Over the years, there have been very few class certification rulings in actions arising from data breach incidents. Of those that have been published, most have favored the defense. However, as we discussed in our 2022 Data Security Incident Response Report, the recent ruling in In re Brinker Data Incident Litigation (“Brinker”) granting class certification has emboldened plaintiffs’ firms, in both the number of their litigation filings and their negotiation tactics during mediations. This article provides more information about this recent class certification ruling.
Data on the Dark Web
Brinker was brought against Chili’s parent company by several customers of Chili’s restaurants following a data breach. In re Brinker Data Incident Litigation, No. 3:18-cv-686-TJC-MCR, 2021 WL 1405508, at *1 (M.D. Fla. April 14, 2021). Plaintiffs alleged that their personal and payment card information was stolen and placed on Joker Stash, a known marketplace for stolen payment card data. Id. All three named plaintiffs alleged that their personal information was disclosed on Joker Stash and that they spent time or money dealing with the data breach. Id. Two of the named plaintiffs also alleged unauthorized charges on their payment accounts. Id.
Because a standing analysis is a component of a class certification determination, the court first assessed whether each of the three named plaintiffs had standing to bring this action. Id. at *4. In doing so, the court looked at a recent Eleventh Circuit decision holding that future risk of identity theft, without evidence or alleged facts showing that there was some misuse of plaintiff’s data, was too speculative to confer standing. Id. Under the Eleventh Circuit ruling, the Brinker court determined that evidence of plaintiffs’ information on the dark web was “likely enough to show actual misuse and it certainly [met] the standard of some misuse” of plaintiffs’ data sufficient to confer standing to all three named plaintiffs. Id. at *5.
The court then addressed the threshold requirement that a proposed class must be “adequately defined and clearly ascertainable.” Id. Though the court noted that the class was ascertainable, it determined that the class was not adequately defined. Id. at *6. However, instead of denying class certification, the court rewrote the class definition, narrowing it to prevent predominance issues regarding standing. The new class definition stated that “class members’ data must have been ‘accessed by cybercriminals’ and that class members must have ‘incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach[.]’” Id. The court concluded that these “clarifiers” would allow the class to avoid predominance issues regarding standing and prevent the inclusion of uninjured individuals because the class now only included individuals whose data was “misused” as per the Eleventh Circuit’s decision. Id.
As with the Brinker plaintiffs, we have been seeing an increase in plaintiffs’ putative class action complaints containing allegations that their data is or may be on the dark web. In some instances, this allegation has helped plaintiffs persuade courts that they have established standing and damages sufficient to defeat motions to dismiss. In other cases, this allegation, without more, has not been sufficient to prevent dismissal. Brinker, however, is the first instance in which we have seen the impact that these dark web allegations have on class certification.
Predominance Issues Plaguing Multiple-Breach Plaintiffs
Another potential roadblock to class certification comes in the form of predominance concerns related to causation and damages. In Brinker, at least one of the named plaintiffs had a payment card that was involved in a previous data breach. Id. at *12. Brinker argued that because of this, plaintiffs could not prove that this data breach caused the plaintiffs’ damages. Id. In response, plaintiffs maintained that the multiple-breach issue was actually a damages issue and that a previous breach would merely lower the amount of damages, not prevent a causation determination. Id. The court found plaintiffs’ damages argument to be persuasive but noted that “the line between causation and damages in this context is blurry.” Id. Given the increase in data breaches and the increasing likelihood that a putative class member’s information will be subject to multiple breaches, the Brinker court asserted that labeling the multiple-breach issue either a causation or a damages issue “creates a false dichotomy and is not a particularly useful method for deciding predominance.” Id. Thus, the court found that the multiple-breach issue should be determined at the damages phase. Id.
With regard to damages, the court found plaintiffs’ expert to be persuasive. Id. The expert asserted that his method of calculating damages included previously breached payment cards because card issuers “work diligently to remove data breach compromised cards from circulation.” Id. The court acknowledged that a jury might find that this methodology is not an accurate reflection of multiple-breach class members’ damages, but also determined that it is sufficient at this stage of the case. Id. The court also noted that if a jury found this methodology inaccurate, there are other methods of calculating damages, such as using an average relative reduction in damages, that may apply. Id. Therefore, at this stage of litigation, the court found that damages did not require individualized proof. Id.
In contrast, just three months before Brinker, another federal district court made the opposite determination regarding the issue of multiple-breach class members. There, an employee filed suit against her employer following a phishing attack that resulted in the alleged disclosure of personally identifiable information, including mailing addresses, Social Security numbers and wage information. The court denied the plaintiff’s motion to certify a class, holding that the plaintiff did not satisfy the predominance requirement of Rule 23(b)(3) to certify all questions for class certification.
Defendant argued an individualized inquiry of proximate cause was necessary for plaintiff’s claims. This was needed, in part, defendant argued (and plaintiff’s expert agreed) because several putative class members likely had been involved in other data breaches in the years preceding the data breach. Therefore, any injury, such as the named plaintiff’s allegations that the data breach resulted in a fraudulent attempt to activate a credit card in plaintiff’s name, may have been the result of another data breach — not defendant’s breach. In an attempt to rebut this, plaintiff pointed to the fact that a former named plaintiff and other class members were required by the IRS to verify their identities before receiving tax refunds as evidence of damages. Plaintiff’s expert opined that the jury could infer that the IRS letters resulted from the data breach because there was only a short period of time between the data breach and receipt of the IRS letters. The court, however, found plaintiff’s expert to be too speculative and unpersuasive. Given its considerable concerns relating to individual proof required for causation and damages, the court found that plaintiff failed to establish that common questions would predominate over individual issues.
Key differences between the courts’ treatment of multiple-breach plaintiffs in these two cases were the type of data involved and the courts’ acceptance of plaintiffs’ experts. The court in Brinker gave credence to plaintiffs’ expert’s assertion that issuers will replace stolen payment card information and concluded that it was sufficiently likely that any payment card information on the dark web resulted from Brinker’s data breach. In contrast, Social Security numbers and the other personal information that was involved in the second data breach may be more difficult for impacted individuals to change. Therefore, it is more difficult for multiple-breach plaintiffs to show that the information was placed on the dark web because of a specific breach. While we predict that the court’s reasoning in Brinker regarding multiple-breach plaintiffs will not be applied outside the payment card realm, the court’s holding will need to be considered in any litigation strategy because it will almost certainly be cited by plaintiffs.
Despite the court’s decision to grant class certification in Brinker, it repeatedly acknowledged that plaintiffs’ causation and damages arguments were sufficient only “at this stage” of litigation. Id. at *12-13. As the case moves forward, there are significant hurdles that plaintiffs will have to overcome to win at trial. Plaintiffs’ argument that causation does not require individualized proof necessarily fails unless plaintiffs can prove that Brinker’s conduct resulted in class members’ data being posted on the dark web. Id. at *12 & n. 7. But even if plaintiffs can prove that, a jury may still reject the “common method” of calculating damages proposed by plaintiffs’ expert. Id. at *12.
Indeed, the court itself recognized the possibility of later decertification: “While the specifics of the damages calculation will be left to later proceedings, if it becomes obvious at any time that the calculation of damages (including accounting for multiple data breaches) will be overly burdensome or individualized, the Court has the option to decertify the class.” Id. at *13. Thus, even with a class certified, an ultimate determination in favor of plaintiffs is certainly not guaranteed.
First and foremost, though, plaintiffs must convince the Eleventh Circuit that these predominance issues are not a concern. Oral argument before the Eleventh Circuit on Brinker’s appeal of the class certification decision was held on June 8, 2022. This will be the first federal appellate court to weigh in on a contested motion for class certification in the data breach context.