{"id":665,"date":"2023-07-14T14:53:42","date_gmt":"2023-07-14T18:53:42","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=665"},"modified":"2023-07-14T14:53:42","modified_gmt":"2023-07-14T18:53:42","slug":"eleventh-circuit-requests-refined-class-definition-for-data-breach-class-action","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2023\/07\/14\/eleventh-circuit-requests-refined-class-definition-for-data-breach-class-action\/","title":{"rendered":"Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action"},"content":{"rendered":"

\"\"<\/a><\/u><\/b>By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller<\/b><\/p>\n

Duane Morris Takeaways<\/i>: <\/i><\/b>In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated<\/a> the district court\u2019s order certifying a nationwide class and California-only class in a data breach case. In so doing, it remanded the case with instructions to the district court to define the phrase \u201cwho had their data accessed by cybercriminals\u201d and to analyze the viability of the California class.<\/i><\/p>\n

For employers facing data breach claims in class actions, this decision is instructive in terms of what reviewing courts consider in certifying a class, especially when class definition terms or phrases are broad.<\/i><\/p>\n

Case Background<\/b><\/p>\n

Defendant Brinker International, Inc, owner of Chili\u2019s restaurants, faced a cyber-attack between March and April 2018, in which customers\u2019 credit and debit cards were compromised.\u00a0 Id. <\/i>at 2.\u00a0 Hackers targeted Chili\u2019s restaurant systems and stole both customer data and personally identifiable information, and posted that information on an online market place for stolen payment data.\u00a0 Id. <\/i>at 2-3. \u00a0Plaintiffs alleged that 4.5 million cards were accessed by hackers. \u00a0Id. <\/i>at 3.<\/p>\n

The three named plaintiffs – Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident – alleged they used their cards at Chili\u2019s restaurants between March and April in their respective states. \u00a0Id. <\/i>at 3-4.\u00a0 After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards, Steinmetz did not experience fraudulent charges. \u00a0Id.<\/i> at 3-4.<\/p>\n

Plaintiffs moved to certify two classes, including a nationwide class and California statewide class, seeking both injunctive and monetary relief. \u00a0Id. <\/i>at 4.\u00a0 <\/i>The district court certified the nationwide class for negligence claims and a separate California class under the state\u2019s unfair competition laws.\u00a0 Id. <\/i>at 5.\u00a0 Brinker appealed the district court\u2019s class certification orders.\u00a0 Id. <\/i><\/p>\n

The Eleventh Circuit\u2019s Decision<\/b><\/p>\n

The Eleventh Circuit held that Plaintiffs alleged a concrete injury that was sufficient to establish Article III standing.\u00a0 Id. <\/i>at 10.\u00a0 Plaintiffs showed both a present injury – by alleging their personal information was taken by hackers and put on the dark web – and a substantial risk of future misuse through future misuse of information associated with the hacked credit card.\u00a0 Id.<\/i> at 9-10.<\/p>\n

The Eleventh Circuit, however, vacated the district court\u2019s order and found Franklin and Steinmetz could not meet the traceability requirement for standing. \u00a0Id. <\/i>at 11. \u00a0Franklin alleged two visits outside the \u201cat-risk timeframe\u201d when Chili\u2019s was compromised in the data breach and therefore his injury was not fairly traceable.\u00a0 Id. \u00a0<\/i>Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili\u2019s on a date outside the affected period and could not \u201cfairly trace\u201d any alleged injury to Brinker\u2019s action.\u00a0 Id. <\/i>at 12-13. \u00a0For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes. \u00a0Id.<\/i> at 13.<\/p>\n

As to the class definitions at issue in the litigation, the Eleventh Circuit ruled that the district court\u2019s phrase \u201cdata accessed by cybercriminals\u201d in both class definitions was too broad and limited the class to \u201ccases of fraudulent charges or posting of credit information on the dark web.\u201d \u00a0Id. <\/i>at 15. \u00a0The Eleventh Circuit determined that the district could need to refine the class definition to include those two categories only and then conduct a new predominance analysis to include uninjured individuals who simply had their data accessed. As a result of the problems with the class definition, the Eleventh Circuit remanded the case.\u00a0 Id. <\/i>at 15-16.\u00a0 The Eleventh Circuit also remanded the case in light of Franklin\u2019s lack of standing to determine the viability of the California-based class.\u00a0 Id. <\/i>at 16.<\/p>\n

Implications For Employers<\/b><\/p>\n

Employers confronted with class certification motions in data breach lawsuits should take note that the Eleventh Circuit relied on the broad phrase \u201cdata accessed by cybercriminals\u201d in remanding the district court\u2019s order.<\/p>\n

Further, from a practical standpoint, employers should carefully evaluate district court\u2019s class definitions for overbroad terms or phrases when preparing an appeal.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller Duane Morris Takeaways: In Steinmetz et al. v. Brinker International, Inc., No. 21-13146, 2023 U.S. App. LEXIS 17539 (11th Cir. July 11, 2023), the Eleventh Circuit vacated the district court\u2019s order certifying a nationwide class and California-only class in a data breach case. … <\/p>\n

Continue reading “Eleventh Circuit Requests Refined Class Definition For Data Breach Class Action”<\/span><\/a><\/p>\n","protected":false},"author":583,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[91],"tags":[],"ppma_author":[30],"class_list":["post-665","post","type-post","status-publish","format-standard","hentry","category-data-breach-class-actions"],"authors":[{"term_id":30,"user_id":583,"is_guest":0,"slug":"classactiondefense","display_name":"Class Action Defense","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2020\/10\/dmlogo.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/users\/583"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/comments?post=665"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/665\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/media?parent=665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/categories?post=665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/tags?post=665"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/ppma_author?post=665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}