502 F.Supp.3d 724
W.D.N.Y. 2020
Background
- Excellus Health Plan suffered a cyberattack beginning Dec. 23, 2013 that exposed PII/PHI of ~10 million individuals; plaintiffs are persons whose data was stored on Excellus systems.
- Plaintiffs filed a consolidated putative class action asserting negligence, breach of contract, unjust enrichment, and New York Gen. Bus. Law § 349 claims (and related state-law claims), including a proposed nationwide injunctive class and multiple damages classes.
- The Court previously dismissed certain claims for lack of standing, then granted reconsideration limited to holding that risk of future identity theft can support standing (citing Whalen).
- Plaintiffs moved for class certification of multiple classes (both Rule 23(b)(3) damages classes and a Rule 23(b)(2) injunctive class); defendants opposed on predominance, causation/exposure, ascertainability, statute of limitations, and other grounds.
- The Court denied certification of all proposed Rule 23(b)(3) (damages) classes—finding predominance problems (statute of limitations, individualized causation/exposure, contract/ascertainment issues)—but certified a nationwide Rule 23(b)(2) injunctive class limited to individuals whose PII/PHI remains on Excellus systems.
- The Court denied as moot the parties’ Daubert motions (expert exclusion) and denied Plaintiffs’ motion to strike an Excellus declaration and for sanctions.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Predominance of Rule 23(b)(3) damages classes | Classwide proof available to resolve liability and damages; common issues predominate. | Individualized issues (statutes of limitation, causation, contract terms) predominate; cannot be resolved classwide. | Denied—Rule 23(b)(3) classes fail predominance due to individualized statute-of-limitations and causation/contract inquiries. |
| GBL § 349 causation/exposure | Liability under § 349 can be shown by generalized proof of deceptive omissions about cybersecurity; reliance not required. | § 349 requires that plaintiffs were exposed to the deceptive acts; many class members never dealt with Excellus or were unaware—individualized exposure inquiries. | Denied for damages class—causation/exposure inquiries are individual and defeat predominance. |
| Statute of limitations for GBL, breach, unjust enrichment classes | Plaintiffs contend accrual doesn't bar class members; injury relates to the breach event. | Many putative class members’ claims accrued well before the limitations periods; no reliable classwide method to identify time-barred claims. | Denied—classes include members whose claims are facially time-barred; individualized accrual inquiries defeat predominance. |
| Unjust enrichment vs. contract / directness of benefit | Plaintiffs may plead unjust enrichment in the alternative; classwide resolution possible. | Where valid contracts govern data privacy, unjust enrichment is precluded; relationships vary—individualized inquiries required. | Denied—unjust enrichment class fails because contracts bar recovery for many and relationship directness is individualized. |
| Federal (BCBSA) GBL § 349 class commonality | BCBSA issued uniform NOPPs and engaged in uniform deceptive conduct toward federal enrollees. | Plaintiffs offer no classwide evidence that BCBSA engaged in uniform deceptive acts; no proof of exposure or uniform NOPPs for relevant period. | Denied—fails commonality and predominance; plaintiffs provided insufficient evidence of classwide conduct/exposure by BCBSA. |
| Rule 23(b)(2) injunctive class (ongoing risk) | Injunctive relief is appropriate for members whose PII/PHI still resides on Excellus systems; conduct and remedies are indivisible. | Defendants challenge standing and ongoing risk, but these are merits issues. | Granted—certified a nationwide Rule 23(b)(2) class limited to impacted individuals whose PII/PHI currently remains on Excellus systems; class representatives and counsel appointed. |
Key Cases Cited
- Amchem Prods., Inc. v. Windsor, 521 U.S. 591 (1997) (predominance/cohesion inquiry for class certification)
- Comcast Corp. v. Behrend, 569 U.S. 27 (2013) (district court must scrutinize predominance and damages model)
- Wal‑Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011) (commonality and nature of (b)(2) classes)
- McLaughlin v. Am. Tobacco Co., 522 F.3d 215 (2d Cir. 2008) (need reliable method to determine time‑barred class claims)
- Gaidon v. Guardian Life Ins. Co. of Am., 96 N.Y.2d 201 (N.Y. 2001) (accrual principles for GBL § 349 claims)
- Whalen v. Michaels Stores, Inc., 689 F. App'x 89 (2d Cir. 2017) (future risk of identity theft can support standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (constitutional standing doctrine)
- Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579 (1993) (Rule 702 gatekeeping for expert testimony)
- Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999) (Daubert principles apply to all expert testimony)
- Goshen v. Mutual Life Ins. Co. of N.Y., 98 N.Y.2d 314 (N.Y. 2002) (scope of GBL § 349: misrepresentation/omission must be to consumer)
