Duane Morris Data Breach Class Action Review — 2024

and stole both customer data and personally identifiable information, and posted that information on an online marketplace for stolen payment data. Id. at *2-3. The plaintiffs alleged that 4.5 million cards were accessed by hackers. Id. at *3. The three named plaintiffs - Shenika Theus, a Texas resident, Michael Franklin, a California resident, and Eric Steinmetz, a Nevada resident - alleged they used their cards at Chili’s restaurants between March and April in their respective states. Id. at *3-4. After their visits, Theus and Franklin had unauthorized charges on their cards requiring them to cancel their cards, while Steinmetz did not experience fraudulent charges. Id. The plaintiffs moved to certify two classes, including a nationwide class and California statewide class, which sought both injunctive and monetary relief. Id. at *4. The district court certified the nationwide class for negligence claims and a separate California class under the state’s unfair competition laws. Id. at 5. On the defendant’s appeal, the Eleventh Circuit vacated the district court’s ruling. The Eleventh Circuit held that the plaintiffs alleged a concrete injury that was sufficient to establish Article III standing. Id. at *10. The plaintiffs showed both a present injury - by alleging their personal information was taken by hackers and put on the dark web - and a substantial risk of future misuse of information associated with the hacked credit card. Id. at *9-10. The Eleventh Circuit, however, vacated the district court’s class certification order and found Franklin and Steinmetz could not meet the traceability requirement for standing. Id. at *11. It reasoned that Franklin alleged two visits outside the “at-risk timeframe” when Chili’s was compromised in the data breach and therefore his injury was not fairly traceable. Id.
Steinmetz similarly stated in responses to interrogatories and his deposition that he visited Chili’s on a date outside the affected period and could not “fairly trace” any alleged injury to Brinker’s action. Id. at *12-13. For these reasons, the Eleventh Circuit opined that Theus did meet traceability for standing purposes. Id. at *13. As to the class definitions at issue, the Eleventh Circuit ruled that the district court’s phrase “data accessed by cybercriminals” in both class definitions was too broad and limited the class to “cases of fraudulent charges or posting of credit information on the dark web.” Id. at *15. The Eleventh Circuit determined that the district court needed to refine the class definition to include those two categories only and then conduct a new predominance analysis as to uninjured individuals who simply had their data accessed. As a result of the problems with the class definition, the Eleventh Circuit remanded the case. Id. at *15-16. The Eleventh Circuit also remanded in light of Franklin’s lack of standing to determine the viability of the California-based class. Id. at *16. In Attias, et al. v. Carefirst, Inc., 344 F.R.D. 38 (D.D.C. Mar. 28, 2023), the plaintiffs filed a class action alleging that the defendant, a health insurance company, suffered a data breach in 2014, which exposed the names, birth dates, email addresses, and subscriber identification numbers for over a million of the company’s insureds. The plaintiffs filed a class action alleging claims for breach of contract and violations of the consumer protection laws of Maryland and Virginia. The plaintiffs subsequently filed a motion for class certification pursuant to Rule 23, and the court denied the motion.
The plaintiffs sought to certify three classes, including: (i) a Contract Class composed of all CareFirst members residing in the District of Columbia, Maryland, and Virginia whose personally identifiable information, personal health information, sensitive personal information, and other financial information was breached as a result of the CareFirst data breach; and (ii) two separate consumer classes for Maryland and Virginia of members whose information was exposed as a result of the data breach. Id. at 44. The court found that the plaintiffs met the requirements for Rule 23(a), but it expressed concerns about predominance. The court stated that there were potential individualized issues related to demonstrating class-wide injury in fact, particularly if the injuries for some class members were only future speculative injuries. Regarding reliance for MCPA and VCPA claims, the court found that the plaintiffs failed to provide any evidence that the defendant’s alleged misrepresentations about privacy were of the sort that could justify a class-wide inference of reliance. For these reasons, the court ruled that the plaintiffs failed to meet the predominance requirement of Rule 23, and denied the motion for class certification. In another Eleventh Circuit ruling, Green-Cooper, et al. v. Brinker International, Inc., 73 F.4th 883 (11th Cir. 2023), the plaintiffs, a group of Chili’s customers, filed a class action alleging their credit and debit card information was compromised following a data breach. Specifically, in the spring of 2018, Chili’s was hit with a cyberattack in which customers’ credit and debit card information was accessed and published on


© Duane Morris LLP 2024
