Recently, a California federal court certified customer-specific subclasses seeking nominal damages for a data breach under a “disclosure of private information” theory of harm. In re Accellion, Inc. Data Breach Litig., No. 5:21-CV-01155-EJD, 2025 WL 2799102 (N.D. Cal. Sept. 30, 2025).

In In re Accellion, the class plaintiffs alleged that hackers were able to exploit vulnerabilities within Accellion, Inc.’s File Transfer Appliance (“FTA”) product in two major data breaches, leading to the exposure of the personal information of millions of individuals. 2025 WL 2799102, at *1. After the district court resolved Rule 12 motions, the plaintiffs proceeded on claims for negligence and violations of the Washington Consumer Protection Act. Id.

For their negligence claim, the plaintiffs proposed two sets of subclasses in the alternative: (1) subclasses for each Accellion customer that was impacted by the data breach; or (2) three state-specific subclasses for California, Oklahoma, and Washington. Id. at *4-5.

The district court certified customer-specific subclasses seeking nominal damages under a “disclosure of private information” theory of harm, for the following reasons: 

• Numerosity: because even the smallest proposed class had over 1,000 members, the court found the plaintiffs had demonstrated numerosity. Id. at *5.

 

• Commonality: the court quickly dispensed with the commonality requirement, finding that whether Accellion acted reasonably was a common question that depended solely on Accellion’s knowledge and actions. Id.

 

• Typicality: the district court concluded that because the named plaintiffs were injured by the same course of conduct – exposure of personal data due to the breach – they were typical of the class. Id. at *6. The court rejected Accellion’s argument that several named plaintiffs were atypical because they lacked Article III standing, finding that the plaintiffs had sufficiently alleged a concrete injury from the disclosure of their private information, even if they could not show any risk of future harm. Id. at *7-8. The district court also rejected Accellion’s argument that certain plaintiffs were atypical because they had also served as named plaintiffs in lawsuits filed directly against Accellion’s customers, finding that there was no issue with having multiple joint tortfeasors liable for the same injury. Id. at *8.

 

• Adequacy: While the court concluded that most plaintiffs possessed sufficient knowledge about the case, the court found that one plaintiff, Dawes, was inadequate to represent the damages class because he disclaimed his representation of any class members outside of his home state during his deposition. Id. at *9-10. The district court also found another named plaintiff inadequate based on text messages showing that the plaintiff was “uncommonly motivated by the service award.” Id. at *10. The court rejected Accellion’s remaining arguments as to adequacy, concluding that (1) the fact that the plaintiffs declined to pursue certain theories of recovery does not render them inadequate, and (2) one named plaintiff’s minor criminal conviction thirty years ago did not render that plaintiff inadequate.  Id.

 

• Predominance: because the district court found that individual issues would predominate if the class was certified as a whole, it divided the negligence class into subclasses by customer, as proposed in the alternative by the plaintiffs. Id. at *11. The court then found that the disclosure of private information was a viable theory of injury on a classwide basis. Id. at *12-13. The district court, however, rejected the plaintiffs’ proposed damages models based on the value of time spent, cost of credit monitoring, and lost value of personally identifiable information as dependent on individual circumstances and concluded that the only damages theory the plaintiffs could pursue was for nominal damages. Id. at *14. 

The district court also partially struck the report of one of the plaintiffs’ accounting experts, holding that while he had the necessary credentials to qualify as an expert in accounting, valuation, and adjacent fields, and had participated in eighteen prior data breach cases, he nonetheless did not have the necessary qualifications to opine regarding the risk of identity theft. Id. at *2-4.

Takeaway: In re Accellion, Inc. Data Breach Litigation serves as a cautionary tale to defense counsel that, even when individualized damages issues predominate and a class is not sufficiently cohesive as a whole, certain courts remain willing to splice-and-dice putative classes into more viable subclasses, even when those subclasses are only eligible for nominal damages.