United States District Court, M.D. Alabama, Northern Division
MEMORANDUM OPINION AND ORDER
W.
KEITH WATKINS UNITED STATES DISTRICT JUDGE
This
putative class action is about a harm that is becoming all
too common in modern technological society: a data-security
breach. Defendant Fred's, Inc. (“Fred's”
or “Defendant”), a retail chain selling general
goods, found this out the hard way when hackers gained access
to two servers carrying its customers' payment
information, potentially resulting in thousands of
cases of identity theft. Those customers are not the
plaintiffs here, though. The plaintiffs are those
customers' banks - the banks who issued the credit and
debit cards the hackers pilfered (“issuing
banks”) - about 2, 500 banks. Those banks, which
Plaintiff Southern Independent Bank (“SIB” or
“Plaintiff”) seeks to represent as a nationwide
class, claim damages in the form of actual fraud losses, card
reissuance costs, lost revenue, and ancillary costs that they
say stemmed from Fred's negligent failure to maintain
adequate cybersecurity.
But
this is no straightforward negligence claim. Four things make
this negligence claim more complicated than normal. First,
Alabama's choice-of-law rules mandate that the laws of
each potential plaintiff's home state govern the
negligence claim. With about 2, 500 potential plaintiffs, the
parties agree that the laws of all fifty-one United States
jurisdictions (the fifty states plus the District of
Columbia) are in play. Second, Plaintiffs do not claim any
kind of property or personal injury damages, only economic
losses, i.e., lost money. This would lead some state
courts to bar Plaintiffs' negligence claim entirely.
Third, there is no direct contractual relationship
between Plaintiffs and Defendant, although the parties are
connected indirectly through the network of contracts that
makes up the payment industry. This nuance would lead some
state courts to evaluate Plaintiffs' negligence claim
under a slightly different rubric. Fourth, proving damages
for a nationwide class of banks is not easy. There are
questions as to whether some of SIB's customers had their
cards stolen elsewhere. There are questions as to whether SIB
incurred unreasonable costs in response to the Fred's
breach. These questions apply to most, if not all, other
banks in the putative class. As explained more fully below,
these four considerations counsel against class action
treatment of this case.
Before
the court are Plaintiff's motion for class certification
(Doc. # 41) and two Daubert motions (Docs. # 44, 46)
to exclude expert testimony regarding issues raised by the
motion for class certification. Those Daubert
motions are: (1)
Defendant's
motion to exclude Plaintiff's expert Ian Ratner's
testimony on the issues of causation and reasonableness of
damages (Doc. # 44); and (2) Plaintiff's motion to
exclude Defendant's expert Tony Emrick's testimony on
the issue of the reasonableness of Plaintiff's incurred
costs in the wake of the data breach (Doc. # 46). Related to
the class-certification motion are Defendant's motion for
leave to file an instanter sur-reply brief opposing
certification (Doc. # 50), and Plaintiff's objection to
that motion (Doc. # 57). For the following reasons, both
Daubert motions will be denied; the motion for class
certification will be denied; and Defendant's motion for
leave to file a sur-reply will be granted. The court has
considered both Defendant's sur-reply and Plaintiff's
response in its review of the class-certification motion.
I.
JURISDICTION AND VENUE
Subject-matter
jurisdiction is proper under the Class Action Fairness Act,
28 U.S.C. § 1332(d). The putative class consists of over
100 members, the amount in controversy is over $5, 000, 000,
and there is minimal diversity between the parties. The
parties do not contest personal jurisdiction or venue.
II.
BACKGROUND
A.
The Parties
Plaintiff
Southern Independent Bank is a community bank located in
south Alabama. SIB issues debit cards to its customers.
Defendant Fred's is a retail chain selling discount
general merchandise and is located primarily in the
Southeast. Fred's accepts debit and credit cards,
including cards issued by SIB, as payment at its stores. When
a card is swiped, that card information is transmitted from
the store to Fred's servers at its headquarters in
Memphis, then routed to Fred's acquiring bank, Bank of
America Merchant Services. (Doc. # 41-41, at 21.)
B.
Overview of the Payment Card Industry
SIB
and Fred's are part of “payment card networks,
” which Visa and MasterCard use to facilitate
transactions between sellers and buyers. Financial
institutions that make up these networks can be
“issuing” or “acquiring” banks, or
both. An issuing bank like SIB issues credit or debit cards
to its customers with the Visa or MasterCard logo. The logo
allows the holder to use the card at any merchant like
Fred's where Visa or MasterCard is accepted. Acquiring
banks are on the other side of the transaction. Acquiring
banks get merchants into the payment networks. They contract
with merchants so that the merchants may accept debit and
credit cards as payment. Merchants do not have a direct
relationship with Visa or MasterCard; they need an acquiring
bank to sponsor them into the payment networks.
Both
kinds of banks, issuing and acquiring, are bound by Visa and
MasterCard's extensive rules by contract with the card
brands. Among those rules is the payment card industry's
data security standard (“PCI-DSS”). When a
merchant like Fred's comes into the payment network
through an acquiring bank, the contract between the merchant
and the acquiring bank also binds the merchant to Visa and
MasterCard's rules, including the PCI-DSS. (See
Docs. # 45-1, 45-11, at 11-12.)
When a
customer presents a card to make a purchase, the cashier
swipes the card, and certain information is collected from
the card and transmitted through the acquiring bank to the
issuing bank. The issuing bank then approves or declines the
transaction based on an automated series of rules, including
whether the customer has enough money in his account or
enough credit. If approved, the merchant is reimbursed for
the charge by the acquiring bank. The acquiring bank receives
a fee from the merchant for each transaction, called a
“merchant discount.” The issuing bank then
reimburses the acquiring bank. In doing so, the issuing bank
collects a portion of the merchant discount called an
“interchange fee.” Interchange fees are intended
to compensate issuing banks for card processing costs and
losses due to fraudulent charges. (See Doc. # 45-1,
at 7, 9-10.)
Thus,
payment card networks are built on a web of contractual
arrangements, containing incentives and allocations of risk.
Below is an illustration of how the parties to these networks
are related, based on diagrams the United States District
Court for the District of Colorado and the Seventh Circuit
used in similar cases[1]:
(Image
Omitted)
The
vertical lines with arrows starting from Visa and MasterCard
and moving downward represent the series of contractual
relationships that parallel the two sides of the payment card
networks. The horizontal line at the bottom connecting
cardholders and merchants represents the connection between
the two sides when cardholders transact with merchants.
Finally, the diagonal line represents the relationship this
lawsuit is about: the one between a merchant (Fred's) and
an issuing bank (SIB). The Seventh Circuit explained that the
theory of recovery represented by the diagonal line would be
a “new form of liability . . . in addition to the
remedies already provided by the contracts governing the card
payment systems.” Cmty. Bank of Trenton, 887
F.3d at 808.
C.
The Fred's Breach and Aftermath
On
March 23, 2015, hackers, using malware installed on
Fred's servers, gained access to those servers and began
harvesting payment data from the cards that were used at
Fred's. (Doc. # 45-11, at 49.) Their malware captured
only the card number, not the cardholder's name,
expiration date, or printed security code. (See
Docs. # 45-11, at 49, 45-2, at 8-9.) Hackers had access to
the servers until April 24, 2015 - a breach window of about a
month. (Doc. # 45-11, at 49.) But Fred's did not find out
about the breach until May 29, 2015. (See Doc. #
41-18.) Whether Fred's was in compliance with the PCI-DSS
when the breach occurred is a disputed issue, but is not
relevant for class-certification purposes.
Fred's
hired cybersecurity firm Mandiant to do a forensic
investigation of the data breach and issue a report, which
was given to Visa and MasterCard. (Doc. # 41-19.) The report
confirmed that the malware could access payment data on
Fred's servers from March 23 to April 24, 2015.
(See Doc. # 41-19.) Accordingly, Visa and MasterCard
issued what are known as compromised account management
system (CAMS) alerts to any issuing bank whose customers used
their cards at Fred's during that timeframe. (Doc. #
45-1, 12-13.) CAMS alerts do not say whether fraudulent
activity occurred on a card; they merely give notice that
payment data has been exposed. (Doc. # 45-1, 12-13.) About 2,
500 banks received CAMS alerts related to the Fred's
breach. (See Doc. # 45-13.)
SIB was
one of those banks. CAMS identified 402 SIB-issued payment
cards that were exposed by the Fred's breach. (Doc. #
41-40, at 15.) Fifty of those cards suffered fraudulent
charges. (Doc. # 41-40, at 15.) SIB responded by contacting
all those cardholders by phone and asking whether they would
like to receive a new card. (Doc. # 41-40, at 15.) SIB
eventually reissued just over half of the cards. (Doc. #
45-5, at 4.) Whether these actions were reasonable, and thus
whether SIB's claimed damages are appropriate, is hotly
disputed, and is relevant both at the class-certification
stage and at trial.
D.
This Lawsuit
SIB
filed this class-action complaint on October 30, 2015,
asserting two theories of recovery against Fred's: (1)
negligence for maintaining inadequate data security; and (2)
negligent misrepresentation for saying that it had adequate
data security when in fact it did not. (See Doc. #
1.) Fred's estimates, without dispute, that the putative
class consists of approximately 2, 500 issuing banks who
issued about 1 million cards that were used at Fred's
during the breach window. (Doc. # 45, at 23.) SIB summarizes
damages for all these banks as consisting of actual fraud
losses, card reissuance costs, lost revenue, and ancillary
costs. (Doc. # 41, at 34.)
Fred's
moved to dismiss both counts under Alabama law only.
(See Doc. # 14.) The case was reassigned from a
senior district judge of this court to a visiting judge
assisting this district during a judicial emergency. (Doc. #
23.) That judge granted Fred's motion to dismiss as to
the negligent misrepresentation claim but denied it as to the
negligence claim, reasoning that SIB had made out a claim for
negligence against Fred's under Alabama law.
(See Doc. # 24.) Fred's sought reconsideration
of the motion with respect to the surviving negligence claim
or, in the alternative, for the court to certify the question
to the Alabama Supreme Court. (See Doc. # 28.) That
motion was denied after being fully briefed, (Doc. # 37), and
the case proceeded to discovery in anticipation of the motion
for class certification. After the parties briefed the
pending motions, including the class-certification motion,
the case was reassigned to the original senior district
judge, (Doc. # 59), and then to the undersigned on August 17,
2018, (Doc. # 60).
III.
STANDARD OF REVIEW A.
Rule
702 and Daubert Standard
The
admissibility of expert testimony is governed by Federal Rule
of Evidence 702 and Daubert v. Merrell Dow
Pharmaceuticals, Inc., 509 U.S. 579 (1999), and its
progeny. Rule 702 provides:
A
witness who is qualified as an expert by knowledge, skill,
experience, training, or education may testify in the form of
an opinion or otherwise if:
(a) The expert's scientific, technical, or other
specialized knowledge will help the trier of fact to
understand the evidence or to determine a fact in issue;
(b) The testimony is based on sufficient facts or data;
(c) The testimony is the product of reliable principles and
methods; and
(d) The expert has reliably applied the principles and
methods to the facts of the case.
Fed. R. Evid. 702.
In
Daubert, the Supreme Court emphasized that Rule 702
assigns the trial court a gatekeeping role to “ensure
that any and all scientific testimony or evidence admitted is
not only relevant, but reliable.” 509 U.S. at 589, 597;
see also Kumho Tire Co. v. Carmichael, 526 U.S. 137,
141 (1999) (“[T]he Federal Rules of Evidence
‘assign to the trial judge the task of ensuring that an
expert's testimony rests both on a reliable foundation
and is relevant to the task at hand.'” (quoting
Daubert, 509 U.S. at 596)). This gatekeeping
responsibility is the same when the trial court is
considering the admissibility of testimony based upon
“‘technical' and ‘other specialized
knowledge.'” Kumho Tire, 526 U.S. at 141
(quoting Fed.R.Evid. 702).
In
light of Daubert's “gatekeeping
requirement, ” the Eleventh Circuit requires district
courts to engage in a “rigorous three-part
inquiry” for assessing the admissibility of expert
testimony under Rule 702:
Trial courts must consider whether: “(1) [T]he expert
is qualified to testify competently regarding the matters he
intends to address; (2) the methodology by which the expert
reaches his conclusions is sufficiently reliable as
determined by the sort of inquiry mandated in
Daubert; and (3) the testimony assists the trier of
fact, through the application of scientific, technical, or
specialized expertise, to understand the evidence or to
determine a fact in issue.”
United States v. Frazier, 387 F.3d 1244, 1260 (11th
Cir. 2004) (quoting City of Tuscaloosa v.
Harcros Chems., Inc., 158 F.3d 548, 562 (11th Cir.
1999)). These requirements are known as the
“qualifications, ” “reliability, ”
and “helpfulness” prongs. See Id.
“The burden of establishing qualification, reliability,
and helpfulness rests on the proponent of the expert opinion,
” id., and the proponent must meet its burden
by a preponderance of the evidence. Boca Raton Cmty.
Hosp., Inc. v. Tenet Health Care Corp., 582 F.3d 1227,
1232 (11th Cir. 2009); see also Allison v. McGhan Med.
Corp., 184 F.3d 1300, 1306 (11th Cir. 1999) (“The
burden of laying the proper foundation for the admission of
expert testimony is on the party offering the expert, and the
admissibility must be shown by a preponderance of the
evidence.” (citing Daubert, 509 U.S. at 592,
n.10)).
As to
qualifications, “experts may be qualified in various
ways, ” including by scientific training, education,
and experience. Frazier, 387 F.3d at 1260.
“Whether a proposed expert's experience is
sufficient to qualify the expert to offer an opinion on a
particular subject depends on the nature and extent of that
experience.” United States v. Cunningham, 679
F.3d 335, 379 (6th Cir. 2012). “If the witness is
relying solely or primarily on experience, then the witness
must explain how that experience leads to the conclusion is
reached, why that experience is a sufficient basis for the
opinion, and how that experience is reliably applied to the
facts.” Fed.R.Evid. 702 advisory committee note (2000
amends.). Courts must also be mindful that “[e]xpertise
in one field does not qualify a witness to testify about
others.” Lebron v. Sec'y of Fla. Dept. of
Children & Families, 772 F.3d 1352, 1368 (11th Cir.
2014).
But
“so long as the expert is at least minimally qualified,
gaps in his qualifications generally will not preclude
admission of his testimony, as this relates more to witness
credibility and thus the weight of the expert's
testimony, than to its admissibility.” Henderson v.
Goodyear Dunlop Tires N. Am., Ltd., Nos.
3:11-CV-295-WKW, 3:12-CV-510-WKW, 2013 WL 5729377, at *6
(M.D. Ala. Oct. 22, 2013) (quoting Trilink Saw Chain, LLC
v. Blount, Inc., 583 F.Supp.2d 1293, 1304 (N.D.Ga.
2008)).
As to
reliability, trial courts retain “considerable leeway
in deciding in a particular case how to go about determining
whether particular expert testimony is reliable.”
Kumho Tire, 526 U.S. at 152. The focus of
reliability “must be solely on principles and
methodology, not on the conclusions they generate.”
Daubert, 509 U.S. at 595. After all,
“Daubert does not require certainty; it
requires only reliability.” Hendrix ex rel. G.P. v.
Evenflo Co., 609 F.3d 1183, 1198 n.10 (11th Cir. 2010).
But district courts may reject expert testimony that is based
on sound methodology when “there is simply too great an
analytical gap between the data and the opinion
proffered.” Gen. Elec. Co. v. Joiner, 522 U.S.
136, 146 (1997).
Finally,
whether the expert testimony will assist the trier of fact in
understanding the evidence or a fact in issue “goes
primarily to relevance.” Daubert, 509 U.S. at
591. “Expert testimony which does not relate to any
issue in the case is not relevant and, ergo,
non-helpful.” Id. (citation and internal
quotation marks omitted).
The
court's gatekeeping role under Daubert “is
not intended to supplant the adversary system or the role of
the jury.” Allison v. McGhan, 184 F.3d 1300,
1311 (11th Cir. 1999). “Once an expert opinion has
satisfied Daubert, a court may not exclude the
opinion simply because it believes that the opinion is not -
in its view - particularly strong or persuasive. The weight
to be given to admissible expert testimony is a matter for
the jury.” Seamon v. Remington Arms Co., LLC,
813 F.3d 983 (11th Cir. 2016). Where the basis of expert
testimony satisfies Rule 702, “[v]igorous
cross-examination, presentation of contrary evidence, and
careful instruction on the burden of proof are the
traditional and appropriate means of attacking shaky but
admissible evidence.” Daubert, 509 U.S. at
596.
B.
Rule 23 Standard
“The class action is ‘an exception to the usual
rule that litigation is conducted by and on behalf of the
individual named parties only.'” Comcast Corp.
v. Behrend, 133 S.Ct. 1426, 1432 (2013) (quoting
Califano v. Yamasaki, 442 U.S. 682, 700-01 (1979)).
To avail himself of this exception, a plaintiff seeking class
certification bears the burden of proving that he has
satisfied the four Rule 23(a) prerequisites - often
shorthanded as numerosity, commonality, typicality, and
adequacy - and that the class action will meet one of the
three requirements of 23(b). Fed.R.Civ.P. 23(a), (b); see
Brown v. Electrolux Home Prods., Inc., 817 F.3d 1225,
1233 (11th Cir. 2016) (“All else being equal, the
presumption is against class certification because class
actions are an exception to our constitutional tradition of
individual litigation.”). The burden is one of proof,
not pleading, Brown, 817 F.3d at 1233, and requires
the district court to undertake a “rigorous
analysis” to determine the propriety of certification,
Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 161
(1982). Although this rigorous analysis frequently
“entail[s] some overlap with the merits of the
plaintiff's underlying claim, ” Wal-Mart
Stores, Inc. v. Dukes, 564 U.S. 338, 351 (2011),
“the district court can consider the merits
‘only' to the extent ‘they are relevant to
determining whether the Rule 23 prerequisites for class
certification are satisfied, '” Brown, 817
F.3d at 1234 (quoting Amgen Inc. v. Conn. Ret. Plans
& Trust Funds, 133 S.Ct. 1184, 1195 (2013)).
Plaintiff
seeks certification of a damages class under Rule 23(b)(3).
As a result, along with the Rule 23(a) prerequisites, it must
also prove predominance and superiority - that is,
“that the questions of law or fact common to class
members predominate over any questions affecting only
individual members, and that a class action is superior to
other available methods for fairly and efficiently
adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3).
The court must determine any facts supporting Rule 23
findings by a preponderance of the evidence.[2] Stein v.
Monterey Fin. Servs., Inc., No.
2:13-CV-1336-AKK, 2017 WL 412874, at *4 (N.D. Ala. Jan. 31,
2017); In re Delta/AirTran Baggage Fee Antitrust
Litig., 317 F.R.D. 675, 679 (N.D.Ga. 2016).
III.
DISCUSSION
“[W]hen
an expert's report or testimony is critical to class
certification, ” the court must resolve any
Daubert objections before ruling on the motion for
class certification. Sher v. Raytheon Co., 419
Fed.Appx. 887, 890 (11th Cir. 2011) (quoting American
Honda Motor Co. v. Allen, 600 F.3d 813, 815-16 (7th Cir.
2010)). The court finds that the challenged experts'
testimony is critical to class certification. As discussed
more fully below, Plaintiff must show that causation and
damages are provable on a classwide basis. Ian Ratner's
expert testimony purports to do just that by utilizing the
CAMS alert system. And Defendant argues that Plaintiff acted
unreasonably in responding to the Fred's breach, making
Plaintiff an atypical and inadequate class representative and
creating individualized damages questions that affect
predominance. Tony Emrick's testimony puts meat on the
bones of that argument by explaining how Plaintiff
used more resources dealing with the Fred's breach than
it should have. The court therefore finds it necessary to
resolve the Daubert objections to Ratner and
Emrick's testimony before turning to the motion for class
certification.
A.
The Daubert Motions
The
parties filed cross Daubert motions to exclude the
testimony of one of the other side's experts. For the
reasons discussed below, each of those motions is denied, and
the court has considered both experts' testimony in
addressing the motion for class certification.
1.
Ian Ratner's Testimony Is an ...