the dark web. Information for approximately 4.5 million payment cards was posted on a site called Joker Stash, which is an online market place for stolen payment data. The plaintiffs moved for class certification pursuant to Rule 23, and the district court granted the motion. The Eleventh Circuit thereafter granted Brinker ’ s application for immediate appeal under Rule 23(f). Brinker raised three issues on appeal, including: (i) plaintiffs lacked Article III standing; (ii) their claims required individual mini-trials; and (iii) plaintiffs presented no reliable methodology for determining damages on a class-wide basis. On appeal, the Eleventh Circuit remanded the district court ’ s ruling. The plaintiffs alleged that hackers targeted the Chili ’ s restaurant systems and stole both customer card data and personally identifiable information and posted the data on Joker Stash, an online marketplace for stolen payment data. The plaintiffs experienced unauthorized charges on their accounts following the data breach. The district court granted class certification to a negligence class and a California class under state unfair competition laws. The defendant argued that the district court erred because: (i) the class lacked Article III standing; (ii) the class will eventually require individualized mini-trials on class members’ injuries; (iii) there was not a common damages methodology. The Eleventh Circuit found that the plaintiffs had standing to bring their claims because they all suffered an injury-in-fact, i.e., that their credit card and personal information was “exposed for theft and sale on the dark web.” Id. at 890. In coming to this determination, it first looked at whether three named plaintiffs had actual standing to seek injunctive relief, and focused on the requirements for injury-in-fact and causation. All three of the plaintiffs had suffered the necessary concrete injury. Although the Supreme Court in TransUnion LLC v. Ramirez , 141 S. Ct. 2190, 2204, 2210 (2021), held that the mere risk of future harm cannot confer standing, the plaintiffs here showed more than that. The plaintiffs’ information had been “exposed for theft and sale on the dark web” when it was posted on Joker Stash. Id. at 889. The posting of the information constituted the “misuse” that was absent in the court ’ s previous decision in Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332 (11th Cir. 2021), which held that an increased threat of identity theft could not confer standing. Further, the Eleventh Circuit found that, as defined, the class included conflicting phrases including data being “accessed by cybercriminal” and limiting class members to cases of fraudulent charges or posting of credit card information on the dark web. Id. The Eleventh Circuit therefore remanded the ruling to the district court in order for it to clarify its predominance finding, and either redefine the class definitions to only include those two categories or conduct a new predominance analysis. Finally, the Eleventh Circuit rejected the defendant ’ s argument regarding the damage calculation methodology. The Eleventh Circuit found that the plaintiffs’ expert provided the district court with a common methodology for calculating damages which was sufficient to apply on a class-wide basis. Accordingly, the Eleventh Circuit remanded the action to the district court. Finally, the past year saw extensive Rule 23 briefing in the litigation stemming from a widely publicized cybersecurity breach that hit Marriott in November 2018 that resulted in the exposure of nearly 400 million customers’ personally identifying information, making it one of the largest data breaches in United States history. In the case entitled In Re Marriott International Inc. Consumer Data Security Breach Litigation , 78 F.4th 677 (4th Cir. 2023), the Fourth Circuit vacated a class certification order due to potential applicability of class action waiver defense. In November 2018, Marriott experienced a widely publicized cybersecurity breach that resulted in the exposure of nearly 400 million customers’ personally identifying information, making it one of the largest data breaches in United States history. On May 3, 2022, the U.S. District Court for the District of Maryland granted class certification to eight classes of putative plaintiffs, encompassing millions of class members spanning six states, who were purportedly impacted by the breach. Marriott subsequently appealed. On appeal, the Fourth Circuit held that the district court erred by certifying classes against Marriott without first addressing the company ’ s class action waiver defense, which centered on the company ’ s contention
19
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online