, 1304 (N.D.Ga. 2008)).

         As to reliability, trial courts retain “considerable leeway in deciding in a particular case how to go about determining whether particular expert testimony is reliable.” Kumho Tire, 526 U.S. at 152. The focus of reliability “must be solely on principles and methodology, not on the conclusions they generate.” Daubert, 509 U.S. at 595. After all, “Daubert does not require certainty; it requires only reliability.” Hendrix ex rel. G.P. v. Evenflo Co., 609 F.3d 1183, 1198 n.10 (11th Cir. 2010). But district courts may reject expert testimony that is based on sound methodology when “there is simply too great an analytical gap between the data and the opinion proffered.” Gen. Elec. Co. v. Joiner, 522 U.S. 136, 146 (1997).

         Finally, whether the expert testimony will assist the trier of fact in understanding the evidence or a fact in issue “goes primarily to relevance.” Daubert, 509 U.S. at 591. “Expert testimony which does not relate to any issue in the case is not relevant and, ergo, non-helpful.” Id. (citation and internal quotation marks omitted).

         The court's gatekeeping role under Daubert “is not intended to supplant the adversary system or the role of the jury.” Allison v. McGhan, 184 F.3d 1300, 1311 (11th Cir. 1999). “Once an expert opinion has satisfied Daubert, a court may not exclude the opinion simply because it believes that the opinion is not - in its view - particularly strong or persuasive. The weight to be given to admissible expert testimony is a matter for the jury.” Seamon v. Remington Arms Co., LLC, 813 F.3d 983 (11th Cir. 2016). Where the basis of expert testimony satisfies Rule 702, “[v]igorous cross-examination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence.” Daubert, 509 U.S. at 596.

         B. Rule 23 Standard

          “The class action is ‘an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only.'” Comcast Corp. v. Behrend, 133 S.Ct. 1426, 1432 (2013) (quoting Califano v. Yamasaki, 442 U.S. 682, 700-01 (1979)). To avail himself of this exception, a plaintiff seeking class certification bears the burden of proving that he has satisfied the four Rule 23(a) prerequisites - often shorthanded as numerosity, commonality, typicality, and adequacy - and that the class action will meet one of the three requirements of 23(b). Fed.R.Civ.P. 23(a), (b); see Brown v. Electrolux Home Prods., Inc., 817 F.3d 1225, 1233 (11th Cir. 2016) (“All else being equal, the presumption is against class certification because class actions are an exception to our constitutional tradition of individual litigation.”). The burden is one of proof, not pleading, Brown, 817 F.3d at 1233, and requires the district court to undertake a “rigorous analysis” to determine the propriety of certification, Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 161 (1982). Although this rigorous analysis frequently “entail[s] some overlap with the merits of the plaintiff's underlying claim, ” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 351 (2011), “the district court can consider the merits ‘only' to the extent ‘they are relevant to determining whether the Rule 23 prerequisites for class certification are satisfied, '” Brown, 817 F.3d at 1234 (quoting Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S.Ct. 1184, 1195 (2013)).

         Plaintiff seeks certification of a damages class under Rule 23(b)(3). As a result, along with the Rule 23(a) prerequisites, it must also prove predominance and superiority - that is, “that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3). The court must determine any facts supporting Rule 23 findings by a preponderance of the evidence.[2] Stein v. Monterey Fin. Servs., Inc., No. 2:13-CV-1336-AKK, 2017 WL 412874, at *4 (N.D. Ala. Jan. 31, 2017); In re Delta/AirTran Baggage Fee Antitrust Litig., 317 F.R.D. 675, 679 (N.D.Ga. 2016).

         III. DISCUSSION

         “[W]hen an expert's report or testimony is critical to class certification, ” the court must resolve any Daubert objections before ruling on the motion for class certification. Sher v. Raytheon Co., 419 Fed.Appx. 887, 890 (11th Cir. 2011) (quoting American Honda Motor Co. v. Allen, 600 F.3d 813, 815-16 (7th Cir. 2010)). The court finds that the challenged experts' testimony is critical to class certification. As discussed more fully below, Plaintiff must show that causation and damages are provable on a classwide basis. Ian Ratner's expert testimony purports to do just that by utilizing the CAMS alert system. And Defendant argues that Plaintiff acted unreasonably in responding to the Fred's breach, making Plaintiff an atypical and inadequate class representative and creating individualized damages questions that affect predominance. Tony Emrick's testimony puts meat on the bones of that argument by explaining how Plaintiff used more resources dealing with the Fred's breach than it should have. The court therefore finds it necessary to resolve the Daubert objections to Ratner and Emrick's testimony before turning to the motion for class certification.

         A. The Daubert Motions

         The parties filed cross Daubert motions to exclude the testimony of one of the other side's experts. For the reasons discussed below, each of those motions is denied, and the court has considered both experts' testimony in addressing the motion for class certification.

         1. Ian Ratner's Testimony Is an ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.