
In re Sonic Corp. Customer Data Sec. Breach Litig.

United States District Court, N.D. Ohio
Dec 15, 2021
MDL 2807 (N.D. Ohio Dec. 15, 2021)

Opinion

MDL 2807 1:17-md-2807

12-15-2021

IN RE SONIC CORP. CUSTOMER DATA SECURITY BREACH LITIGATION (FINANCIAL INSTITUTIONS)


OPINION & ORDER [RESOLVING DOC. 466; DOC. 467; DOC. 475; DOC. 476]

JAMES S. GWIN, UNITED STATES DISTRICT COURT JUDGE

In 2017, hackers broke into Sonic customers' payment card data. The hackers stole customer payment card information from more than seven-hundred Sonic franchised Drive-Ins.

Sonic Corporation and its subsidiaries and affiliates Sonic Industries Services, Inc., Sonic Capital LLC, Sonic Franchising LLC, Sonic Industries LLC, and Sonic Restaurants, Inc. (collectively, “Sonic” or “Sonic Defendants” or “Defendants”).

In this class action, Plaintiff Financial Institutions sue Sonic Defendants and say the Sonic Defendants negligently caused the data breach. Now, Sonic Defendants move to exclude two of Plaintiffs' experts: Ian Ratner and Neil Librock. Plaintiffs oppose both motions.

Doc. 475;

Doc. 476.

Plaintiffs offer Expert Ratner's testimony to estimate class-wide damages. Moving to exclude Ratner's testimony, Sonic Defendants argue that Ratner used insufficient data by relying on only six financial institutions' data to calculate damages for 5,000 potential class members.

Plaintiffs offer Expert Librock's testimony to argue financial institutions spend resources to respond to data breaches. In support of their motion to stop Expert Librock's testimony, Defendants argue that Librock lacks sufficient experience working with data breaches.

With this decision, the Court decides whether to exclude Expert Ratner and Expert Librock's trial testimony under Federal Rule of Evidence 702.

In deciding whether to admit Expert Ratner and Expert Librock's testimony, the Court considers whether their opinions are reliable. For Expert Ratner's statistical analysis, the Court examines whether he relies on sufficient data and applies reliable methods to interpret that data. For Expert Librock's non-scientific opinion, the Court primarily examines whether his experience supplies a sufficient foundation for his testimony.

For the following reasons, the Court GRANTS the motion to exclude Expert Ratner as a witness. The Court DENIES the motion to exclude Expert Librock but holds that his trial testimony will be limited.

I. Background

In 2017, a data breach compromised Sonic customer payment data. Impacted consumers sued Sonic Defendants in multiple lawsuits. Those consumer lawsuits settled.

Doc. 174.

Id.

Id.

In the current case, Plaintiff Financial Institutions sue Sonic Defendants for negligence in creating insecure systems that led to the data breach. Plaintiffs allege that Sonic's negligence required financial institutions to spend resources to respond to the breach.

Doc. 453.

Id. at 1-4.

The Court certified a class action. In certifying a class action, this Court limited the class to financial institutions that reimbursed customer fraud losses or that reissued credit cards as the result of the Sonic data breach. The Court later denied Sonic Defendants' summary judgment motion.

Doc. 343; Doc. 348. The Sixth Circuit denied Sonic Defendants permission to appeal the class certification decision. Doc. 447.

Doc. 348.

Doc. 453.

Now, Sonic moves to exclude trial testimony of two Plaintiffs' experts. First, Sonic moves to exclude Ian Ratner's expert testimony on damages. Expert Ratner, a certified public accountant, has 30 years of public accounting, forensic accounting, and related consulting services experience.

Doc. 475-4 (Ratner Report) at ¶ 13.

In this case, Expert Ratner uses statistical analysis to estimate financial institutions' Sonic data breach damages. Ratner estimates two forms of damages: (1) fraud loss from reimbursing fraudulent charges, and (2) reissuance costs from reissuing compromised cards. Ratner bases his fraud-loss analysis on data from the three named Plaintiffs. Ratner bases his opinion on card reissuance damages on data from the three named Plaintiffs and three other class members. The class has about 5,000 potential class members.

Id. at ¶ 39-43.

Id.

Id. at ¶ 44.

Id. at ¶ 51.

Doc. 475-6 (Hitt Report) at ¶ 25.

Sonic also moves to exclude Neil Librock's expert testimony on how financial institutions respond to data breaches. Expert Librock formerly worked in higher-level bank management roles. Relying on that experience, Expert Librock offers an opinion that data breaches create financial and reputational risks for financial institutions. Librock says that because of those risks, financial institutions must respond to data breaches.

Doc. 476-2 (Librock Report) at ¶ 1, 3.

Id. at ¶ 42-48.

Id. at ¶ 21-23.

In support of its motions to exclude, Sonic offers two rebuttal expert reports. In the first rebuttal report, Professor Lorain Hitt, a Wharton economics and statistics professor, argues that Expert Ratner uses an unreliable statistical model. Rebuttal Expert Professor Hitt argues that Expert Ratner relies on an unrepresentative sample and inconsistent data, makes incorrect assumptions, and fails to establish a causal relationship between Sonic's actions and financial institution damages. Professor Hitt also challenges Expert Librock's opinion, arguing that it has no empirical basis.

Doc. 475-6 (Hitt Report) at ¶ 1-4, 31.

Id. at ¶ 24-31.

Id. at ¶ 126.

Sonic Defendants' second rebuttal expert, Rebuttal Expert Andrew Richmond, also challenges Expert Ratner's damages model. Rebuttal Expert Richmond, a certified public accountant and economic consultant, argues that Expert Ratner did not collect sufficient data to perform a reliable statistical analysis. Rebuttal Expert Richmond further argues that Expert Ratner draws unsupported assumptions, overlooks contradictory data, and improperly claims statistical significance.

Doc. 475-5 (Richmond Report) at ¶ 4-11, 30.

Id. at ¶ 30.

On November 23, 2021, the Court heard arguments on the Daubert motions.

II. Legal Standard

Federal Rule of Evidence 702 controls the admission of expert testimony. Under Rule 702, opinion testimony based on specialized knowledge is admissible if it is relevant and reliable.

With this decision, the Court applies the reliability standard. Rule 702 guides the reliability inquiry. To testify as an expert, the witness must be qualified “by knowledge, skill, experience, training, or education.” The expert's testimony must also be “based on sufficient facts or data,” be “the product of reliable principles and methods,” and be the product of reliable application of those principles and methods to the facts of the case.

Fed. R. Evid. 702.

Id.

Further elaborating the Rule 702 factors, the Supreme Court crafted the Daubert factors, a non-exclusive, flexible list of factors courts may consider on reliability.

Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579, 593-94 (1993).

While Rule 702 and the Daubert factors suggest certain lines of inquiry, “the law grants a district court the same broad latitude when [the district court] decides how to determine reliability as it enjoys in respect to its ultimate reliability determination.”

Kumho Tire Co., Ltd. v. Carmichael, 526 U.S. 137, 142 (1999).

The proponent of expert testimony shoulders the burden to show the testimony is admissible by a preponderance of evidence.

E.E.O.C. v. Kaplan Higher Educ. Corp., 748 F.3d 749, 752 (6th Cir. 2014).

III. Discussion

A. Motion to Exclude Ian Ratner's Expert Report

a. Expert Ratner's Report

i. Expert Ratner's Data

The Sonic Defendants principally argue that Ratner's testimony was not based upon sufficient data. The Defendants say Ratner then used unreliable methods to analyze this insufficient data on fraud loss and reissuance costs associated with the Sonic data breach.

Expert Ratner's report uses a model for calculating financial institutions' damages caused by the Sonic breach. Ratner uses his model to give opinions on two forms of damages: (1) fraud loss and (2) reissuance costs.

Doc. 475-4 (Ratner Report) at ¶ 39.

Fraud loss results from financial institutions' payments to reimburse customers for unauthorized or fraudulent payment card charges. Fraud loss regularly occurs for many reasons. Plaintiffs say fraud loss increased on the alerted cards because of Sonic's negligence.

Id.

Doc. 436 at 22-28.

To calculate fraud loss, Expert Ratner began with the named Plaintiff Financial Institutions' self-reported customer fraud reimbursements. Ratner does not explain whether he gave the institutions consistent protocols to follow for calculating fraud loss, nor how the institutions arrived at their reported numbers.

Doc. 475-4 (Ratner Report) at ¶ 44.

The named Plaintiffs' data shows that damages differ across institutions.

The three named Plaintiff Financial Institutions vary in size and number of alerted cards. Because of this variation, Plaintiff Redstone FCU supplied a significantly greater part of Ratner's data. Redstone FCU contributed 72% of the fraud loss data. American Airlines FCU and Arkansas FCU each contributed 14% of the fraud loss data.

Doc. 475-6 (Hitt Report) at ¶ 112.

Doc. 475-5 (Richmond Report) at ¶ 43.

Id.

With these fraud loss data contributions, Redstone FCU disproportionately affects the fraud loss calculation.

For unexplained reasons, the Plaintiffs' self-reported fraud rate among alerted cards varied significantly among themselves. Plaintiff Arkansas FCU reported fraud charges for 2% of its alerted cards while Plaintiff Redstone FCU reported 12% of its alerted cards had fraudulent charges. Plaintiff American Airlines FCU reported fraud on 9% of alerted debit cards and 17% of alerted credit cards.

Doc. 475-4 (Ratner Report) at 35 (Schedule 4).

Id.

The Plaintiffs' self-reported fraud dollar loss amounts also differed significantly among themselves. Arkansas FCU reported average gross fraud loss of over $700 for each fraudulently used card while both American Airlines FCU and Redstone FCU each reported average gross fraud loss near $260 for each fraudulently used card.

Id.

In addition to fraud loss damages, Expert Ratner gives an opinion on reissuance cost damages. Reissuance costs result from reissuing payment cards because of the breach. To generate an opinion on reissuance costs, Ratner used the named Plaintiffs' data together with reissuance data from three other class members who responded to an emailed questionnaire.

Id. at ¶ 9.

Id. at ¶ 20-23; Doc. 475-6 (Hitt Report) at ¶ 38-43.

To collect the data for Expert Ratner's analysis, the Plaintiffs did not use a third-party survey company. Instead, American Airlines FCU's in-house attorney circulated a questionnaire to 125 credit unions. The attorney circulated the questionnaire using an earlier-created listserv for “convenience.” Nothing suggests the listserv addressees were representative of the class. Only four class members responded and only three supplied useable responses.

Doc. 475-6 (Hitt Report) at ¶ 38-43; Doc. 475-8 (Class Communications and Responses) at 2; Doc. 475-10 (Young Deposition Transcript) at 10:20-11:10, 12:13-19, 13:12-19.

Doc. 475-10 (Young Deposition Transcript) at 17:4-7.

Doc. 475-6 (Hitt Report) at ¶ 48-52.

Doc. 475-4 (Ratner Report) at ¶ 23; Doc. 475-11 (Credit Union Responses).

ii. Expert Ratner's Calculations

Expert Ratner calculates fraud loss and reissuance costs for each card that appeared on a Sonic data breach alert. Visa, Mastercard, and Discover reported that the Sonic data breach potentially compromised over eight million cards. Multiplying damages per card by that number of alerted cards, Expert Ratner says that class members suffered $79,512,000 in class-wide damages.

Doc. 475-4 (Ratner Report) at ¶ 43.

Id. at ¶ 43.

1. Fraud Loss Calculations

Expert Ratner performed statistical analysis to calculate fraud loss from reimbursing fraudulent payments. After his calculations, Ratner gives the opinion that each financial institution class member suffered $8.95 in fraud loss for each alerted card.

Id. at ¶ 10.

Ratner came to this damage total by accepting the named Plaintiffs' reported fraud loss data and then adjusting the fraud loss total to account for normally occurring fraud on the alerted cards.

Id. at ¶ 40-41.

Because cards suffer fraud losses for any number of reasons not associated with Sonic, Expert Ratner reduced the gross fraud losses to control for unrelated fraud losses. To calculate the unrelated fraud loss, Expert Ratner used two Visa reports. In those reports, Visa quantified the elevated fraud rates associated with the Sonic breach. Visa examined cards used at two hacked Sonic franchisees' restaurants. For one franchisee, Visa reported that 36% more accounts suffered fraud after the Sonic hack. For the other franchisee, 55% more accounts suffered fraud. Averaged across these two franchisee reports, Visa found the Sonic data breach increased the number of accounts reporting fraud by 46%. Unlike Ratner, who analyzed fraud loss in terms of dollars per card, Visa examined the number of accounts reporting fraud.

Id. at ¶ 44.

Id. at ¶ 33-37.

Id. at ¶ 44, 36 n.2 (Schedule 4). Visa calculated this rate by comparing fraud rates on accounts included in the Sonic breach (18.8%) with the fraud rates on accounts not included in the Sonic breach (13.8%).

Id.

Id. at ¶ 44 n.69.

Doc. 475-5 (Richmond Report) at ¶ 49-51.

Expert Ratner averaged the elevated fraud rates that Visa calculated for the two Sonic franchisees. He used that average to calculate “normalized fraud,” or fraud attributable to sources other than the Sonic breach. Ratner then subtracted this normalized fraud calculation from the fraud loss numbers the Plaintiffs reported. Ratner says this calculation produced a fraud loss total adjusted to subtract fraud unrelated to the Sonic breach.

Doc. 475-4 (Ratner Report) at ¶ 44 n.69.

Id.

Id.

Expert Ratner then used statistical analysis to calculate average fraud loss per card. Ratner calculated average net fraud loss using a statistical sampling technique called bootstrapping. His bootstrapping analysis produced a per-card fraud loss average. This number multiplied by the total number of alerted cards resulted in Ratner's mean fraud loss total of $76,631,000.

Id. at ¶ 45.

Id. at ¶ 50.

Id.

2. Reissuance Cost Calculations

Ratner gives the opinion that each financial institution class member suffered an average of $0.32 in reissuance costs for each alerted card.

Id. at ¶ 43.

To calculate net reissuance costs, or the damages from replacing alerted cards, Expert Ratner began with the gross reissuance costs reported by the three named Plaintiffs and three absent class member credit unions. He then ran a bootstrapping statistical analysis to produce average reissuance costs. Finally, Expert Ratner reduced those numbers by 50% to account for the fact that financial institutions typically replace payment cards periodically as part of regular business.

Id. at ¶ 51.

Id.

Id.

Ratner states that his calculations are “statistically significant at a confidence interval of 95% statistical certainty.”

Id. at ¶ 12.

b. Rule 702 Analysis of Expert Ratner's Testimony

i. Expert Ratner's Qualifications

Under Rule 702, an expert must be “qualified” by “knowledge, skill, experience, training, or education.” The Sixth Circuit takes a “liberal view of what ‘knowledge, skill, experience, training, or education' is sufficient to satisfy” the qualifications requirement.

Fed. R. Evid. 702.

Bradley v. Ameristep, Inc., 800 F.3d 205, 209 (6th Cir. 2015).

Expert Ratner, a certified public accountant, has 30 years of public accounting, forensic accounting, and related consulting experience. Ratner has extensive damage expert experience, including in cases involving data breaches and other payment card-related matters. Expert Ratner also earned undergraduate and graduate business degrees, a certified public accountant certification, and a certified fraud examiner designation.

Doc. 475-4 (Ratner Report) at ¶ 13.

Id. at ¶ 14-15.

Id. at ¶ 16.

Expert Ratner's training and experience qualify him to testify about data breach damages.

ii. Expert Ratner's Data: Sample Size

To be admissible, an expert's testimony must be “based on sufficient facts or data.” Expert Ratner's testimony does not meet this controlling standard because he did not collect sufficient data from enough financial institutions to support reliable results.

For statistical analysis using sampling, the sample size affects the result reliability. Larger samples reduce random error. Sample size particularly affects reliability where the population, here the class members, is heterogenous. Heterogenous populations may require larger samples to capture and account for individual variation.

David H. Kaye & David A. Freedman, Fed. Judicial Ctr., Reference Guide on Statistics, in Reference Manual on Scientific Evidence 211, 246 (3d ed. 2011).

Id.

Id.

Expert Ratner's statistical analysis uses data from an extremely small sample of three or six credit unions to estimate damages for the 5,000 potential financial institution class members.

Doc. 475-6 (Hitt Report) at ¶ 25.

Ratner calculated fraud loss from only the three named Plaintiffs, representing only 0.06% of the impacted financial institutions. And from the three Plaintiffs, Ratner received fraud loss data on only 46,542 alerted cards, or 0.5% of the total alerted cards.

Doc. 475-5 (Richmond Report) at ¶ 80.

Id.

For reissuance cost damages, Expert Ratner used data from six institutions, only 0.12% of the 5,000 potentially impacted institutions. Ratner received data on only 53,373 alerted cards, or 0.6% of the alerted cards.

Id. at ¶ 82.

Id.

A larger sample size is necessary here for two reasons: financial institution heterogeneity and damage variability.

First, the financial institution class members vary in type, size, and resources. The class includes both banks and credit unions. These institutions have a wide range of assets, customer numbers, and average deposits per account. Expert Ratner's data does not capture this variation. Ratner analyzed only credit union data. He did not analyze commercial banks even though, according to Rebuttal Expert Hitt's report, 41% of the class Plaintiffs are banks. Expert Ratner's unrepresentative sample could affect damage calculations, as an institution with more resources may have greater fraud prevention and monitoring capacity.

Doc. 348 at 1.

Doc. 475-6 (Hitt Report) at ¶ 81-84.

Doc. 475-4 (Ratner Report) at ¶ 20-23.

Doc. 475-6 (Hitt Report) at ¶ 68.

Second, reported damages vary significantly. The six institutions Ratner studied reported widely different fraud losses and reissuance costs. Different financial institution fraud policies may cause this variation. For example, some class members may automatically reissue payment cards that have appeared on fraud alert lists, while other class members may evaluate fraud risk and reissue cards more selectively. An institution that quickly reissues cards could expect to incur higher reissuance costs but lower fraud costs.

Id. at ¶ 98-103.

Id. at ¶ 58-59.

The wide fraud loss and reissuance cost variation requires a larger sample size to accommodate the differences.

Expert Ratner gave a class certification declaration that reinforces the conclusion that he uses an insufficient sample size. At the class certification stage, Ratner had collected data on the named Plaintiffs' fraud loss and reissuance costs. In testimony taken earlier in the case, Ratner declared, “To estimate damages on a class-wide basis we would require more information than we currently have.” Yet his final report relied only on the named Plaintiffs' fraud loss data, the same data Expert Ratner earlier declared insufficient.

Doc. 475-2 (Ratner Declaration) at ¶ 15.

Id. at ¶ 76.

iii. Expert Ratner's Data: Representativeness and Bias

Courts may consider sample representativeness when considering expert testimony reliability. Unrepresentative samples reduce reliability.

Kaplan Higher Educ. Corp., 748 F.3d at 753-54.

Id. at 754.

Expert Ratner gives a fraud loss opinion based only upon the named Plaintiffs' data. Expert Ratner calculates reissuance costs based only upon data from the named Plaintiffs and three other class members who responded to a survey. The survey was only circulated to 125 credit unions on a preexisting listserv, not a random class member sample. Only four responded and only three supplied useable results.

Doc. 475-6 (Hitt Report) at ¶ 38-43; Doc. 475-8 (Class Communications and Responses) at 2; Doc. 475-10 (Young Deposition Transcript) at 10:20-11:10, 12:13-19, 13:12-19, 17:4-7.

Doc. 475-4 (Ratner Report) at ¶ 23; Doc. 475-11 (Credit Union Responses).

Rather than a sample designed to be representative of the population, the survey used a convenience sample. Convenience samples occur when the surveyor takes little effort to secure responses from non-volunteers. Convenience samples introduce nonresponse bias.

Doc. 475-6 (Hitt Report) at ¶ 60, 64-65.

David H. Kaye & David A. Freedman, Fed. Jud. Ctr., Reference Guide on Statistics, in Reference Manual on Scientific Evidence 211, 224-26, 285 (3d ed. 2011).

Id. at 224-25.

In general, institutions with greater Sonic breach-related damages have greater motivation to respond to a damages survey. Using data only from the institutions motivated to respond to the survey can introduce self-selection bias, resulting in a less-reliable damages calculation.

Doc. 475-6 (Hitt Report) at ¶ 75-76.

The record here suggests that self-selection influenced the data collection process. For example, one credit union declined to send data, explaining that any fraud related to the Sonic breach was “insignificant.” Another credit union declined to send data because the data-collection time would exceed the claim's value for that institution.

Doc. 475-8 (Class Communications and Responses) at 37.

Id. at 23.

In his report, Expert Ratner does not discuss the possible self-selection bias or describe any efforts to counteract that bias. Expert Ratner also does not argue that he used a representative sample.

Because Expert Ratner's analysis does not sufficiently address data representativeness and data bias, it reduces its reliability.

iv. Expert Ratner's Methodology

Under Rule 702, an expert must use “reliable principles and methods” and reliably apply those principles and methods to the facts.

Expert Ratner began his fraud loss calculations with the fraud loss numbers that the Plaintiff Financial Institutions reported. He does not explain how the institutions arrived at those numbers.

Doc. 475-4 (Ratner Report) at ¶ 44.

To calculate fraud loss and reissuance costs, Expert Ratner used a statistical technique called bootstrapping to create a weighted average of the limited data Ratner received. Sonic Defendants do not challenge this technique itself. Instead, the Sonic Defendants argue that bootstrapping cannot correct the problem of insufficient data.

Id. at ¶ 45, 51.

Doc. 491 at 10-11.

For his fraud loss analysis, Expert Ratner states that the statistical analysis uses “10,000 random samples . . . based on a database created from the information collected from the Named Plaintiffs.” These 10,000 samples represent 10,000 payment cards with fraud alerts. Because all the samples come from the three named Plaintiffs' data, however, Expert Ratner's bootstrapping analysis gives a weighted average for their damages only. That average is representative of class-wide damages only if the named Plaintiffs are a representative sample of the class.

Doc. 475-4 (Ratner Report) at ¶ 45.

Doc. 475-5 (Richmond Report) at ¶ 83-84.

Id.

Plaintiffs argue that Expert Ratner's testimony is dependable because the relevant analysis occurs at the card level, not the institution level. In other words, they argue that because Expert Ratner examined payment card data, it should not matter that those payment cards came from only three financial institutions for the fraud loss damages calculations and six institutions for the reissuance cost calculations.

Doc. 484 at 10.

But Expert Ratner uses insufficient data at the card level as well. Ratner analyzes only 46,542 alerted cards. Credit card companies linked nine million cards to the Sonic breach. Ratner bases his fraud loss opinion on only 0.5% of the alerted cards.

Doc. 475-5 (Richmond Report) at ¶ 80.

Id.

Id.

Plaintiffs' argument also ignores the fact that individual financial institution policies influence fraud loss and reissuance damages. An institution's policy for reissuing cards obviously affects reissuance costs, and an institution's fraud prevention and detection programs affect fraud loss damages.

Ratner limited his fraud loss calculation to data provided by the three named Plaintiffs. But those three Plaintiffs are not typical of most credit unions, and they are significantly smaller than most affected banks.

Doc. 475-6 (Hitt Report) at ¶ 77, 81-84.

Expert Ratner also overlooks information contradicting his damages opinion. As described, Expert Ratner relies upon the Visa Global Compromised Account Recovery (GCAR) reports to measure how fraud increased following the Sonic data breach. The Visa GCAR study examined fraud reports on cards used at two Sonic franchisees' restaurants.

Doc. 475-4 (Ratner Report) at ¶ 44.

Doc. 475-5 (Richmond Report) at ¶ 59-61.

Taken together, the two Visa GCAR reports examined 333,281 eligible accounts, more than six times the 46,542 alerted cards Ratner analyzes from the three named Plaintiffs.

Id.

The Visa GCAR reports give evidence that undercuts the reliability of Expert Ratner's opinion of increased $8.95 fraud on each alerted card.

The Visa GCAR reports found an average loss of only $0.35 for each of the 333,281 accounts that they examined, less than 5% of the $8.95 fraud loss amount Expert Ratner found. Although the Visa GCAR reports included a $3,000 loss limit for each account, the difference from Expert Ratner's finding is significant.

Id.

Id.

The Visa GCAR reports therefore support finding that Expert Ratner does not use reliable methods.

The Plaintiffs' reported fraud losses also undercut the reliability of Expert Ratner's opinion that each alerted card suffered an average $8.95 fraud loss. Recall, each of the three named Plaintiffs reported the fraud they individually suffered. For example, Arkansas FCU reported $24,327 total fraud loss on 6,393 alerted cards. But if we use Ratner's $8.95 fraud loss per card, Arkansas FCU would receive a $55,108 fraud loss recovery, more than double the fraud loss Arkansas FCU itself claimed. Redstone FCU would receive $33,772 less than Redstone claimed it lost. Other class members reported fraud loss amounts that differed even more from Ratner's $8.95 fraud loss calculation.

Doc. 475-6 (Hitt Report) at 57 (Table 6).

Id.

Id.

Id.

Expert Ratner's analysis includes data from only six financial institutions. Utilizing a statistical technique like bootstrapping to create a weighted average does not overcome the underlying data limitations.

v. Exclusion

Plaintiff Financial Institutions argue that the flaws in Expert Ratner's testimony go to the weight of his testimony, not admissibility. But the Court's gatekeeping function requires excluding Expert Ratner's testimony because it does not satisfy the reliability standard.

“Perceived flaws in an expert's opinion go to weight only if they fall within the accepted norms of the discipline and have a non-speculative basis in fact.” Courts properly exclude testimony outside this standard even where the “flaws stem in part from the expert's efforts to do the best job he could with the limited data his client would provide.”

Multimatic, Inc. v. Faurecia Int. Sys. USA, Inc., 358 Fed.Appx. 643, 655 (6th Cir. 2009) (unpublished).

Id.

Here, Expert Ratner's report relies upon an insufficient sample size. Ratner's methodology also does not address the selection bias resulting from the failure to use a random selection process. His bootstrapping sampling technique does not overcome the underlying problem of insufficient and biased data.

Expert Ratner's testimony does not satisfy the Rule 702 reliability standard. The Court excludes his testimony from the trial evidence.

B. Motion to Exclude Neil Librock's Expert Testimony

a. Standard for Non-Scientific Testimony

The trial court has a “gatekeeping” role for all expert testimony, including non-scientific testimony. When considering whether to admit non-scientific testimony, courts may look to the Daubert factors, or may instead “focus upon [the expert's] personal knowledge or experience.”

Kumho Tire Co., 526 U.S. at 141.

Surles ex rel. Johnson v. Greyhound Lines, Inc., 474 F.3d 288, 295 (6th Cir. 2007) (quoting First Tennessee Bank Nat. Ass'n v. Barreto, 268 F.3d 319, 335 (6th Cir. 2001)).

b. Expert Librock's Report

Expert Librock offers general opinions about financial institution responses to data breaches.

Expert Librock says that financial institutions must respond to a data breach. He states that reasonable responses include, but are not limited to: additional fraud monitoring, reissuing payment cards, reimbursing fraudulent charges, notifying customers of the breach, or “deciding to bear the risk of potential losses” and taking no other action. Expert Librock thus gives the noncontroversial opinion that financial institutions can reasonably respond to data breaches in different ways, including by doing nothing.

Doc. 476-2 (Librock Report) at ¶ 21.

Id. at ¶ 22.

Expert Librock states that financial institutions spend time, effort, or money on their data breach responses, and that “it would be highly unusual for a financial institution to have spent no time or effort analyzing or addressing the risk posed by the potential exposure of payment card data.” As part of that opinion, he discusses the reputational and financial risks that data breaches pose to financial institutions.

Id. at ¶ 23.

Id. at ¶ 43-44.

Expert Librock first gave this generalized opinion before the Court decided class certification and the class definition. At the time he gave his opinion, Plaintiffs sought recovery for internal financial institution administrative costs associated with handling notice of the Sonic data breach to customers. This Court later granted class certification and narrowed the class to financial institutions that had reimbursed fraud losses or reissued impacted cards. With the narrowed class, much of Expert Librock's testimony is less consequential.

Doc. 259.

Doc. 348.

c. Rule 702 Analysis of Expert Librock's Testimony

i. Expert Librock's Qualifications

When assessing an expert's qualifications, courts consider “not the qualifications of a witness in the abstract, but whether those qualifications provide a foundation for a witness to answer a specific question.” The Sixth Circuit applies the qualifications standard liberally, allowing testimony by experts with a broad range of knowledge, skill, experience, training, or education.

Rose v. Truck Ctrs, Inc., 388 Fed.Appx. 528, 533 (6th Cir. 2010) (unpublished) (quoting Berry v. City of Detroit, 25 F.3d 1342, 1351 (6th Cir.1994)).

Bradley, 800 F.3d at 209.

Expert Librock's bank management experience qualifies him to testify in this case. Librock worked in senior management roles at Wells Fargo, Bank of America, and Citibank. In his Wells Fargo role, Librock dealt with “identifying and managing corporate reputation risk and financial performance.” At Citibank and Wells Fargo, Librock supervised policymaking to prevent and respond to data breaches. For example, Librock dealt with consumer credit policies and the “reputational risk” and “profitability risk” that data breaches create.

Doc. 476-2 (Librock Report) at ¶ 1, 3.

Id. at ¶ 2.

Id. at ¶ 5, 7-9, 13.

Id. at ¶ 10-11.

Once Expert Librock rose to a higher bank management position in 2008, he dealt less directly with data breach responses, but he still had a policymaking role that indirectly concerned data breaches.

Id. at ¶ 14.

In his current consultant role, Expert Librock has testified in another data breach case at the class certification stage.

In re Target Corp. Customer Data Sec. Breach Litig., MDL 14-2522, 2015 WL 5228637, at *2 (D. Minn. Sept. 8, 2015).

Expert Librock's experience as a banking executive gives sufficient foundation to allow his testimony, in general terms, about the reputational and financial risks data breaches pose to financial institutions. His experience also qualifies him to testify on the reasonableness of various responses to the Sonic data breach.

Sonic Defendants argue that Expert Librock lacks sufficiently extensive or recent data breach experience. These concerns go to the weight of his testimony and are best addressed through trial cross-examination.

United States v. Cunningham, 679 F.3d 355, 379 (6th Cir. 2012).

ii. Expert Librock's Sources and Methods

In addition to challenging Expert Librock's qualifications, Sonic Defendants argue that the Court should exclude Expert Librock's testimony because he relies on media articles rather than academic sources such as surveys or research. This argument does not justify excluding Expert Librock's testimony.

Doc. 476 at 15.

Experts may rely on materials that other experts in the field would reasonably rely upon to form an opinion. Expert Librock bases his opinion on his bank executive experience. Bank executives could rely upon non-academic sources such as media articles to inform their opinions about data breaches. Expert Librock bases his opinion on his experience, and his citations to media articles do not justify excluding his testimony.

d. Limitations on Expert Librock's Testimony

Daubert and Rule 702 do not disqualify Expert Librock's testimony. However, at trial, the Court will limit Librock's testimony to relevant areas. Because much of Librock's report deals with internal financial institution costs resulting from the Sonic data breach, and because the class certification and summary judgment rulings do not allow recovery for these internal costs, this testimony will be limited.

Expert Librock's experience concerns bank management rather than direct data breach responses. His experience does not, therefore, qualify him to testify about the specifics of financial institutions' data breach responses.

Expert Librock may give opinion testimony because he offers high-level and general opinions. His bank management experience qualifies him to testify about the financial and reputational risks of data breaches and how financial institutions may reasonably manage those risks. His trial testimony should be limited to those general matters.

IV. Conclusion

For the reasons stated above, the Court GRANTS the motion to exclude Ian Ratner's expert testimony. The Court DENIES the motion to exclude Neil Librock's expert testimony but holds that the scope of his trial testimony will be limited as described in this opinion.

IT IS SO ORDERED.

