Data breach class actions: M.D. Fla. threads the Rule 23 needle in certifying the first consumer payment card class action

Takeaway:  Judge Timothy Corrigan of the Middle District of Florida recently found a way to certify a class action where consumers alleged the theft of payment card data, acknowledging he “may be the first to certify a Rule 23(b)(3) class” in such a case.  In re Brinker Data Incident Litigation, No. 3:18-cv-686-TJC-MCR, 2021 WL 1405508, at *14 (M.D. Fla. Apr. 14, 2021).  Treating the Rule 23 analysis as a type of preliminary review of the relevant legal and factual issues, the court minimized the individual issues identified by the class defendant and ruled that the class plaintiffs could address a number of important issues at a later time.  Indeed, the ruling in the nearly three-year-old case only granted class certification in part and deferred ruling in part.  Judge Corrigan appeared to be swayed towards granting certification because he viewed the data breach claim as “a classic negative value case,” such that “if class certification is denied, class members will likely be precluded from bringing their claims individually because the cost to bring the claim outweighs the potential payout.”  2021 WL 1405508, at *13.  He concluded:  “Though this class action is not perfectly composed, on balance, the Court finds it to be an appropriate (and perhaps the only) vehicle for adjudication of the claims of Chili’s customers whose personal data was stolen.”  Id. at *14.  The opinion serves as a case study of the issues implicated in a data breach class action and a reminder that, despite the many barriers such class claims face, class certification remains a risk for defendants.      

Three named plaintiffs – Shenika Theus, Michael Franklin, and Eric Steinmetz – sued the company that owns Chili’s restaurants (Brinker) for the theft of their payment card and personal information in a data breach orchestrated by cybercriminals.  The plaintiffs used payment cards at Chili’s restaurants during a relatively brief period of time in 2018, when the hackers had installed malware on Brinker’s back office systems.  All three of them alleged that their payment card information had been placed on “the dark web,” and all three of them testified to suffering actual injuries in the form of “late fees due to insufficient funds or time spent replacing cards and traveling to the bank.”  Id. at *5.  Also, two of them testified that fraudulent charges had been made on their payment card accounts.

The plaintiffs asserted claims for breach of implied contract and negligence, as well as California consumer protection claims under California’s Unfair Competition Law (UCL).  They sought the certification of a nationwide class for the implied contract and negligence claims and a California statewide class for the UCL claims.

Brinker moved on Daubert grounds to exclude the testimony of plaintiffs’ damages expert, who offered to show a method for calculating class-wide damages for purposes of Rule 23’s predominance requirement.  The expert used an “averages method” to calculate damages for each class member, regardless of whether each class member suffered a category of damages or not.  The method calculated damages for “lost opportunities to accrue rewards points (whether or not [class members] used a rewards card), the value of cardholder time (whether or not they spent any time addressing the breach), and out-of-pocket damages (whether or not they incurred any out-of-pocket damages).”  Id. at *3.  The district court found the expert’s methodology sufficiently reliable at the class certification stage, stating:  “As with any averages calculation, over or under inclusivity is going to be a risk, but the Supreme Court has approved the use of averages methods to calculate damages.”  Id. (citing Tyson Foods, Inc. v. Bouaphakeo, 577 U.S. 442, 459–61 (2016)).  The court credited the expert’s testimony that, rather than calculating damages, his model only “show[ed] that a reliable damages calculation methodology exists,” as well as his testimony that he would “continue researching and vetting data sources for accurate numbers to use in the final damages calculation.”  Id.  The court concluded:  “At the motion for class certification stage, [the expert’s] methodology is sufficiently supported by data, reliable, and reliably applied.”  Id.

Moving on to the requirements for class certification, the district court first addressed the issue of standing, discussing the Eleventh Circuit’s recent decision in Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021).  In Tsao, the Eleventh Circuit ruled “that any future risk of identity theft was too speculative to confer standing” and that a plaintiff could not “‘conjure standing ... by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.’”  2021 WL 1405508, at *4 (quoting Tsao, 986 F.3d at 1345).  But (according to the district court) the Tsao court ruled that a data breach plaintiff has standing where “there was some misuse of the plaintiff’s data.”  Id.  The district court ruled that because all three plaintiffs’ payment card information had been placed on the dark web, “the standard of some misuse” had been satisfied, further ruling that “[b]ecause Plaintiffs have shown evidence of some misuse, Plaintiffs’ alleged actual injuries as a result of the Data Breach are not manufactured.”  Id. at *5.

The district court next addressed the ascertainability requirement.  Stating that “[t]he Eleventh Circuit has refused to adopt a rule regarding whether a class definition is overbroad if it includes uninjured plaintiffs,” the district court rejected Brinker’s arguments that plaintiffs’ class definitions included class members who suffered no injury at all, and modified the proposed nationwide and California statewide classes to specify “that class members’ data must have been ‘accessed by cybercriminals’ and that class members must have ‘incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.’”  Id. at *6.  The district court concluded that these modifications to the class definitions sufficiently addressed the ascertainability issues raised by Brinker, stating:  “While these clarifiers might make ascertaining the class more difficult as some self-identification may be required, it does not make it impossible . . . .”  Id.  

The district court then turned its attention to the named plaintiffs’ membership in the defined classes.  Despite a number of factual issues raised by Brinker as to whether certain class representatives actually dined at Chili’s restaurants during the time those locations had been impacted by the data breach, the court found the evidence good enough at the class certification stage to qualify them as class members, stating it would reevaluate whether any representative’s claims should be dismissed “[i]f facts showing otherwise arise later.”  Id. at *7.

The district court easily found the Rule 23(a) requirements of numerosity, commonality, typicality, and adequacy satisfied.  Id. at *7-9.  Turning to the requirements for a Rule 23(b)(3) damages class, the court again addressed standing, as well as choice of law, causation, and damages.  While recognizing that predominance will not be satisfied where “proving class member standing will require individualized proof,” the district court concluded that its modifications of the class definitions satisfied the predominance requirement, while failing to address the self-identification difficulties created by those modifications (which the court itself had previously acknowledged).  Compare id. at *10 with id. at *6 (acknowledging difficulties).

Regarding the choice-of-law issues implicated by the breach of implied contract nationwide class (the parties agreed that the laws of a single state applied to the negligence claim), the district court recognized that class plaintiffs must engage in an “extensive analysis” showing the absence of “material variations” between the laws of various states on the elements of a breach of implied contract claim.  Id. at *11 (citations omitted).  But the district court largely punted on this issue.  It first remarked that it “[was] not tasked with deciding choice of law issues at this stage, …”  Id. at *10.  It then concluded that “Plaintiffs have failed to engage in the extensive analysis required by the Eleventh Circuit to show that a class action adjudicating a breach of implied contract claim in this case is manageable.”  Id. at *11.  While the court certified a nationwide class for the negligence claim, it said that the plaintiffs could satisfy the “extensive analysis” requirement later through the completion of a post-certification trial plan showing that a nationwide implied contract class would be manageable.  Id. at *11 & n.6.

On the issue of causation and damages, the district court likewise found ways to skirt the difficult issues.  Recognizing that “[i]ssues of causation often lead to predominance concerns” but nevertheless noting that “individual issues of damages typically do not defeat predominance,” the court essentially found that the factual issues raised by Brinker – including the issue of whether the alleged harms suffered by one class member were the result of another data breach and not the Chili’s data breach – should not be viewed as causation issues but instead as individual damages issues that did not impact the predominance requirement.  Id. at *12.  In a footnote, the court remarked that individual proof of causation and damages would “largely not be a concern” assuming the plaintiffs established that Brinker’s conduct resulted in plaintiffs’ data being posted on the dark web.  Id. at *12 n.7.  In such event, said the court, “class members then just have to show that they took reasonable measures to mitigate the consequences of the breach.”  Id.  The court did not explain how such a showing could be made on a class-wide, non-individualized basis.     

Finally, the court found the superiority requirement satisfied, ruling most of the fact issues susceptible to common proof “despite that some individual proof may be required to establish causation and damages.”  Id. at *13.  In this analysis the court emphasized that it viewed class treatment as superior because the class action constituted “the classic negative value case.”  Id.

Given the Brinker court’s deft dodging of numerous individualized issues, it is not surprising that Brinker recently filed a Federal Rule 23(f) petition seeking interlocutory review by the Eleventh Circuit.  The Eleventh Circuit may be willing to examine the decision, particularly its rulings on the standing issues that the Court of Appeals just addressed in Tsao, its collapsing of the causation and damages issues, and its endorsement of an “averaging” damages theory that almost certainly would result in uninjured class members being compensated.
