In In re Brinker Data Incident Litig., No. 3:18-cv-686-TJC-MCR, 2021 U.S. Dist. LEXIS 71965, at *3-5 (M.D. Fla. Apr. 14, 2021), Judge Corrigan certified a class in a data breach class action. The facts were as follows:
The Court has detailed the facts of this case in prior orders (Docs. 65, 92, 122), but several new facts have come to light with additional discovery. In short, Brinker, the parent company that owns Chili’s restaurants, experienced a data breach where customers’ personal and payment card information was stolen. (Doc. 95 ¶¶ 1-2). Three Named Plaintiffs, Shenika Theus, Michael Franklin, and Eric Steinmetz, seek to represent themselves and those similarly situated in a class action against Brinker. Id. at 1. Plaintiffs seek compensation for the inability to use payment cards, lost time, and other out-of-pocket expenses associated with the breach. Id. ¶¶ 9-12. In December 2017, hackers breached Brinker’s back office systems through a vulnerable access point earlier identified in an informal risk assessment conducted by Brinker. (Doc. 131-3 ¶ 7). In March 2018, using the previously breached access point, hackers placed malware on Brinker’s systems. Id. Between March 2018 and April 2018, hackers stole both customer payment card data and personally identifiable information. (Doc. 131 at 1-2). This will hereafter be referred to as “the Data Breach.” Different Chili’s restaurants were affected at different times. (Doc. 141 at 13). In May 2018, Brinker was notified that “card data had been leaked from their corporate-owned Chili’s restaurants and sold on Joker Stash, a known marketplace for stolen payment card data.” (Docs. 95 ¶ 2; 146-6 at 8). Plaintiffs represent that all of the up to 4.5 million cards stolen from Brinker were found on Joker Stash. (Doc. 165 at 26:6-12, 27:4-9). Shenika Theus is a resident of Texas, where she used her payment card on or about March 31, 2018 at a Chili’s in Garland, Texas. (Doc. 95 ¶¶ 17, 31). Theus incurred five unauthorized charges on her account, after which she contacted her bank, cancelled her card, and disputed the charges. Id. ¶ 32.
Theus was also charged a fee “when her account had insufficient funds to satisfy a [utility] bill.” (Doc. 141 at 16
The District Court certified the class.
Under Tsao, while Plaintiffs need not show actual misuse of their data, Plaintiffs must show some misuse to justify their injuries. See Tsao, 986 F.3d at 1344. The Eleventh Circuit did not clarify what constitutes “some misuse,” but it seemed to acknowledge that non-conclusory specific allegations of unauthorized charges would meet this standard. Id. at 1343. Here, Theus and Franklin have met the Tsao standard because they both allege and testify that they experienced unauthorized charges on their accounts after the Data Breach. (Docs. 95 ¶¶ 32, 39-40; 146-2 at 90:11-25; 146-7 at 91:9-19). Steinmetz does not allege that he experienced any fraudulent charges, and in a deposition, he confirmed he had no unauthorized charges on his account. (Doc. 146-4 at 144:6-14). However, Plaintiffs assert that all of the payment card information taken in the Data Breach is on the dark web. (Doc. 165 at 26:6-12, 27:4-9). Evidence of Plaintiffs’ information being posted on the dark web is likely enough to show actual misuse and it certainly meets the standard of some misuse. See Tsao, 986 F.3d at 1344. Because Plaintiffs have shown evidence of some misuse, Plaintiffs’ alleged actual injuries as a result of the Data Breach are not manufactured. See id. at 1345. In addition, all Plaintiffs allege and have testified that they experienced actual injuries including late fees due to insufficient funds or time spent replacing cards and traveling to the bank. (Docs. 146-2 at 42:10-14; 146-4 at 160:20-161:7; 146-7 at 46:5-9; 148 at 3); see also Lujan, 504 U.S. at 560-61. These injuries are fairly traceable to the Data Breach and could be redressed by a favorable judicial decision. See Lujan, 504 U.S. at 560-61. Thus, Plaintiffs have met their burden to establish standing. Cf. In re Checking Account Overdraft Litig., 275 F.R.D. 666, 670-71 (S.D. Fla. 2011) (“In making the decision, the Court . . . may consider the factual record in deciding whether the requirements of Rule 23 are satisfied.” (citing Valley Drug Co. v. Geneva Pharms., Inc., 350 F.3d 1181, 1188 n.15 (11th Cir. 2003))).
The District Court found that the negligence claim could be certified on a 50-state basis.
The possibility that all fifty states’ laws will apply to a claim has concerned other courts considering class certification in the data breach context with financial institution plaintiffs. See S. Indep. Bank v. Fred’s, Inc., No. 2:15-CV-799-WKW, 2019 U.S. Dist. LEXIS 40036, 2019 WL 1179396, at *13-19 (M.D. Ala. Mar. 13, 2019). In S. Indep. Bank, the court held that the plaintiffs “must prove through an extensive analysis . . . that there are no material variations among the law of the states for which certification is sought.” 2019 U.S. Dist. LEXIS 40036, [WL] at *14 (citations and quotation marks omitted); see also Sacred Heart Health Sys., Inc. v. Humana Military Healthcare Servs., Inc., 601 F.3d 1159, 1180 (11th Cir. 2010) (stating that in cases where all fifty states’ laws might apply, the party seeking class certification must “provide an extensive analysis of state law variations to reveal whether these pose insuperable obstacles” (quotation marks omitted)). The plaintiffs in S. Indep. Bank submitted two tables, one showing that each jurisdiction recognizes the basic elements of negligence and another representing one version of each state’s economic loss rule. 2019 U.S. Dist. LEXIS 40036, [WL] at *18. The court held that the plaintiffs failed to meet their burden to conduct an extensive analysis and that the variations in negligence law and the economic loss doctrine among the fifty states were unmanageable. Id. Plaintiffs submitted two charts detailing the differences in states’ negligence and breach of implied contract laws. (Docs. 156-1, 156-2). Similar to the lackluster tables in S. Indep. Bank, Plaintiffs’ breach of implied contract chart only details what must be pled to allege the existence of an implied contract, not what must be proven to show the breach of an implied contract. See (Doc. 156-1). 
Plaintiffs have failed to engage in the extensive analysis required by the Eleventh Circuit to show that a class action adjudicating a breach of implied contract claim in this case is manageable. See Sacred Heart, 601 F.3d at 1180. Thus, the Court’s certification of the Nationwide Class will be limited to Plaintiffs’ negligence claim. If Plaintiffs wish to pursue a Nationwide Class claim based on their breach of implied contract theory, they must complete a trial plan detailing how the Court will manage a class action applying all fifty states’ laws to the breach of implied contract claim. The trial plan should provide an extensive analysis of all fifty states’ laws regarding breach of implied contract claims so the Court may determine whether there are material differences among states’ laws. In addition, the trial plan should address the commonalities and differences among the state laws and propose a method of grouping the laws so that the Court may apply the state laws effectively and efficiently if needed. Brinker will be entitled to respond in opposition to the trial plan. Should the Court find that the trial plan is sufficient, the Court can determine whether to amend its class certification to include the breach of implied contract claim.
Thus, the District Court concluded:
Though this class action is not perfectly composed, on balance, the Court finds it to be an appropriate (and perhaps the only) vehicle for adjudication of the claims of Chili’s customers whose personal data was stolen. The Court acknowledges it may be the first to certify a Rule 23(b)(3) class involving individual consumers complaining of a data breach involving payment cards, but it is also one of the first to consider the issue as many individual data breach cases do not reach this point either due to settlement or other disposition. See In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 485, 490 (D. Minn. 2015) (certifying financial institution data breach case, but noting that the consumer class action settled); Tsao, 986 F.3d at 1345 (dismissing consumer data breach class action for lack of standing). Plaintiffs have satisfied all of the requirements of Rule 23.