The number of data breaches in the United States has increased significantly in the past ten years.  According to an IBM study, more than 4 out of 5 companies have experienced a data breach at least once. These data breaches have generated a corresponding rise in class action litigation against companies. The American Bar Association (“ABA”) is one of the most recent high-profile examples of an organization contending with such a suit.

Tiffany Troy and Eric John Mata, current ABA members, filed a class-action complaint against the ABA on April 21, 2023, for breach of implied contract and violation of consumer protection laws. The complaint alleged that the ABA failed to maintain adequate cyber security and allowed a “hacker” to acquire its 1.5 million members’ names, addresses, email addresses, and phone numbers. Plaintiffs contend that an unknown third party attempted to obtain their credit card information from the data leak. Plaintiffs bring the putative class action on behalf of themselves and all U.S. residents with an ABA account.

The ABA moved to dismiss the complaint for failing to allege that an implied contract existed with its members, any deceptive practice occurred, or plaintiffs suffered damages. The ABA argues that no plausible “meeting of the minds” occurred to form a contract and pled no facts that the data breach caused actual damages. The ABA also argued that Plaintiffs cannot establish a deceptive cyber security practice because they failed to identify any representation about cyber security at all. Finally, the ABA asserted that Plaintiffs articulated no injury beyond mere speculation. Even if the third party obtained financial information, Plaintiffs failed to allege that the breach resulted in actual loss.

The Court has yet to rule on ABA’s motion. Even if the Amended Complaint survives the motion to dismiss, the ABA may still argue the class lacks the necessary elements of commonality, typicality, and predominance to prevent Federal Rule of Civil Procedure 23(a) class certification.

Commonality requires proof that the class members suffered the same injury. Plaintiffs claim that they suffered injury because of a recent uptick in spam messages and an unknown party’s alleged attempt to steal their credit card and financial information. But Plaintiffs’ alleged injuries appear idiosyncratic. They will likely have difficulties proving that all the class members suffered the same injury. This factual issue may also preclude typicality, which requires class representatives’ claims to be similar in kind to those of the entire class. Other class members may have experienced different consequences from the data breach. Finally, Plaintiffs may struggle to establish predominance—whether the same questions of law or fact affect the entire class—given the ABA’s diverse membership.

This case demonstrates how any organization, even a non-profit like the ABA, must contend with the risk of both data breaches and ensuing class action litigation. We will provide an update when the Court issues a ruling.