CPW has been covering data breach litigations for quite some time, including dismissal of defective data breach complaints and the ongoing federal circuit split regarding Article III standing. Yesterday, for the first time, a court certified a Rule 23(b)(3) class action of individual consumers complaining of a data breach involving payment cards. See In re Brinker Data Incident Litig., 2021 U.S. Dist. LEXIS 71965 (M.D. Fla. Apr. 14, 2021). According to the court, “[t]hough this class action is not perfectly composed, on balance, the Court finds it to be an appropriate (and perhaps the only) vehicle for adjudication of the claims of Chili’s customers whose personal data was stolen.” The Court here was obviously concerned that class members’ claims would not be pursued without the class vehicle, but the proposed classes must nonetheless satisfy Rule 23’s requirements. And while the Court made some revisions to address the obvious deficiencies with the proposed classes, the question remains whether the revised classes satisfy Rule 23.
In this case, Brinker, the parent company that owns Chili’s restaurants, experienced a data breach where customers’ personal and payment card information was stolen and placed on Joker Stash, a known marketplace for stolen payment card data. The three named plaintiffs were all Chili’s customers who alleged their information was posted on the dark web. In addition, they alleged that they had to pay late fees or spent time replacing cards and traveling to the bank. Two of the three also alleged unauthorized charges on their payment cards.
Although the court had twice conducted a standing analysis, it engaged in yet another standing analysis in the context of the class certification motion. The court distinguished this case from the Eleventh Circuit’s recent decision in Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021) because the plaintiffs here had alleged, at a minimum, some misuse of their data, including posting their information on the dark web. These injuries could be fairly traceable to the data breach and could be redressed with a favorable decision, so the Court once again found that the named plaintiffs had standing. Plaintiffs sought certification of a nationwide class for negligence and breach of contact claims and a California class for California statutory unfair practice claims.
Before looking at the Rule 23 prerequisites, the Court considered whether plaintiffs had established two threshold requirements: (1) that the proposed class was adequately defined; and (2) the named plaintiffs were part of the class. As to the first threshold requirement, the Court noted that the Eleventh Circuit recently held that ascertainability does not require administrative feasibility, but it does require an adequately defined class. See Cherry v. Dometic Corp., 986 F.3d 1296, 1304 (11th Cir. 2021). While plaintiffs argued that class members could be identified through defendant’s records, the Court recognized that such a class could be overbroad and include uninjured class members. Thus, it modified the proposed definitions to clarify that class members’ data must have been “accessed by cybercriminals” and class members must have “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.” According to the Court, those clarifiers remedied “later predominance issues regarding standing and the inclusion of uninjured individuals because now individuals are not in the class unless they have had their data ‘misused’ per the Eleventh Circuit’s Tsao decision.” The Court acknowledged that the clarifiers may make ascertaining the class more difficult “as some self-identification may be required,” but according to the Court, ascertainability was still satisfied because it was not “impossible” to identify the class. Significantly, the Court did not elaborate further on this point, nor did it address how these “self-identification” procedures would impact the predominance inquiry.
As to Rule 23(a)’s requirements, the Court determined that numerosity, commonality, typicality and adequacy of representation were easily satisfied. As to Rule 23(b)(3), the Court found that it must find that questions of law or fact common to the class predominate over individual questions and that a class action is superior. The Court found that in light of its tweaks to the class definitions, predominance was satisfied because only individuals with standing were part of the classes, but the Court more or less assumed that standing could be established from Defendant’s records using a common method and did not address how the “self-identification” by class members impacted the predominance inquiry. As to whether common questions of law predominated, the Court found that because the laws of 50 states may apply to the implied breach of contract claim and because plaintiffs had failed to engage in the extensive analysis required by the Eleventh Circuit to show that such a class action would be manageable, certification of the nationwide class should be limited to the negligence claim. The Court further concluded that “[a]t this stage, causation and damages do not require significant individualized proof such that individual questions predominate over common ones.”
In its superiority analysis, the Court revealed the real driver behind its decision: “This case is the classic negative value case; if class certification is denied, class members will likely be precluded from bringing their claims individually because the cost to bring the claim outweighs the potential payout. Thus, not only is a class action a superior method of bringing Plaintiffs’ claims, it is likely the only way Plaintiffs and class members will be able to pursue their case.”
While the court’s conclusion may be right, it is important to note that such a conclusion alone is an insufficient ground for certifying a class under Rule 23(b)(3) – common issues of fact and law must predominate. And, here, there are serious questions about whether that is the case with the court’s revised class definitions.
This case is a potential game changer in the realm of data breach litigations-recall that only a handful of such cases have ever made it to the all-important question of class cert (and even fewer have been found to satisfy Rule 23’s requirements for certification). For more developments on this front, stay tuned.