As data-breach class actions have become increasingly frequent in recent years, courts continue to grapple with whether, and to what extent, these cases meet the requirements for certification of a damages class under Rule 23(b)(3). In its latest such case, Green-Cooper v. Brinker Int’l, Inc., No. 21-13146, 73 F. 4th 883 (July 11, 2023), the Eleventh Circuit vacated and remanded in part certification of a nationwide class of consumers of Chili’s restaurants when Chili’s suffered a large-scale cyberattack. The court parted ways with the district court on the related issues of standing and predominance, but it affirmed the district court’s determination that the plaintiffs presented an adequate model for calculating damages on a classwide basis.
In the spring of 2018, Chili’s was hit with a cyberattack in which customers’ credit and debit card information was accessed and published on the dark web. Information for approximately 4.5 million payment cards was posted on a site called Joker Stash, which is an online market place for stolen payment data.
Separate putative class actions (later consolidated) were brought against Chili’s owner, Brinker International, by three different plaintiffs: (1) a Texas resident who had five unauthorized charges made on his compromised card, incurred time in disputing them, cancelled her card, and now closely monitors her credit as a result; (2) California resident who had two unauthorized charges on his account, cancelled his card, spent hours on the phone with his bank, and spent time going to Chili’s locations to get his receipts and went to locations to get receipts; and (3) a Nevada resident who experienced no unauthorized charges but cancelled his credit card and spent time calling Chili’s restaurants and corporate office, his bank, and the credit reporting agencies.
The consolidated complaint asked for injunctive relief and damages and sought certification under Rule 23(b)(3) of two damages classes: a nationwide class, with claims for negligence; and a California class for violation of the California consumer-protection statute. The proposed class definition included all consumers who made a credit or debit card purchase at any affected Chili’s location during the period of the data breach.
The district court certified both classes but narrowed the class definition. Under the district court’s order, the classes both were limited to consumers who both had their data accessed and incurred reasonable expenses or spent time spent mitigating the consequences of the data breach.
The Eleventh Circuit granted Brinker’s application for immediate appeal under Rule 23(f). Brinker raised three issues on appeal: plaintiffs lacked Article III standing; their claims will require individual mini-trials; and plaintiffs presented no reliable methodology for determining damages on a classwide basis. The court vacated the decision in part, cutting out the claims of two of the three named plaintiffs for lack of standing and remanding to the district court for further analysis of Rule 23(b)’s predominance requirement, specifically as to the standing of absent class members.
The majority first looked at whether three named plaintiffs had actual standing to seek injunctive relief, focusing on the requirements for injury-in-fact and causation. All three of the plaintiffs had suffered the necessary concrete injury. Although the Supreme Court in TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2204, 2210 (2021), held that the mere risk of future harm cannot confer standing, the plaintiffs here showed more than that. The plaintiffs’ information had been “exposed for theft and sale on the dark web” when it was posted on Joker Stash. The posting of the information constituted the “misuse” that was absent in the court’s previous decision in Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, (11th Cir. 2021), which held that an increased threat of identity theft could not confer standing, because the plaintiff.
But the Article III analysis does not stop at injury. Plaintiffs must show that their injury was “fairly traceable to”—i.e., caused by—the defendant’s conduct. Here, the California and Nevada plaintiffs could not show that their injuries were caused by the data breach, because they each visited Chili’s outside the affected time period for the respective locations. Although the complaint alleged that they had visited during the relevant time, discovery showed otherwise. With one named plaintiff having standing, the injunctive-relief claims could proceed.
Because, however, the plaintiffs also sought classwide damages, they must establish Article III standing as to each absent class member. Standing therefore becomes an element of the Rule 23(b)(3) predominance analysis: the district court must consider whether establishing injury for each class member will require individualized inquiries that would predominate over common ones. This is where the district court erred.
The class definition as certified was too broad and would include class members without standing. To exclude those without a concrete injury, the class must be limited to consumers whose information was posted on the dark web (e.g., on Joker Stash) or had fraudulent charges made on their account. The Eleventh Circuit therefore remanded the case to the district court to clarify its predominance finding. The district could deal with this either by refining the class definition or by analyzing predominance given the current class definition.
Finally, the court affirmed the district court’s finding that individual damages issues did not predominate. As the court explained, individual questions of damages generally will not defeat predominance unless the questions are so complex and fact-specific that answering them would place an intolerable burden on the judicial system, or if the damages would bear on liability.
The plaintiffs’ expert presented a common methodology that would provide a standard amount for each class member based on the average value for three separate types of injuries: lost opportunity for rewards points; cardholder time; and out of pocket damages. The methodology did not provide an average for actual damages sustained by misuse, which would be individualized. The court concluded that this methodology was sufficient because it did not enlarge class members’ substantive rights, so there was no abuse of discretion. Judge Branch dissented in part, disagreeing with the majority’s decision that the plaintiffs presented an adequate model for classwide damages. She concluded that the damages model was not tied to each class member’s injury, because it would award each class member damages for all three types of injuries even if that class member had not sustained each of those injuries. As to standing, Judge Branch concurred but based on a different theory of injury.