ESO's Motion to Strike Class Claims in Data Breach Suit Are 'Meritless,' Say Plaintiffs
ESO Solutions’ motion to strike the class allegations in a consolidated class action complaint (CCAC) involving its September data breach is “premature and meritless,” said the plaintiffs’ memorandum of law Tuesday (docket 1:23-cv-01557) in U.S. District Court for Western Texas in Austin in opposition to ESO’s March 28 motion.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The Sept. 17 data breach allegedly affected about 2.7 million individuals whose personally identifiable information (PII) and personal health information was compromised when an unauthorized actor gained access to the software company's network and computer systems (see 2312220025).
ESO moved to strike the class allegations in the CCAC on the basis that plaintiffs in In Re ESO Solutions Inc. Breach Litigation can’t satisfy the class action prerequisites of Rule 23(a) and (b), saying a court “may strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.”
But the U.S. 5th Circuit Appeals Court has cautioned that motions to strike “are generally disfavored,” said the memorandum, citing Kaiser Aluminum & Chemical Sales, Inc. v. Avondale Shipyards, where the court determined that striking portions of pleadings “is a drastic remedy" that's "often sought by a movant simply as a dilatory tactic.”
A motion to strike should be granted only when “the allegations being challenged are so unrelated to plaintiff’s claims as to be unworthy of any consideration as a defense and ... their presence in the pleading throughout the proceeding will be prejudicial to the moving party,” the complaint, said, citing Hobbs v. Kroger Ltd. Partnership.
An order to strike class allegations is “functionally equivalent” to an order “denying class certification,” said the memorandum, citing Microsoft v. Baker. But there’s “a distinction between a motion to strike class allegations at the pleadings stage and the actual class certification analysis,” said the memorandum, citing Maldonado v. Ochsner Clinic Foundation.
Dismissal of a class at the pleading stage is “rare” because class determination typically involves considerations that are “enmeshed in the factual and legal issues comprising the plaintiff’s cause of action,” the memorandum said, citing General Telephone Co. of Southwest v. Falcon. Courts often deny such motions “because the shape and form of a class action evolves only through the process of discovery,” it said, citing Simpson v. Best Western International.
In data breach cases similar to this one, district courts “routinely” reject defendants’ attempts to strike class allegations at the pleading stage, said the memorandum. In McKenzie v. Allconnect, the court denied a motion to strike class allegations without the benefit of discovery because “it is unclear how many potential class members exist, where they are located, and whether the potential class members have suffered common injuries,” it said.
Even if the court doesn’t find that it’s premature to address class certification at this stage in the case, ESO “has not demonstrated from the face of the complaint that it will be impossible to certify the class,” said the memorandum. Plaintiffs satisfy the requirements of Rule 23(a), which states that class certification is appropriate when “(1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class,” it said.
ESO argued that the plaintiffs didn’t sufficiently allege shared legal issues or a common core of salient facts because the type of PII potentially compromised and the severity of the impact varies widely among members, the memorandum said. That contention is “without merit” because commonality “turns on ‘the capacity of a class-wide proceeding to generate common answers apt to drive the resolution of the litigation,’” it said, citing Wal-Mart Stores, Inc. v. Dukes.
The defendant argued that the plaintiffs can’t satisfy the typicality requirement of class certification because of “numerous variables” in the type of PII of each class member and whether it had been “misued,” plus the “disparate and unsupported claims of each class member’s damages.” That argument is “fatally flawed because it focuses on minor variations among Plaintiffs’ claims rather than the similarities between them,” said the memorandum. The typicality requirement “does not demand factual homogeneity,” it said, citing Buford v. H&R Block.
ESO’s contention that the class isn’t ascertainable because of the administrative challenges of determining whether a member is part of the class due to the different forms of PII involved is “wholly without merit,” said the memorandum. The court doesn’t need to know the identity of each class member before certification, only at “some stage of the proceeding,” it said, citing Frey vs. First National Bank Southwest.
In this consolidated action, class members “are ascertainable because ESO is in possession of all their names and addresses, which it has already used to preliminarily identify them and send them notice” of the breach, said the memorandum. “ESO sent the same notice letter to each affected individual; it did not send different notices based on what type of information was disclosed,” it said. Since ESO used its records to identify individuals affected by the breach, the company can’t "now credibly argue that it would not be ‘administratively feasible’ to determine the members of the class.”