On The Brink(er): In Appeal Of Closely-Watched Data Breach Class Certification, Eleventh Circuit Vacates In Part And Remands For Further Proceedings

• Jurisdiction: United States,Federal,Florida
• Law Firm: Polsinelli LLP
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions, Trials & Appeals & Compensation, Personal Injury
• Author: Mr Mark A. Olthoff and Shundra Crumpton Manning
• Published date: 24 July 2023

The Eleventh Circuit's recent ruling in In re Brinker Data Incident Litigation ("Brinker") is the first time that a federal circuit court has ruled on a lower court's grant of class certification in a data breach class action case. The Eleventh Circuit, in a 2-1 split panel decision, vacated in part the District Court's class certification order finding that two out of three named plaintiffs did not have Article III standing. The Eleventh Circuit then remanded the case and instructed the District Court to clarify the class definitions and revisit its predominance analysis. The Eleventh Circuit's ruling provides additional clarity on what constitutes "misuse" of data that would inform the scope and structure of class definitions and approve a damages model based on potential average class member recoveries. The ruling also recognizes that district courts should consider the facts developed during discovery rather than relying solely on allegations set forth in the complaint at the class certification stage. The Eleventh Circuit's new ruling will play a pivotal role in shaping how class action data breach cases are litigated including discovery on named plaintiffs earlier in the litigation to establish the legitimacy and timing of alleged injuries.

The Middle District of Florida's Rare Grant of Class Certification in a Data Breach Case

On April 14, 2021, the Middle District of Florida issued one of the few class certification rulings in a data breach action. In fact, the court acknowledged that "it may be the first to certify a Rule 23(b)(3) class involving individual consumers complaining of a data breach involving payment cards."

Brinker, the parent company that owns Chili's restaurants, experienced a data incident where customers' personal and payment card information was allegedly stolen by hackers who allegedly breached back-office systems in December 2017 and placed malware on Brinker's system in March 2018. In May 2018, Brinker was notified that its card data had been compromised and was being sold on a marketplace for stolen payment card data. Three named plaintiffs - Eric Steinmetz ("Steinmetz"), Michael Franklin ("Franklin"), and Shenika Theus ("Theus") - on behalf of themselves and a putative class, sought compensation for the inability to use payment cards, lost time, and other out-of-pocket expenses associated with the breach. After discovery, the District Court certified a nationwide class and a separate California class.

The District Court...