Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action – Class Action Defense
Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action
By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller
Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court’s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase “who had their data accessed by cybercriminals” and to analyze the viability of the California class.
For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.
Case Background
Defendant Brinker International, Inc, owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised. Id. at 2. Hackers targeted Chili’s restaurant systems and stole both customer data and personally identifiable information, and posted that information on an online market place for stolen payment data. Id. at 2-3. Plaintiffs alleged that 4.5 million cards were accessed by hackers. Id. at 3.
The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili’s restaurants between March and April in their respective states. Id. at 3-4. After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards, Steinmetz did not experience fraudulent charges. Id. at 3-4.
Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief. Id. at 4. The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws. Id. at 5. Brinker appealed the district court’s class certification orders. Id.
The Eleventh Circuit’s Decision
The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing. Id. at 10. Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse through future misuse of information associated with the hacked credit card. Id. at 9-10.
The Eleventh Circuit, however, vacated the district court’s order and found Franklin and Steinmetz could not meet the traceability requirement for standing. Id. at 11. Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable. Id. Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action. Id. at 12-13. For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes. Id. at 13.
As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at 15. The Eleventh Circuit determined that the district could need to refine the class definition to include those two categories only and then conduct a new predominance analysis to include uninjured individuals who simply had their data accessed. As a result of the problems with the class definition, the Eleventh Circuit remanded the case. Id. at 15-16. The Eleventh Circuit also remanded the case in light of Franklin’s lack of standing to determine the viability of the California-based class. Id. at 16.
Implications For Employers
Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase “data accessed by cybercriminals” in remanding the district court’s order.
Further, from a practical standpoint, employers should carefully evaluate district court’s class definitions for overbroad terms or phrases when preparing an appeal.
By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller
Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court’s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase “who had their data accessed by cybercriminals” and to analyze the viability of the California class.
For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.
Case Background
Defendant Brinker International, Inc, owner of Chili’s restaurants, faced a cyber-attack between March and April 2018, in which customers’ credit and debit cards were compromised. Id. at 2. Hackers targeted Chili’s restaurant systems and stole both customer data and personally identifiable information, and posted that information on an online market place for stolen payment data. Id. at 2-3. Plaintiffs alleged that 4.5 million cards were accessed by hackers. Id. at 3.
The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili’s restaurants between March and April in their respective states. Id. at 3-4. After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards, Steinmetz did not experience fraudulent charges. Id. at 3-4.
Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief. Id. at 4. The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws. Id. at 5. Brinker appealed the district court’s class certification orders. Id.
The Eleventh Circuit’s Decision
The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing. Id. at 10. Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse through future misuse of information associated with the hacked credit card. Id. at 9-10.
The Eleventh Circuit, however, vacated the district court’s order and found Franklin and Steinmetz could not meet the traceability requirement for standing. Id. at 11. Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable. Id. Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action. Id. at 12-13. For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes. Id. at 13.
As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at 15. The Eleventh Circuit determined that the district could need to refine the class definition to include those two categories only and then conduct a new predominance analysis to include uninjured individuals who simply had their data accessed. As a result of the problems with the class definition, the Eleventh Circuit remanded the case. Id. at 15-16. The Eleventh Circuit also remanded the case in light of Franklin’s lack of standing to determine the viability of the California-based class. Id. at 16.
Implications For Employers
Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase “data accessed by cybercriminals” in remanding the district court’s order.
Further, from a practical standpoint, employers should carefully evaluate district court’s class definitions for overbroad terms or phrases when preparing an appeal.