Paul Karlsgodt, David Carney, Casie Collignon, and Christopher Wiech of BakerHostetler write, in part:
…. There remains a dearth of case law surrounding the appropriateness of class certification in litigation arising out of a data breach. The reasons for the lack of authority on the class certification issue include that most data breach cases are either dismissed on the pleadings or settle before they reach a decision on a contested motion for class certification. In 2019, there were at least two class certification decisions. In Adkins v. Facebook, Inc., No. 3:18-cv-05982 (N.D. Cal., Nov. 26, 2019), the Northern District of California certified an injunctive relief class under Rule 23(b)(2) but declined to certify a damages class.
On the other end of the spectrum, a Georgia state court judge denied class certification based on lack of commonality under Rule 23(a)(2) in Buice v. Piedmont Athens Regional Hospital, which involved alleged widescale misuse of PHI by a former hospital employee. In particular, the trial judge determined that allegations that all putative class members’ HIPAA rights were violated did not establish common injuries among the class.
Read more on Data Privacy Monitor.