InfoBytes Blog
11th Circuit orders reexamination of breach class boundaries
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”