
On remand, the District Court held that individual questions predominated regarding whether individuals incurred reasonable expenses or spent time in mitigation of fraudulent charges or data posting, and denied class certification.
Brinker arises out of a cyberattack on the Chili's restaurant chain in 2018 where customer credit and debit card information was stolen and posted for sale on the dark web. Although it is not disputed that some data from the breach was posted on the dark web, the actual card numbers for sale were not identified in the dark web advertisement. Plaintiffs initially proposed a class of all persons that purchased an item from Chili's during the data breach period. The District Court believed this definition included too many individuals who would likely lack standing as a result of a lack of injury or traceability to the cyberattack. To avoid this issue, the District Court modified the class definition to only include individuals that “(1) had their data accessed by cyber criminals and (2) incurred reasonable expenses or time spent in mitigation.” Green-Cooper v. Brinker Int'l, Inc., 73 F.4th 883, 892 (11th Cir. 2023).
The District Court also endorsed a damages model based on calculations of the value of lost time and similar expenses for the average cardholder, noting that plaintiffs need only show that a viable damages model exists at the class certification stage. In re Brinker Data Incident Litig., No. 3:18-cv-686, 2021 WL 1405508, at *3 (M.D. Fla. Apr. 14, 2021). Satisfied that all of the requirements for Rule 23 had been met, the District Court certified the class and Brinker appealed.
On appeal, the Eleventh Circuit upheld plaintiffs’ damages model, noting that average calculations are permitted so long as class members suffered similar injuries. Green-Cooper, 73 F.4th at 894. The Circuit also found that class members had standing because posting personal information for sale on the dark web “establishes both a present injury — credit card data and personal information floating around on the dark web — and a substantial risk of future injury — future misuse of personal information associated with the hacked credit card.” Id. at 890. However, the Circuit noted that the District Court’s revised class definition was insufficient because the phrase “accessed by cybercriminals” was potentially broader than “cases of fraudulent charges” or “posting of credit card information on the dark web.” The Circuit remanded the case to the District Court to clarify the class definition and conduct a more thorough predominance analysis.
On remand, the District Court first revised the class definition to replace “access by cyber criminals” with “experienced fraudulent charges or had data posted on the dark web in connection with the data breach.” The District Court then held that individual questions predominated under the revised definition. In particular, the Court identified four areas of concern:
Data breach plaintiffs regularly cite Brinker as part of their arguments for Article III standing and as an endorsement of a viable class-wide damages model. On the question of damages, plaintiffs claim that individualized questions of damages can be pushed off until after class certification is complete. While some courts may be inclined to agree, this decision highlights the fact that the existence of damages, not just their valuation, is an individualized question that defeats predominance.
Also, many data breach cases involve data that was exfiltrated but ultimately not shown to have been available on the dark web, either because a defendant paid a ransom, or because plaintiffs never acquired any data via the dark web. Data breach notification regulations and statutes sometimes result in notifying individuals where unauthorized access cannot be ruled out, even when there is no concrete evidence that a particular individual’s data was exfiltrated, let alone made available on the dark web. This decision may be helpful in explaining to judges the importance of evidence (or lack thereof) regarding actual availability of information on the dark web that included plaintiffs’ and putative class members’ PII.
Critically, the Court noted that even if all cardholders’ data was posted on the dark web, “the outcome is the same” because common questions did not predominate over individual questions regarding whether individuals incurred reasonable expenses or spent time in mitigation of fraudulent charges or data posting.
Authored by Allison Holt Ryan, Adam Cooke, Alicia Paller, and Gregory Kimak.