The Eleventh Circuit’s recent ruling in In re Brinker Data Incident Litigation (“Brinker”) is the first time that a federal circuit court has ruled on a lower court’s grant of class certification in a data breach class action case. The Eleventh Circuit, in a 2-1 split panel decision, vacated in part the District Court’s class certification order finding that two out of three named plaintiffs did not have Article III standing. The Eleventh Circuit then remanded the case and instructed the District Court to clarify the class definitions and revisit its predominance analysis. The Eleventh Circuit’s ruling provides additional clarity on what constitutes “misuse” of data that would inform the scope and structure of class definitions and approve a damages model based on potential average class member recoveries. The ruling also recognizes that district courts should consider the facts developed during discovery rather than relying solely on allegations set forth in the complaint at the class certification stage. The Eleventh Circuit’s new ruling will play a pivotal role in shaping how class action data breach cases are litigated including discovery on named plaintiffs earlier in the litigation to establish the legitimacy and timing of alleged injuries.

The Middle District of Florida’s Rare Grant of Class Certification in a Data Breach Case

On April 14, 2021, the Middle District of Florida issued one of the few class certification rulings in a data breach action. In fact, the court acknowledged that “it may be the first to certify a Rule 23(b)(3) class involving individual consumers complaining of a data breach involving payment cards.”

Brinker, the parent company that owns Chili's restaurants, experienced a data incident where customers’ personal and payment card information was allegedly stolen by hackers who allegedly breached back-office systems in December 2017 and placed malware on Brinker’s system in March 2018. In May 2018, Brinker was notified that its card data had been compromised and was being sold on a marketplace for stolen payment card data. Three named plaintiffs – Eric Steinmetz (“Steinmetz”), Michael Franklin (“Franklin”), and Shenika Theus (“Theus”) – on behalf of themselves and a putative class, sought compensation for the inability to use payment cards, lost time, and other out-of-pocket expenses associated with the breach. After discovery, the District Court certified a nationwide class and a separate California class.

The District Court held that the plaintiffs had standing to bring the action because each of them showed that there was at least “some misuse” of their data. Further, the court held that plaintiffs’ allegations that they spent time replacing cards and traveling to the bank demonstrated “actual injuries” sufficient to confer standing.

Regarding the Rule 23 threshold requirements, the District Court narrowed the plaintiffs’ original proposed definitions by clarifying that class members’ data must have been “accessed by cybercriminals” and that class members must have “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.” The District Court found each of the Rule 23(a) requirements were met and that predominance and superiority were satisfied under Rule 23(b)(3).

The Eleventh Circuit Vacates in Part on the Ground of Lack of Standing and Remands for Further Proceedings on the Class Definitions and Predominance

With regard to standing, the Eleventh Circuit held that, while all three plaintiffs alleged a concrete injury sufficient for Article III standing, only one plaintiff established that his injuries were “fairly traceable” to the challenged action of the defendant. The court noted that the fact that the hackers took these individuals’ data and posted it on a marketplace for stolen payment card data was a “critical” allegation that established concrete injury sufficient for Article III standing. However, two named plaintiffs – Franklin and Steinmetz – had not visited a Chili’s location during the breach period. The Eleventh Circuit found that Franklin’s and Steinmetz’s injuries were not “fairly traceable” to the challenged action of the defendant. Accordingly, the Eleventh Circuit held that only one named plaintiff – Theus – had Article III standing.

Apart from vacating the certification order as to two of the named plaintiffs’ claims, the Eleventh Circuit remanded the case to give the District Court an opportunity to clarify its predominance findings. In the class definitions, the District Court included the requirements that class members must have had their data “accessed by cybercriminals” and “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.” The District Court explained that it included these phrases to avoid later predominance issues because the only individuals in the class are those who have had their data “‘misused’ . . . either through experiencing fraudulent charges or it being posted on the dark web.” The Eleventh Circuit found that the phrase “accessed by cybercriminals” is broader than the two delineated categories of fraudulent charges or information being posted on the dark web. Accordingly, the Eleventh Circuit ordered the District Court to either “refine the class definitions to only include those two categories and then conduct a more thorough predominance analysis, or the District Court may instead conduct a predominance analysis anew under Rule 23 with the existing class definitions based on the understanding that the class definitions as they now stand may include uninjured individuals under [previous precedent] who have simply had their data accessed by cybercriminals and canceled their cards as a result.”

The Eleventh Circuit also upheld the District Court’s determination that plaintiffs’ damages model was sufficient. The Eleventh Circuit found that, at the class certification stage, all that the named plaintiffs had to prove was that a reliable damages methodology existed, not the actual damages plaintiffs sustained, and the proffered damages model based on averages was enough. The Eleventh Circuit held the plaintiffs’ damages methodology does not “‘enlarg[e] the class members’ substantive rights’” by giving class members an award for an injury they could not otherwise prove in an individual action” because each customer experienced a similar injury combined with some effort to mitigate the harm.

One judge on the panel dissented in part. While Judge Branch agreed that Theus was the only named plaintiff with standing, she disagreed with the majority’s concrete injury analysis. As to the latter point, Judge Branch dissented from the majority’s approval of plaintiffs’ damages methodology, arguing (1) the methodology fails to tie a damages amount to an injury actually suffered by a plaintiff; and (2) the district court improperly relied on Tyson Foods, Inc. v. Bouaphakeo,¹ because the facts in Tyson Foods are distinguishable.

What now?

The Eleventh Circuit’s decision appears to credit narrower class definitions tied to the predominance analysis. Historically, many defendants have defeated class certifications motions on lack of predominance. In Brinker, the Eleventh Circuit has suggested that if all class members have suffered fraudulent charges or if their information has been posted, then predominance is met. Because the Eleventh Circuit remanded the case for further consideration, parties can expect the District Court to revisit its findings as to the class definitions and predominance inquiries.

The Eleventh Circuit’s acceptance of an “averages” damages model is also novel in these types of cases. It remains to be seen how this case may impact future class certification proceeding as the defendants will nonetheless continue to argue individual damages issues persist and predominate.

Finally, as the opinion reflects, defendants are likely to pursue discovery on named plaintiffs earlier in the litigation to establish the legitimacy and timing of alleged injuries. If the discovery findings clearly contradict the allegations in the complaint, this will provide defendants another argument at the class certification stage.