Last week, Judge Sue Myerscough declined to certify a class of employees whose personal information was disclosed when Driveline Retail Merchandising fell prey to a phishing scam. While nearly 16,000 employees were allegedly affected, “issues of causation and injury” were insufficiently common to satisfy the requirements for class certification.

The factual background will resonate with anyone who has ever participated in information security training. In January 2017, a scammer — posing as Driveline’s CFO — asked an untrained payroll employee to email him 2016 W-2s for all Driveline’s employees. The payroll employee complied, sending the phisher 15,878 forms, each of which contained an employee’s name, address, Social Security number, and wage information.

A former Driveline employee, plaintiff Lynn McGlenn, sought to hold Driveline liable for the security breach and for the harm she suffered when her illegally obtained personal information was allegedly used to open a Capital One credit card account. She filed a putative class action suit in the U.S. District Court for the Central District of Illinois. In January 2020, McGlenn asked Judge Myerscough to certify a class of “all current and former Driveline employees” whose personal information was compromised by the scam. One year later, her motion was denied under Rule 23(a)’s commonality prong because her claims require individual, not classwide, causation and damages inquiries.

Even though the need for individual causation and damages inquiries defeated the motion for class certification, Judge Myerscough did not stop there. Instead, she analyzed the claim under Rule 23(b)(3)’s “far more demanding” inquiry into whether common issues of law and fact predominated and seemed dubious about the merits of McGlenn’s complaint.

First, Judge Myerscough held the proposed class encountered causation trouble because “several Driveline employees likely had been involved in other data incidents in the two to four years prior to” the phishing scam. Moreover, even employees who could tie their alleged injury to the phishing scam would encounter a significant legal hurdle: there is no common law duty to safeguard information in Illinois, and Driveline’s only legal duty was to notify employees of the data incident. See Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 816 (7th Cir. 2018) (citing Cooney v. Chi. Pub. Sch., 407 Ill. App. 3d 358, 363 (2010)).

Next, regarding injury, all but two members of the proposed class alleged “risk of future harm” as an injury. While risk of future harm may be considered when damages are calculated, it is not an injury that supports Article III standing.

While class certification decisions in data incident cases have been rare, we are beginning to see courts issue decisions. See, e.g., Fero v. Excellus Health Plan, Inc., No. 6:15-cv-06569, 2020 U.S. Dist. LEXIS 219375 (W.D.N.Y Nov. 23, 2020). Cases to date have focused on whether the named plaintiff could establish the required harm for Article III standing or sufficient evidence of damages to state a claim. Now individual inquiries into these same issues have defeated class certification. We may see a new wave of standing challenges after the Supreme Court issues a decision later this term in an FCRA case, TransUnion LLC v. Ramirez, No. 20-297. (Troutman’s reporting on Ramirez can be found here and here.) Until then, maybe we will see other courts denying class certification in data incident cases.

The case is McGlenn v. Driveline Retail Merch. Inc., 2:18-cv-02097 (C.D. Ill.). We will continue to monitor the case for any appeals.