Eleventh Circuit Affirms Approval of Largest Data Breach Settlement in U.S. History

King & Spalding

On June 3, 2021, the Eleventh Circuit affirmed a district court’s final approval of the settlement of more than 300 class action suits filed against Equifax following the company’s 2017 data breach. As the district court pointed out, the settlement is “the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.” And as the Eleventh Circuit observed, the case “highlights the role objectors play in the settlement of class actions.”

  • In September 2017, Equifax announced a data breach that affected approximately 147 million Americans. The breach compromised the names, dates of birth, and Social Security numbers of most of the affected population. More than 300 class actions against Equifax followed, and all of those cases were consolidated into a multidistrict litigation before then-Chief Judge Thomas Thrash in the Northern District of Georgia. [Disclosure: King & Spalding represents Equifax in the litigation stemming from the 2017 data breach, including the appeal discussed here.]
  • In July 2019, the parties presented a class settlement to the district court for approval. The terms of the settlement included the creation of a $380.5 million fund by Equifax to benefit consumer class members, Equifax’s payment of $77.5 million in attorney’s fees, and Equifax’s provision of credit monitoring and identity protection and restoration services for several years, among other things.
  • Following notice to the class, 388 individuals objected to the settlement. Despite those objections, the district court found that the settlement was fair, reasonable, and adequate. It directed plaintiffs’ counsel to prepare a written order summarizing its rulings, which it would then consider entering. After the district court formally entered its order and finally approved the settlement the next month, several different groups of objectors appealed. The objectors raised “a wide array of issues” in the Eleventh Circuit.
  • One appealing objector challenged the approval of the settlement on standing grounds. But the court had “no hesitation in holding that” the plaintiffs suffered an injury in fact because of the large amount “of sensitive data stolen” in the Equifax breach and the “damage that can be done with th[e] type of data” that was stolen. The court noted that the plaintiffs’ injuries were redressable via the settlement because, though the settlement would not prevent any identity theft the plaintiffs might suffer, it would help mitigate that identity theft should it occur.
  • Several objectors challenged various procedures that the district court used to manage the settlement approval process, including (1) its requirement that objectors provide certain information and potentially sit for depositions, (2) its order that objectors post appeal bonds before their appeals could proceed, and (3) its direction to plaintiffs’ counsel to prepare a proposed order approving of the settlement.
    • On the discovery issue, the Eleventh Circuit emphasized that Rule 23 gives the district courts “broad discretion to manage class actions” and highlighted the district court’s desire to “expose objections that are lawyer-driven and filed with ulterior motives”; the Eleventh Circuit found no error in the district court’s actions.
    • On the bond issue, the court focused on the district court’s compliance with the plain language of Federal Rule of Appellate Procedure 7.
    • In discussing the issue concerning the preparation of a proposed order, the court “sharply critiqued the practice of having the prevailing party author court orders” and admonished the Northern District of Georgia for having a local rule that calls for such a practice. But it ultimately found that “the process by which the District Court adopted the proposed order was not fundamentally unfair” and accordingly declined to overturn the approval of the settlement on this basis.
  • Turning to the merits of the settlement, the court rejected an objector’s argument that the district court failed to take into account the “unique risks associated with stolen Social Security numbers” when considering the settlement’s fairness, reasonableness, and adequacy. The court underscored that the settlement was “in the high range of what could have been obtained had the parties continued to litigate” and that the settlement “includes a ‘lengthy period’ of credit monitoring and ‘identity theft insurance and identity restoration services’” for class members to help them guard against any risk that might accompany the disclosure of their Social Security numbers.
  • The court likewise concluded that certification of a settlement class was proper despite an adequacy challenge from one objector. It reasoned that although some class members may have had statutory damages claims that others did not have, that did not mean that class members had “economic interests that were at odds” with each other such that there was “a fundamental conflict of interest between the class representatives and the class.”
  • And though certain objectors challenged the approval of plaintiffs’ request for $77.5 million in attorney’s fees, the Eleventh Circuit affirmed on this issue as well. The court held the use of the percentage method for calculating fees, as opposed to the lodestar method, was proper for common fund settlements like the one at issue in light of its own precedents and those of the Supreme Court. And since the attorney’s fees represented 20.36% of the overall settlement and “[t]he majority of common fund fee awards fall between 20% to 30% of the fund,” the court concluded there was no abuse of discretion in the approval of the attorney’s fees.
  • Finally, the court found one error with the district court’s decision—its approval of incentive awards for the class representatives. The court explained that such incentive awards are prohibited by its 2020 decision in Johnson v. NPAS Sols., LLC, which came down after the district court approved of the Equifax settlement (and which was covered in a previous issue of Predominant Issues). Because the Eleventh Circuit’s disapproval of the incentive awards did nothing to “infect[] the entire settlement,” the court affirmed the approval of the settlement on all other grounds and remanded the cases to the district court “solely for the limited purpose of vacating those awards.”
    • On July 29, 2021, the Eleventh Circuit denied the objectors’ petitions for panel rehearing and rehearing en banc.
  • Overall, the Eleventh Circuit’s decision provides guidance on the types of challenges objectors could make to future settlements in data breach class actions. Additionally, although the court’s analysis of the district court’s judgment was rigorous, the court noted that a “degree of deference to a decision approving a class action settlement makes sense” and that “settlements are ‘highly favored in the law,’” and these principles supported the court’s affirmance of the district court’s approval order.
  • The case is Huang et al. v. Equifax Inc. et al., and you can read the Eleventh Circuit’s full opinion here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide