One issue that can impede class certification in data breach class action litigation is the inability to calculate damages on a classwide basis. When there is a large data breach, only a fraction of those in the class are likely to ever have had their data misused, so how can actual damages be awarded for the entire class? This is one of the reasons why class certification in data breach litigation is extremely rare. The Eleventh Circuit recently weighed in on this issue, however, and it accepted the plaintiffs’ methodology for calculating damages in a class action alleging the defendant failed to protect customer credit card data, resulting in a 2018 data breach. The court did this even though that methodology merely assigns an average amount to each class member for three categories of damages, regardless of whether the class member
s suffered such damages. See Green-Cooper v. Brinker Int’l, Inc., 73 F.4th 883 (11th Cir. 2023). The Eleventh Circuit recognized that the jury would need to determine actual damages at trial, but it held that individualized damages claims did not predominate and thus were not an obstacle to class certification.
That said, the practical impact of this holding may be limited because the court simultaneously (a) vacated in part the District Court’s order granting class certification on the grounds that two of the named plaintiffs lacked standing, and (b) remanded for further proceedings on issues of class definitions and predominance, as the classes may include individuals who did not suffer any injury.
Underlying District Court ruling
On April 14, 2021, the Middle District of Florida issued a rare class certification ruling in a data breach action. The defendant, a parent company of a national restaurant chain, experienced a data incident when customers’ payment card information was allegedly compromised and sold on the black market. Three named plaintiffs sought compensation on a classwide basis for alleged inability to use their cards, lost time and various out-of-pocket expenses. The District Court certified a nationwide class and a California subclass but narrowed the class definitions to persons whose data was “accessed by cybercriminals” and who “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.”
Eleventh Circuit found two plaintiffs’ injuries were not fairly traceable to the data breach
On appeal, the Eleventh Circuit found that only one of the named plaintiffs had standing to sue. Although the Eleventh Circuit held that the plaintiffs’ allegation that their personal information was posted for sale on the dark web constituted a “misuse of personal information” sufficient to establish both a present injury (i.e., credit card information available on the dark web) and a substantial risk of future injury (i.e., future misuse of exposed credit card information), the Eleventh Circuit also held that the injuries of two named plaintiffs were not fairly traceable to the data breach because discovery showed that they dined at the restaurants outside the time period during which the data breach occurred.
Court remanded for revisions of class definitions
Quoting TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2208 (2021), the court noted that it is axiomatic that “‘every class member must have Article III standing in order to recover individual damages’ because a district court must ultimately weed out plaintiffs who do not have Article III standing before damages are awarded to a class.”
To meet this requirement and avoid later predominance issues regarding standing, the District Court interpreted the class definitions to include individuals who (1) experienced fraudulent charges or whose credit card information was posted to the dark web and (2) incurred expenses or spent time mitigating consequences of the data breach.
Believing this was too narrow an interpretation of the term “accessed by cybercriminals,” the Eleventh Circuit remanded the case to give the District Court the opportunity to clarify its predominance finding. The Eleventh Circuit held that the District Court could either refine the class definition and conduct a more thorough predominance analysis or conduct a new predominance analysis with the same class definitions but a broader interpretation of the term accessed by cybercriminals, understanding “that the class definitions as they now stand may include uninjured individuals ... who have simply had their data accessed by cybercriminals and canceled their cards as a result.”
Eleventh Circuit accepted the plaintiffs’ damages methodology
The Eleventh Circuit then addressed the defendant’s argument that individualized damages claims predominate over any issues common to the class. The Eleventh Circuit held that “all that the named plaintiffs had to prove was that a reliable damages methodology existed, not the actual damages plaintiffs sustained.” The court emphasized that “each Chili’s customer fitting within the class definitions experienced a similar injury of a compromised card combined with some effort to mitigate the harm caused by the compromise.” To that end, the Eleventh Circuit accepted the plaintiffs’ methodology of assigning an average amount to each class member for three categories of damages, regardless of whether the class member
s suffered such damages, yet also clarified that a jury would need to decide actual damages at trial.
Judge Elizabeth Branch disagreed with the majority’s predominance holding
Branch concurred in part and dissented in part. In particular, she disagreed with the majority’s predominance holding because “[plaintiffs’] methodology impermissibly permits plaintiffs to receive an award based on damages that they did not suffer … .” Other courts have denied class certification on the same basis.
For companies facing data breach class actions, the Brinker decision appears to (a) favor narrower class definitions in the standing and predominance contexts (which the District Court is expected to further analyze) and (b) encourage defendants to raise standing arguments on class certification, yet (c) promote a broad-brush damages model of “averages” that may survive class certification but will undoubtedly be tested at trial.