Green-Cooper et al v. Brinker International, Inc.
Filing
167
ORDER granting in part and deferring in part 131 Motion to Certify Class; denying 142 Daubert Motion; denying as moot 159 Motion to Strike Late-Filed Exhibits; setting deadlines as follows: optional filing from plaintiffs due 5/21/2021; other filings due 6/21/2021. Signed by Judge Timothy J. Corrigan on 4/14/2021. (SRW)
UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
JACKSONVILLE DIVISION
In re Brinker Data Incident
Litigation
Case No. 3:18-cv-686-TJC-MCR
ORDER
This data breach class action is again before the Court, this time in the
context of a motion for class certification and a related motion to exclude expert
opinions and testimony. Three Named Plaintiffs bring this class action after
their payment card and personal information was stolen from Defendant
Brinker International, Inc. by hackers.
I. FACTS AND PROCEDURAL POSTURE
A. Facts
The Court has detailed the facts of this case in prior orders (Docs. 65, 92,
122), but several new facts have come to light with additional discovery. In
short, Brinker, the parent company that owns Chili’s restaurants, experienced
a data breach where customers’ personal and payment card information was
stolen. (Doc. 95 ¶¶ 1–2). Three Named Plaintiffs, Shenika Theus, Michael
Franklin, and Eric Steinmetz, seek to represent themselves and those similarly
situated in a class action against Brinker. Id. at 1. Plaintiffs seek compensation
for the inability to use payment cards, lost time, and other out-of-pocket
expenses associated with the breach. Id. ¶¶ 9–12.
In December 2017, hackers breached Brinker’s back office systems
through a vulnerable access point earlier identified in an informal risk
assessment conducted by Brinker. (Doc. 131-3 ¶ 7). In March 2018, using the
previously breached access point, hackers placed malware on Brinker’s
systems. Id. Between March 2018 and April 2018, hackers stole both customer
payment card data and personally identifiable information. (Doc. 131 at 1–2).
This will hereafter be referred to as “the Data Breach.” Different Chili’s
restaurants were affected at different times. (Doc. 141 at 13). In May 2018,
Brinker was notified that “card data had been leaked from their corporateowned Chili’s restaurants and sold on Joker Stash, a known marketplace for
stolen payment card data.” (Docs. 95 ¶ 2; 146-6 at 8). Plaintiffs represent that
all of the up to 4.5 million cards stolen from Brinker were found on Joker Stash.
(Doc. 165 at 26:6–12, 27:4–9).
Shenika Theus is a resident of Texas, where she used her payment card
on or about March 31, 2018 at a Chili’s in Garland, Texas. (Doc. 95 ¶¶ 17, 31).
Theus incurred five unauthorized charges on her account, after which she
contacted her bank, cancelled her card, and disputed the charges. Id. ¶ 32.
Theus was also charged a fee “when her account had insufficient funds to satisfy
a [utility] bill.” (Doc. 141 at 16).
2
Michael Franklin is a resident of California, where he used his payment
card to make two separate purchases at Chili’s restaurants: once on March 17,
2018 in Carson, California and again on April 22, 2018 in Lakewood, California.
(Doc. 95 ¶¶ 18, 36). Franklin incurred two unauthorized charges on his account,
after which he cancelled his card, spent between five and six hours speaking to
bank representatives, and visited the Chili’s locations to request receipts.
Id. ¶¶ 37–40.
Eric Steinmetz is a resident of Nevada, where he used his payment card
on or about April 4, 2018 at a Chili’s in North Las Vegas, Nevada. Id. ¶¶ 19, 42.
Steinmetz spent time speaking with the Chili’s location, Chili’s national office,
credit reporting agencies, and his bank. Id. ¶¶ 43–44.
B. Procedural Posture
Plaintiffs filed suit on May 24, 2018 (Doc. 1), after which the Court
consolidated two related cases on October 30, 2018 (Doc. 31). Plaintiffs filed a
Second Amended Consolidated Class Action Complaint (Doc. 39), which Brinker
moved to dismiss (Doc. 48). The Court issued an order holding that all Plaintiffs
had standing except those alleging only future injuries. (Doc. 65 at 15–18). The
Court also requested briefing on choice of law and deferred ruling on Brinker’s
Rule 12(b)(6) motion. Id. at 19–20. The parties submitted a Joint Notice of
Choice of Law Briefing Preference, but the parties were unable to agree on what
law governed. (Doc. 68). The Court then issued an order granting in part and
3
denying in part Brinker’s Rule 12(b)(6) motion to dismiss. (Doc. 92).
Plaintiffs filed a Third Amended Complaint (Doc. 95), and Brinker moved
to dismiss the new claims and Plaintiffs’ requests for injunctive relief (Doc. 99).
The Court dismissed the new claims and again affirmed that Plaintiffs had
standing but held that any future injuries were too speculative; thus, the Court
dismissed any requests for injunctive relief. (Doc. 122 at 10–11). The surviving
claims include (1) breach of implied contract, (2) negligence, (3) violation of
California’s Unfair Competition Law (“UCL”) Unlawful Business Practices (for
alleged violations of the FTC Act and California Civil Code § 1798.81.5), and (4)
violation of California’s UCL Unfair Business Practices. (Doc. 92 at 6–7, 59–60).
This case is now before the Court on Plaintiffs’ Motion for Class
Certification (Doc. 131) and Brinker’s Motion to Exclude Expert Opinions and
Testimony of Daniel J. Korczyk (Doc. 142). On February 25, 2021, the Court
held a hearing on the motions, the record of which is incorporated herein. (Doc.
165). Plaintiffs seek to certify two classes: (1) a Nationwide Class for the breach
of implied contract and negligence claims and (2) a California Statewide Class
for the California consumer protection claims. (Doc. 131 at 1). Because Brinker’s
Motion to Exclude Expert Opinions and Testimony is critical to Plaintiffs’
Motion for Class Certification, the Court will begin its discussion there.
II. DAUBERT MOTION
Plaintiffs’ expert, Daniel J. Korczyk, is offered to show that a common
4
method of calculating class members’ damages exists for purposes of
predominance under Federal Rule of Civil Procedure 23(b)(3). (Doc. 132-1 ¶ 16).
Brinker filed a Daubert motion to exclude Korczyk’s testimony (Doc. 142), to
which Plaintiffs responded (Doc. 152), and Brinker replied (Doc. 154).
Under Federal Rule of Evidence 702, an expert witness may testify if (1)
the expert’s “specialized knowledge will help the trier of fact to understand the
evidence or to determine a fact in issue;” (2) “the testimony is based on sufficient
facts or data;” (3) “the testimony is the product of reliable principles and
methods;” and, (4) “the expert has reliably applied the principles and methods
to the facts of the case.” The party offering the expert witness carries the burden
of proof to satisfy the elements by a preponderance of the evidence. Rink v.
Cheminova, Inc., 400 F.3d 1286, 1292 (11th Cir. 2005). District courts serve as
gatekeepers to ensure juries hear only reliable and relevant information. See
Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579, 597 (1993). However,
exclusion is not done lightly: “[v]igorous cross-examination, presentation of
contrary evidence, and careful instruction on the burden of proof are the
traditional and appropriate means of attacking shaky but admissible [expert]
evidence.” Daubert, 509 U.S. at 596.
Korczyk graduated from Notre Dame and has a Master of Finance from
DePaul University. (Doc. 132-1 ¶ 2). Korczyk is a Certified Public Accountant
and holds several accreditations including one in business valuations and
5
another in financial forensics from the American Institute of Certified Public
Accountants. Id. Korczyk has almost forty years’ experience in public
accounting, including serving as a lead case analyst 1 in other data breach
actions where he was also tasked with finding a common method to calculate
damages. (Docs. 132-1 ¶ 2; 152-5 ¶ 43). To create his damages methodology,
Korczyk solicited assistance from other professionals at his financial advisory
services firm, with whom he worked on the other data breach cases. (Doc. 1321 ¶¶ 1, 3, 14–15).
Brinker argues Korczyk has no expertise in this area because he has only
worked on data breach cases involving financial institution plaintiffs (Doc. 142
at 5–6); however, the calculations required in the financial institution cases are
similar to those needed here as they also included the valuation of replacing
compromised cards and reimbursing fraudulent charges, see In re Sonic Corp.
Customer Data Breach Litig., No. 1:17-md-02807-JSG, 2020 WL 6701992, at *7
(N.D. Ohio Nov. 13, 2020) (certifying class in which Korczyk served as a lead
case analyst under the damages expert to create a damages model, see (Doc.
152-5 ¶ 43)). Further, Korczyk’s expertise would be helpful to a jury because it
provides a starting point to decide damages in a context unfamiliar to many.
The Court finds that Korczyk possesses “specialized knowledge” that “will help
According to Korczyk, a lead case analyst works under the testifying
expert. (Doc. 152-5 at 14 n.52).
1
6
the trier of fact to understand the evidence or to determine a fact in issue.” Fed.
R. Evid. 702; see also Daubert, 509 U.S. at 589–90.
Brinker spends most of its time disputing the reliability of Korczyk’s
methodology, first arguing that it is not based on sufficient facts or data because
it is “predicated on his review of random, unverified, non-peer reviewed internet
articles that his staff located through basic Google searches.” (Doc. 142 at 13).
However, Korczyk sufficiently supports his decisions; many of his online sources
are government or other reputable websites. (Doc. 132-1 at 32–33).
Brinker also argues that the methodology is (1) overinclusive and is not
based on reliable principles and methods and (2) not accurately applied to the
facts here. (Doc. 142 at 6–8). Under Korczyk’s damages methodology, all class
members would receive a standard dollar amount for lost opportunities to
accrue rewards points (whether or not they used a rewards card), the value of
cardholder time (whether or not they spent any time addressing the breach),
and out-of-pocket damages (whether or not they incurred any out-of-pocket
damages). Id. at 12–13. Korczyk employs an averages method to compute
damages, reasoning that the delta between class members’ damages is minimal
irrespective of the type of card used or time spent. (Doc. 152-5 at 7). As with any
averages calculation, over or under inclusivity is going to be a risk, but the
Supreme Court has approved the use of averages methods to calculate damages.
See Tyson Foods, Inc. v. Bouaphakeo, 577 U.S. 442, 459–61 (2016) (holding that
7
a damages expert testifying to the average time spent donning and doffing
protective equipment was permitted and enough to show predominance, and
that the persuasiveness of the average as a reflection of the time actually
worked was a matter for a jury). Further, as Korczyk states, at this point his
testimony is offered to show that a reliable damages calculation methodology
exists, not to calculate class members’ damages. (Doc. 152-5 ¶¶ 37–38). Korczyk
states he will continue researching and vetting data sources for accurate
numbers to use in the final damages calculation. Id. ¶ 38. At the motion for
class certification stage, Korczyk’s methodology is sufficiently supported by
data, reliable, and reliably applied.
III. CLASS CERTIFICATION
Plaintiffs seek certification of two Rule 23(b)(3) damages classes or in the
alternative, various Rule 23(c)(4) issues classes. (Doc. 131 at 1, 24). Brinker
responded in opposition (Doc. 141), and Plaintiffs replied (Doc. 148). Plaintiffs’
proposed classes are as follows:
All persons residing in the United States who made a
credit or debit card purchase at any affected Chili’s
location during the period of the Data Breach (the
“Nationwide Class”).
All persons residing in California who made a credit or
debit card purchase at any affected Chili’s location
during the period of the Data Breach (the “California
Statewide Class”).
(Doc. 131 at 1).
8
All class actions must meet the prerequisites found in Federal Rule of
Civil Procedure 23(a), which are (1) numerosity, (2) commonality, (3) typicality,
and (4) adequacy of representation and one of the three requirements in 23(b).
Rule 23(c)(4) also allows class certification with respect to particular issues. A
district court must conduct a “rigorous analysis” to determine whether the
requirements of Rule 23 have been met. Brown v. Electrolux Home Prod., Inc.,
817 F.3d 1225, 1234 (11th Cir. 2016) (quoting Wal-Mart Stores, Inc. v. Dukes,
564 U.S. 338, 350–51 (2011)). The party seeking class certification has the
burden of proof and must affirmatively show compliance with Rule 23. WalMart, 564 U.S. at 350. A court should only consider the merits of the underlying
claim to the extent “that they are relevant to determining whether the Rule 23
prerequisites for class certification are satisfied.” Amgen Inc. v. Connecticut
Ret. Plans & Tr. Funds, 568 U.S. 455, 466 (2013).
A. Standing
Despite the Court addressing standing in this case twice now (Docs. 65,
122), it must engage in the inquiry again. See Griffin v. Dugger, 823 F.2d 1476,
1482 (11th Cir. 1987) (“[A]ny analysis of class certification must begin with the
issue of standing . . . .”). Standing requires a plaintiff to have “(1) suffered an
injury in fact, (2) that is fairly traceable to the challenged conduct of the
defendant, and (3) that is likely to be redressed by a favorable judicial decision.”
Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as revised (May 24, 2016)
9
(citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)). Plaintiffs bear
the burden of establishing the elements of standing “in the same way as any
other matter on which the plaintiff bears the burden of proof, i.e., with the
manner and degree of evidence required at the successive stages of the
litigation.” Lujan, 504 U.S. at 561. Plaintiffs must “affirmatively demonstrate
[their] compliance with [Rule 23];” therefore, Plaintiffs must demonstrate that
at least one Plaintiff for both the Nationwide and California Classes possesses
standing. Wal-Mart, 564 U.S. at 350; see also Cordoba v. DIRECTV, LLC, 942
F.3d 1259, 1273 (11th Cir. 2019); Fla. Pediatric Soc’y/ Fla. Chapter of Am. Acad.
of Pediatrics v. Benson, No. 05-23037-CIV-JORDAN, 2009 WL 10668660, at *2
n.3 (S.D. Fla. Sept. 30, 2009) (“At the class certification stage, the plaintiffs need
only make an allegation, supported by ‘factual proffers’ such as affidavits, that
a plaintiff has standing.” (citing Prado-Steiman ex rel. Prado v. Bush, 221 F.3d
1266, 1280 (11th Cir. 2000))).
Further, the Eleventh Circuit recently issued a decision regarding
standing in the data breach context. See Tsao v. Captiva MVP Rest. Partners,
LLC, 986 F.3d 1332 (11th Cir. 2021). In Tsao, the plaintiff used his payment
card at two PDQ restaurants during a time when PDQ was subject to a data
breach by hackers. Id. at 1335. The plaintiff did not allege that he incurred
fraudulent charges, but after PDQ announced the breach, he cancelled his
payment cards and spent time speaking with his bank. Id. at 1335–36. The
10
Eleventh Circuit first held that any future risk of identity theft was too
speculative to confer standing. Id. at 1344. The Eleventh Circuit then held that
without evidence or alleged facts showing that there was some misuse of the
plaintiff’s data, the plaintiff did not have standing because “[t]he mitigation
costs [the plaintiff] allege[d] are inextricably tied to his perception of the actual
risk of identity theft following the . . . data breach.” Id. at 1344–45. The
Eleventh Circuit reasoned that the plaintiff could not “conjure standing . . . by
inflicting injuries on himself to avoid an insubstantial, non-imminent risk of
identity theft.” Id. at 1345.
Consistent with the Eleventh Circuit’s view, the Court, in previous
orders, already dismissed Named Plaintiffs who alleged only future injuries
(Doc. 65), but the Court is considering the issue of potential “manufactured
injuries” for the first time here. Given the timing of the Tsao decision, the
parties did not have an opportunity to address the case in their briefs, but they
were able to argue the case at the hearing.
Brinker’s primary argument is that Plaintiffs have not met their
evidentiary burden to establish standing. (Doc. 141 at 18–20). Plaintiffs state
that they have demonstrated standing in their responses to Brinker’s Motion to
Dismiss. (Doc. 131 at 6). In their Reply in Support of Class Certification,
Plaintiffs point to Brinker’s evidence to establish standing (Doc. 148 at 3), and
at the hearing, Plaintiffs further supported their standing arguments with
11
additional evidence (Doc. 165).
Under Tsao, while Plaintiffs need not show actual misuse of their data,
Plaintiffs must show some misuse to justify their injuries. See Tsao, 986 F.3d
at 1344. The Eleventh Circuit did not clarify what constitutes “some misuse,”
but it seemed to acknowledge that non-conclusory specific allegations of
unauthorized charges would meet this standard. Id. at 1343. Here, Theus and
Franklin have met the Tsao standard because they both allege and testify that
they experienced unauthorized charges on their accounts after the Data Breach.
(Docs. 95 ¶¶ 32, 39–40; 146-2 at 90:11–25; 146-7 at 91:9–19). Steinmetz does
not allege that he experienced any fraudulent charges, and in a deposition, he
confirmed he had no unauthorized charges on his account. (Doc. 146-4 at 144:6–
14). However, Plaintiffs assert that all of the payment card information taken
in the Data Breach is on the dark web. (Doc. 165 at 26:6–12, 27:4–9). Evidence
of Plaintiffs’ information being posted on the dark web is likely enough to show
actual misuse and it certainly meets the standard of some misuse. See Tsao,
986 F.3d at 1344. Because Plaintiffs have shown evidence of some misuse,
Plaintiffs’ alleged actual injuries as a result of the Data Breach are not
manufactured. See id. at 1345.
In addition, all Plaintiffs allege and have testified that they experienced
actual injuries including late fees due to insufficient funds or time spent
replacing cards and traveling to the bank. (Docs. 146-2 at 42:10–14; 146-4 at
12
160:20–161:7; 146-7 at 46:5–9; 148 at 3); see also Lujan, 504 U.S. at 560–61.
These injuries are fairly traceable to the Data Breach and could be redressed
by a favorable judicial decision. See Lujan, 504 U.S. at 560–61. Thus, Plaintiffs
have met their burden to establish standing. Cf. In re Checking Account
Overdraft Litig., 275 F.R.D. 666, 670–71 (S.D. Fla. 2011) (“In making the
decision, the Court . . . may consider the factual record in deciding whether the
requirements of Rule 23 are satisfied.” (citing Valley Drug Co. v. Geneva
Pharms., Inc., 350 F.3d 1181, 1188 n.15 (11th Cir.2003))).
B. Rule 23 Threshold Requirements
Before a district court may grant a motion for class certification, a
plaintiff seeking to represent a class must establish two threshold
requirements: (1) that the proposed class is “adequately defined and clearly
ascertainable,” Little v. T-Mobile USA, Inc., 691 F.3d 1302, 1304 (11th Cir.
2012), and (2) that the representative plaintiffs are a part of the class, E. Texas
Motor Freight Sys. Inc. v. Rodriguez, 431 U.S. 395, 403 (1977). While many
courts merge these requirements with other Rule 23(a) requirements, the Court
discusses these requirements as a threshold matter to clarify the exact class the
Court is certifying.
13
1. With a few revisions, Plaintiffs’ proposed class is
adequately defined and clearly ascertainable.
A class is ascertainable “if it is adequately defined such that its
membership is capable of determination.” Cherry v. Dometic Corp., 986 F.3d
1296, 1304 (11th Cir. 2021). Plaintiffs can rely on a defendant’s records, but the
records should be “useful for identification purposes,” and identification should
be “administratively feasible.” Karhu v. Vital Pharm., Inc., 621 F. App’x 945,
948 (11th Cir. 2015). However, the Eleventh Circuit has held that
ascertainability does not require administrative feasibility. Cherry, 986 F.3d at
1304. Further, the class definition must be adequately defined. The Eleventh
Circuit has refused to adopt a rule regarding whether a class definition is
overbroad if it includes uninjured plaintiffs. See Cordoba, 942 F.3d at 1275–76
(noting the Seventh Circuit’s rule that a class is properly defined so long as it
is apparent that the class does not contain a “great many” uninjured persons
(quoting Kohen v. Pac. Inv. Mgmt. Co. LLC, 571 F.3d 672, 677 (7th Cir. 2009))).
Instead, the Eleventh Circuit has instructed district courts to address the issue
of potential individualized issues of standing with respect to the class as a whole
in the predominance analysis. Id. at 1277.
Brinker argues that the class is not ascertainable because Plaintiffs’
method of identifying class members relies on an individualized self-
14
identification process and that the definition is overbroad because it includes
possibly many uninjured class members. (Doc. 141 at 21–25). Plaintiffs argue
the class is ascertainable because it does not rely on self-identification, instead
it relies on Brinker’s transaction records and Fiserv’s, the processor of the cards,
records of the cards pulled off the dark web. (Docs. 148 at 4; 165 at 50:1–10).
Brinker and Fiserv’s records are useful for identification purposes and
identification is administratively feasible because Plaintiffs can use Brinker’s
records to identify individuals who used payment cards at affected locations
during affected times and Fiserv’s records to show which cards were on the dark
web. See Karhu, 621 F. App’x at 948. While some individuals identified through
these records may be in the proposed class despite not having experienced any
injuries (overdraft fees, time spent, etc.), a simple modification to the class
definition remedies this issue.
While the class is ascertainable as written, the Court finds that the class
definition should be narrowed to prevent both the definition from being
overbroad, and to prevent predominance issues regarding standing. 7A
CHARLES ALAN WRIGHT & ARTHUR R. MILLER, FEDERAL PRACTICE AND
PROCEDURE § 1760 (3d ed. 2020) (“[A Court] has discretion to limit or redefine
the class in an appropriate manner to bring the action within Rule 23.”). The
Court clarifies that class members’ data must have been “accessed by
cybercriminals” and that class members must have “incurred reasonable
15
expenses or time spent in mitigation of the consequences of the Data Breach,”
such that the new definitions are as follows:
All persons residing in the United States who made a
credit or debit card purchase at any affected Chili’s
location during the period of the Data Breach (March
and April 2018) who: (1) had their data accessed by
cybercriminals and, (2) incurred reasonable expenses
or time spent in mitigation of the consequences of the
Data Breach (the “Nationwide Class”).
All persons residing in California who made a credit or
debit card purchase at any affected Chili’s location
during the period of the Data Breach (March and April
2018) who: (1) had their data accessed by
cybercriminals and, (2) incurred reasonable expenses
or time spent in mitigation of the consequences of the
Data Breach (the “California Statewide Class”).
These clarifiers avoid later predominance issues regarding standing and
the inclusion of uninjured individuals because now individuals are not in the
class unless they have had their data “misused” per the Eleventh Circuit’s Tsao
decision, either through experiencing fraudulent charges or it being posted on
the dark web. See Tsao, 986 F.3d at 1344. Further, under the revised definition,
individuals must have some injury in the form of out-of-pocket expenses or time
spent to be a part of the class. While these clarifiers might make ascertaining
the class more difficult as some self-identification may be required, it does not
make it impossible; thus, ascertainability continues to be satisfied under the
new class definition. See Cherry, 986 F.3d at 1304.
16
2. Named Plaintiffs are in the class.
Another threshold requirement of Rule 23 is that the representative
plaintiffs be a part of the class. E. Texas Motor Freight Sys. Inc., 431 U.S. at
403 (“[A] class representative must be part of the class and possess the same
interest and suffer the same injury as the class members.” (quotation marks
omitted)). Here, Plaintiffs offer as evidence a report conducted by an
independent data investigator which details when each Chili’s restaurant
around the nation was affected by the breach. (Docs. 146-1; 155-3; 165 at 24:10–
15). Individuals who dined at locations within the affected period are likely in
the class; however, the report is imperfect as several of the dates could not be
validated. (Doc. 146-1 at 32). The following table shows when Plaintiffs
allegedly dined at their various restaurants, and the relevant period for those
restaurants:
Name
Theus
Franklin
Franklin
Location
Chili’s
Firewheel
Garland, TX
(Docs. 95 ¶ 30;
146-7 at 76:24–
78:7)
Carson, CA
(Doc. 95 ¶¶ 35–
36)
Lakewood, CA
(Doc. 95 ¶¶ 35–
36)
Date Dined
On or about
March 31, 2018
(Doc. 95 ¶ 31)
Affected Period
March 22, 2018–April 22,
2018
(Doc. 146-1 at 9)
On or about
March 17, 2018
(Doc. 95 ¶¶ 35–
36)
On or about April
22, 2018
(Doc. 95 ¶¶ 35–
36)
March 30, 2018–April 22,
2018 (Doc. 146-1 at 32)
17
March 22, 2018–April 21,
2018 (Doc. 146-1 at 32)
Steinmetz North Las
Vegas, NV
(Docs. 95 ¶ 42;
146-4 at
128:17–129:4)
On or about April
4, 2018
(Doc. 95 ¶ 42)
April 4, 2018– April 21,
2018 (Doc. 146-1 at 25)
Franklin’s first transaction would not qualify him for the class without
additional evidence, as he dined several days outside the affected time range.
Franklin’s second transaction, while currently one day outside the range, is a
“could not validate date” entry. (Doc. 146-1 at 32). Looking at the totality of the
evidence, including the unauthorized charges on Franklin’s account after the
breach (Doc. 95 ¶ 37), and the proximity of the second transaction to the
projected affected period, the Court finds Franklin is a part of the class.
Theus and Steinmetz are in the class because they dined at affected
locations during affected periods. Brinker argues Steinmetz is not in the class
because there is a question of fact as to the exact date he dined. (Doc. 141 at
10). The date alleged in the Third Amended Complaint is the date reflected in
the above chart, but in a deposition, Steinmetz testified that he dined on April
3, 2018, and in an interrogatory, he testified that he dined on April 2, 2018.
(Doc. 146-4 at 130:10, 129:21–23). Regardless of the fact question, the Court
finds that Steinmetz is in the class because the alleged date is within the
affected time frame and the testified-to dates are very close to the affected time
18
frame. 2 If facts showing otherwise arise later, the Court will reevaluate
whether any Named Plaintiffs should be dismissed.
C. Rule 23(a) Requirements
Rule 23(a) requires a class (1) be “so numerous that joinder of all members
is impracticable;” (2) have “questions of law or fact common to the class;” (3)
have representative parties with “claims or defenses” that “are typical of the
claims or defenses of the class;” and, (4) have representative parties that “will
fairly and adequately protect the interests of the class.” These requirements are
commonly known as numerosity, commonality, typicality, and adequacy of
representation; each are discussed in turn below.
1. Numerosity is satisfied.
“Although mere allegations of numerosity are insufficient to meet this
prerequisite, a plaintiff need not show the precise number of members in the
class.” Evans v. U.S. Pipe & Foundry Co., 696 F.2d 925, 930 (11th Cir. 1983).
Here, numerosity is satisfied because evidence shows that the number of
compromised cards could be as high as 4.5 million. (Docs. 131 at 8; 155-2 at 5).
Other district courts have expressed reservations in finding numerosity
in data breach cases. See In re Hannaford Bros. Co. Customer Data Sec. Breach
Litig., 293 F.R.D. 21, 26 (D. Me. 2013) (“I am certainly concerned that if this
If evidence later shows that Steinmetz is not in the class, Theus could
still represent the Nationwide Class.
2
19
case proceeds as a class action, few class members will ultimately be interested
in taking the time to file the paperwork necessary to obtain the very small
amount of money that may be available if there is a recovery.”). While the court
in Hannaford held that numerosity was satisfied, it also expressed its concerns
with another data breach case from Texas, In re Heartland Payment Sys., Inc.
Customer Sec. Breach Litig., 851 F. Supp. 2d 1040 (S.D. Tex. 2012). In
Heartland, there were over 130 million claimants, but after settlement only 290
individuals filed claims, only 11 of which were valid. Hannaford, 293 F.R.D. at
26 (citing Heartland, 851 F. Supp. at 1050). The Hannaford court ultimately
held that since there is no precedent regarding the consideration of potential
class member disinterest, the court would not consider it in deciding
numerosity. Id. The Court agrees that it should not consider how many of the
claimants may not be interested in participating. Thus, the numerosity
requirement is met.
2. Commonality is satisfied.
“Commonality requires the plaintiff to demonstrate that the class
members ‘have suffered the same injury[.]’” Wal-Mart, 564 U.S. at 349–50
(quoting Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 157 (1982)). Plaintiffs must
show that a “common contention” exists that is “capable of classwide resolution”
such that a “determination of its truth or falsity will resolve an issue that is
central to the validity of each one of the claims in one stroke.” Id. at 350.
20
Further, commonality does not require that every question of law or fact be
common, only that common questions exist. Id. at 359 (“We quite agree that for
purposes of Rule 23(a)(2) [e]ven a single [common] question will do.” (quotation
marks omitted) (alterations in original)).
Plaintiffs offer several questions that are common to the class and capable
of classwide resolution, including whether Brinker had a duty to protect
customer data, whether Brinker knew or should have known its data systems
were susceptible, and whether Brinker failed to implement adequate data
security measures to protect customers’ data. (Doc. 131 at 9). In particular, the
final question is common to every claim in both the proposed Nationwide Class
and the proposed California Statewide Class. Commonality is satisfied.
3. Typicality is satisfied.
The commonality and typicality analyses often overlap as they are both
focused on “whether a sufficient nexus exists between the legal claims of the
named class representatives and those of individual class members to warrant
class certification.” Prado-Steiman ex rel., 221 F.3d at 1278. “Traditionally,
commonality refers to the group characteristics of the class as a whole and
typicality refers to the individual characteristics of the named plaintiff in
relation to the class.” Id. at 1279. Typicality is satisfied if “the claims or defenses
of the class and the class representative arise from the same event or pattern
or practice and are based on the same legal theory.” Kornberg v. Carnival
21
Cruise Lines, Inc., 741 F.2d 1332, 1337 (11th Cir. 1984). Further, “[d]ifferences
in the amount of damages between the class representative and other class
members does not affect typicality.” Id.
Here, all Plaintiffs’ injuries arise out of the same series of events, the Data
Breach (Doc. 95 ¶ 9), and all of their stolen information was posted on Joker
Stash (Doc. 165 at 26:6–12, 27:4–9). Further, Plaintiffs all allege the same
claims (Doc. 95 ¶¶ 39, 42, 57, 63, 67), and like each other class member they
must show that Brinker was negligent, breached an implied contract, or
violated California’s UCL, and that Brinker’s conduct caused their damages,
which are alleged to be similar. Because the only difference between Named
Plaintiffs and putative class members is the amount of damages, typicality is
satisfied. See Kornberg, 741 F.2d at 1337.
4. Adequacy of representation is satisfied.
“Adequacy of representation means that the class representative has
common interests with unnamed class members and will vigorously prosecute
the interests of the class through qualified counsel.” Piazza v. Ebsco Indus., Inc.,
273 F.3d 1341, 1346 (11th Cir. 2001) (citations and quotation marks omitted).
This analysis includes two inquiries: “(1) whether any substantial conflicts of
interest exist between the representatives and the class; and (2) whether the
representatives will adequately prosecute the action.” Valley Drug Co., 350 F.3d
at 1189 (quoting In re HealthSouth Corp. Securities Litigation, 213 F.R.D. 447,
22
460–461 (N.D. Ala. 2003)). Plaintiffs request that the Court appoint Theus,
Franklin, and Steinmetz as Class Representatives, and Federman &
Shorewood, Morgan & Morgan Complex Litigation Group, and LippSmith LLP3
as Class Counsel. (Doc. 131 at 13–14).
Adequacy of representation is satisfied because there is no evidence of
any conflicts and the Named Plaintiffs have been actively involved in the
litigation, including engaging in both lengthy interrogatories and depositions.
(Docs. 146-2, 146-3, 146-4, 146-7, 146-8). Further, class counsel is qualified to
prosecute this case. Rule 23(g) requires a court to appoint class counsel that will
“fairly and adequately represent the interests of the class.” Courts must
consider (1) “the work counsel has done in identifying or investigating potential
claims;” (2) “counsel’s experience in handling class actions, other complex
litigation, and the types of claims asserted in the action;” (3) “counsel’s
knowledge of the applicable law;” and, (4) “the resources that counsel will
commit to representing the class . . . .” Fed. R. Civ. P. 23(g)(1). Here, class
counsel is vigorously prosecuting the case and they all have extensive
experience in handling class actions. (Doc. 131-1).
Two of Plaintiffs’ interim class counsel, Graham B. LippSmith and
Jaclyn L. Anderson were formerly associated with Kasdan LippSmith Weber
Turner LLP. (Doc. 151).
3
23
D. Rule 23(b)(3) Damages Class
One of the most compelling justifications for a class action is the
possibility of negative value suits; Rule 23(b)(3) class actions allow the
“vindication of the rights of groups of people who individually would be without
effective strength to bring their opponents into court at all.” Amchem Prod., Inc.
v. Windsor, 521 U.S. 591, 617 (1997) (citations and quotation marks omitted);
see also Rutstein v. Avis Rent-A-Car Sys., Inc., 211 F.3d 1228, 1240 n.21 (11th
Cir. 2000). A Rule 23(b)(3) “damages class” is appropriate if “the court finds that
the questions of law or fact common to class members predominate over any
questions affecting only individual members, and that a class action is superior
to other available methods for fairly and efficiently adjudicating the
controversy.” Fed. R. Civ. P. 23(b)(3) (emphasis added).
1. Predominance is satisfied.
“Even if the court can identify common questions of law or fact, . . . [t]he
predominance
inquiry . . . is
far
more
demanding
than
Rule
23(a)’s
commonality requirement.” Vega v. T-Mobile USA, Inc., 564 F.3d 1256, 1270
(11th Cir. 2009) (citations and quotation marks omitted) (alterations in
original). “[W]here . . . plaintiffs must still introduce a great deal of
individualized proof or argue a number of individualized legal points to
establish most or all of the elements of their individual claims, such claims are
not suitable for class certification under Rule 23(b)(3) . . . .” Id. (quoting Klay v.
24
Humana, Inc., 382 F.3d 1241, 1255 (11th Cir. 2004), abrogated in part on other
grounds by Bridge v. Phoenix Bond & Indem. Co., 553 U.S. 639 (2008)). While
the Court finds that predominance is satisfied, several issues warrant
discussion.4
i. Standing
Whether excessive uninjured persons are included in the class is analyzed
under predominance. See Cordoba, 942 F.3d at 1277. If proving class member
standing will require individualized proof, predominance is likely not satisfied.
See id. at 1277. The Court has narrowed Plaintiffs’ class definition to include
only those individuals who have had their data “accessed by cybercriminals”
and those that have “incurred reasonable expenses or time spent in mitigation
of the consequences of the Data Breach.” These additions eliminate concerns of
a lack of predominance as to standing because individuals are not in the class
unless they have had both their data misused and incurred reasonable expenses
or wasted time. See Tsao, 986 F.3d at 1344. Plaintiffs have also offered a
common method of showing misuse through the use of Brinker and Fiserv’s
In addition to the arguments detailed below, Brinker argues that
whether an implied contract existed between Brinker and class members is an
individualized inquiry that defeats predominance. (Doc. 141 at 30–33). The
cases cited are non-binding and factually dissimilar, and the argument was not
further developed at the hearing. The Court finds this argument meritless.
4
25
records.5
ii. Choice of Law
Choice of law is only an issue for the Nationwide Class as California law
applies to the California Statewide Class. (Doc. 131 at 1). The application of
different states’ laws often precludes a finding of predominance. See e.g.,
Teggerdine v. Speedway, LLC, No. 8:16-CV-03280-T-27TGW, 2018 WL
2451248, at *5–6 (M.D. Fla. May 31, 2018); Shepherd v. Vintage Pharm., LLC,
310 F.R.D. 691, 699–700 (N.D. Ga. 2015). However, the Eleventh Circuit has
held that while “class certification is impossible where the fifty states truly
establish a large number of different legal standards governing a particular
claim” if “a claim is based on a principle of law that is uniform among the states,
class certification is a realistic possibility.” Klay, 382 F.3d at 1261–62. In the
data breach context, the financial institution class actions certified have not
suffered from choice of law issues. See Smith v. Triad of Alabama, LLC, No.
1:14-CV-324-WKW, 2017 WL 1044692, at *13 (M.D. Ala. Mar. 17, 2017), on
reconsideration in part, 2017 WL 3816722 (M.D. Ala. Aug. 31, 2017) (certifying
data breach class action, but only Alabama law applied); In re Sonic Corp., 2020
WL 6701992, at *6–8 (certifying data breach class action, but only Oklahoma
law applied).
5
See the Court’s discussion on ascertainability above.
26
Under Florida choice of law rules, the “most significant relationship” test
applies to tort claims. Green Leaf Nursery v. E.I. DuPont De Nemours & Co.,
341 F.3d 1292, 1301 (11th Cir. 2003). In applying this test, courts consider “(a)
the place where the injury occurred, (b) the place where the conduct causing the
injury occurred, (c) the domicile, residence, nationality, place of incorporation
and place of business of the parties, and (d) the place where the relationship, if
any, between the parties is centered.” Id. (citations and quotation marks
omitted). For contract claims, Florida courts apply the “lexi loci contractus” rule
which states that “issues concerning the validity and substantive obligations of
contracts are governed by the law of the place where the contract is made.”
Trumpet Vine Invs., N.V. v. Union Capital Partners I, Inc., 92 F.3d 1110, 1119
(11th Cir. 1996).
Plaintiffs assert that Florida law applies to the negligence and breach of
implied contract claims and Brinker asserts that Texas law applies to the
negligence claim and all fifty states’ laws apply to the breach of implied contract
claim. (Doc. 165 at 34:11–14, 38:7–19). Either Florida or Texas law will apply
to the negligence claim under the “most substantial relationship” test, so that
claim is not a concern for manageability or predominance.
Plaintiffs base their argument that only Florida law applies to their
breach of implied contract claim on dicta from Singer v. AT & T Corp., 185
F.R.D. 681, 691–92 (S.D. Fla. 1998) (“The case upon which AT & T relies merely
27
stands for the proposition that the forum state cannot automatically apply its
laws if it materially conflicts with the law of another state and there is no
apparent connection to the forum state.”), arguing that because state breach of
implied contract laws do not materially differ and because Brinker has
connections to Florida, Florida law should apply. (Doc. 131 at 18–20). Plaintiffs
fail to clarify how this principle interacts with Florida choice of law rules
including lexi loci contractus. While the Court is not tasked with deciding choice
of law issues at this stage, there is more than a mere a possibility that all fifty
states’ laws will apply to the breach of implied contract claim, so Plaintiffs must
show that the class will be manageable despite the potential application of
multiple states’ laws.
The possibility that all fifty states’ laws will apply to a claim has
concerned other courts considering class certification in the data breach context
with financial institution plaintiffs. See S. Indep. Bank v. Fred’s, Inc., No. 2:15CV-799-WKW, 2019 WL 1179396, at *13–19 (M.D. Ala. Mar. 13, 2019). In S.
Indep. Bank, the court held that the plaintiffs “must prove through an extensive
analysis . . . that there are no material variations among the law of the states
for which certification is sought.” Id. at *14 (citations and quotation marks
omitted); see also Sacred Heart Health Sys., Inc. v. Humana Military
Healthcare Servs., Inc., 601 F.3d 1159, 1180 (11th Cir. 2010) (stating that in
cases where all fifty states’ laws might apply, the party seeking class
28
certification must “provide an extensive analysis of state law variations to
reveal whether these pose insuperable obstacles” (quotation marks omitted)).
The plaintiffs in S. Indep. Bank submitted two tables, one showing that each
jurisdiction recognizes the basic elements of negligence and another
representing one version of each state’s economic loss rule. Id. at *18. The court
held that the plaintiffs failed to meet their burden to conduct an extensive
analysis and that the variations in negligence law and the economic loss
doctrine among the fifty states were unmanageable. Id.
Plaintiffs submitted two charts detailing the differences in states’
negligence and breach of implied contract laws. (Docs. 156-1, 156-2). Similar to
the lackluster tables in S. Indep. Bank, Plaintiffs’ breach of implied contract
chart only details what must be pled to allege the existence of an implied
contract, not what must be proven to show the breach of an implied contract.
See (Doc. 156-1). Plaintiffs have failed to engage in the extensive analysis
required by the Eleventh Circuit to show that a class action adjudicating a
breach of implied contract claim in this case is manageable. See Sacred Heart,
601 F.3d at 1180.
Thus, the Court’s certification of the Nationwide Class will be limited to
Plaintiffs’ negligence claim. If Plaintiffs wish to pursue a Nationwide Class
claim based on their breach of implied contract theory, they must complete a
trial plan detailing how the Court will manage a class action applying all fifty
29
states’ laws to the breach of implied contract claim. The trial plan should
provide an extensive analysis of all fifty states’ laws regarding breach of implied
contract claims so the Court may determine whether there are material
differences among states’ laws. In addition, the trial plan should address the
commonalities and differences among the state laws and propose a method of
grouping the laws so that the Court may apply the state laws effectively and
efficiently if needed. Brinker will be entitled to respond in opposition to the trial
plan. Should the Court find that the trial plan is sufficient, the Court can
determine whether to amend its class certification to include the breach of
implied contract claim.6
On February 2, 2021, five months after the deadline for filing the motion
for class certification (Doc. 102), Plaintiffs’ counsel filed two exhibits
inadvertently left off the initial class certification filing (Doc. 156). The two
exhibits are Plaintiffs’ charts detailing the differences among states’ laws
regarding negligence (Doc. 156-2), and breach of implied contract (Doc. 156-1).
The charts were cited in Plaintiffs’ class certification motion as “Exhibit B” and
“Exhibit C” but in the initial filing, other unrelated exhibits were labeled under
the same names. Id. Plaintiffs noticed their mistake after providing the Court
with other missing documents requested by the Court. Id. at 4. On February 5,
2021, Brinker moved to strike the state law chart exhibits as untimely (Doc.
159), and Plaintiffs responded (Doc. 163).
6
In light of the Court’s ruling on the state law applicability to the
negligence claim, and the requirement that Plaintiffs file a trial plan on state
laws as applied to the breach of implied contract claim, the motion to strike is
moot. The trial plan will subsume the state law charts so they are now
immaterial.
30
iii. Causation and Damages
Issues of causation often lead to predominance concerns, see City of St.
Petersburg v. Total Containment, Inc., 265 F.R.D. 630, 635–36 (S.D. Fla. 2010),
but individual issues of damages typically do not defeat predominance,
Allapattah Servs., Inc. v. Exxon Corp., 333 F.3d 1248, 1261 (11th Cir. 2003),
aff’d sub nom. Exxon Mobil Corp. v. Allapattah Servs., Inc., 545 U.S. 546 (2005).
However, “there are . . . extreme cases in which computation of each
individual’s damages will be so complex, fact-specific, and difficult that the
burden on the court system would be simply intolerable . . . .” Klay, 382 F.3d at
1260.
Causation issues arise here because Franklin used his payment card in
2017 at a Whole Foods during a Whole Foods’ data incident.7 (Doc. 141. at 14).
Franklin experienced fraudulent charges after using his card at Whole Foods,
but he did not cancel the card. Id. at 14–15. The card Franklin used at Whole
Foods was the same card Franklin used at Chili’s during the Data Breach,
calling into question whether the Data Breach caused Franklin’s damages. Id.
at 14. Plaintiffs urge the Court to follow the reasoning of other courts that have
Whether the Data Breach caused Plaintiffs’ damages will largely not be
a concern for predominance because the important common question will be
whether Brinker’s conduct led to the posting of putative class members’
personal and payment card information on Joker Stash. If it has, class members
then just have to show that they took reasonable measures to mitigate the
consequences of the breach.
7
31
categorized this issue not as a causation issue, but as an amount-of-damages
issue, lowering the relative amount of damages the plaintiff received. See (Doc.
148 at 6–7); see also S. Indep. Bank, 2019 WL 1179396, at *11, *19–21 (stating
that “[d]efendant’s causation arguments [regarding plaintiff’s data being
subject to multiple breaches] are ultimately damages arguments” but denying
class certification because the damages issue required individualized proof).
The Court is partially persuaded by the S. Indep. Bank court, but it
acknowledges that the line between causation and damages in this context is
blurry. As hackers become more advanced, the number of data breaches will
likely increase, which means the likelihood that customers will be subject to
multiple data breaches is also increasing. See 140 AM. JUR. Trials § 327
(February 2021 update) (“Data breaches are an increasing problem for all
businesses and a significant concern for consumers and others whose data is in
the hands of these companies.”). Labeling the multiple breach issue as only a
causation issue or only an amount-of-damages issue creates a false dichotomy
and “is not a particularly useful method for deciding predominance.” See In re
Hannaford Bros., 293 F.R.D. at 31. At this stage, the Court finds the multiple
breach issue not a disqualifying causation issue, but rather to be determined at
the damages phase.
Plaintiffs’ expert, Korczyk, offers a common method of calculating
damages that allows the Court to determine individual class members’ damages
32
in a non-complex and non-burdensome way. See (Doc. 132-1 at 5). In his
Rebuttal Declaration, Korczyk states that his damages methodology properly
includes payment cards that may have been breached prior to the Data Breach
because “Card-Issuing Financial Institutions, without exception, have told [him
that] they work diligently to remove data breach compromised cards from
circulation.” (Doc 152-5 ¶ 41). While this statement is one that likely would be
heavily debated on cross-examination and may be discredited by a jury, it shows
for class certification purposes that a common method of addressing causation
and damages exists. In addition, if a jury decides that Korczyk’s methodology is
not an accurate reflection of multiple-breach class members’ damages, other
common methods of calculating damages exist, including using an average
relative reduction in damages. Most data breaches are very similar to one
another, such that a jury may find that a relative average reduction in damages
for every class member that has been subjected to other data breaches is
appropriate. As discussed above, the Supreme Court has approved the use of
averages methods to calculate damages, see Tyson Foods, 577 U.S. 459–61, and
the same rationale could apply here.
At this stage, causation and damages do not require significant
individualized proof such that individual questions predominate over common
ones. While the specifics of the damages calculation will be left to later
proceedings, if it becomes obvious at any time that the calculation of damages
33
(including accounting for multiple data breaches) will be overly burdensome or
individualized, the Court has the option to decertify the class.
2. Superiority is satisfied.
Rule 23(b)(3) provides four factors pertinent to a superiority discussion:
(1) “the class members’ interests in individually controlling the prosecution or
defense of separate actions;” (2) “the extent and nature of any litigation
concerning the controversy already begun by or against class members;” (3) “the
desirability or undesirability of concentrating the litigation of the claims in the
particular forum;” and (4) “the likely difficulties in managing a class action.”
The factors create a balancing test such that no one factor is dispositive. See
Cherry, 986 F.3d at 1304–05. The manageability inquiry should focus “on
whether a class action ‘will create relatively more management problems than
any of the alternatives,’ not whether it will create manageability problems in
an absolute sense.” Id. at 1304 (quoting Klay, 382 F.3d at 1273). The Eleventh
Circuit recently held that whether class members can be identified in an
administratively feasible manner should be considered under manageability.
See id. “‘Administrative feasibility’ means ‘that identifying class members is a
manageable process that does not require much, if any, individual inquiry.’”
Bussey v. Macon Cty. Greyhound Park, Inc., 562 F. App’x 782, 787 (11th Cir.
2014) (quoting Newberg on Class Actions § 3.3 at 164 (5th ed. 2012)). The
Eleventh Circuit has also held that the manageability factor should consider
34
the potential quantum of evidence each unknown class member will need to
bring if significant individualized issues exist. See Vega, 564 F.3d at 1278.
Further, when weighing the superiority factors, the Eleventh Circuit has
considered whether the case is a negative value case. See Carriuolo v. Gen.
Motors Co., 823 F.3d 977, 989 (11th Cir. 2016) (finding superiority when over
1,000 individuals had individual cases of low economic value).
Here, the first three factors all weigh in favor of superiority being
satisfied because significant litigation has proceeded, and allowing class
members to bring claims as one class will provide an efficient method of
adjudication while continuing to move along this almost three-year-old case.
Further, manageability is satisfied because identification of class members will
be administratively feasible given Brinker and Fiserv’s records, and despite
that some individual proof may be required to establish causation and damages,
the majority of issues will be subject to common proof.8 This class action will be
far easier to manage than individual trials because a class action will allow for
the sharing of resources and rendering of uniform decisions that cannot be
achieved through individual trials. Most importantly, class members’ claims,
similar to the claims in Carriuolo, are numerous and of low value. See
Carriuolo, 823 F.3d at 989. This case is the classic negative value case; if class
8
See the Court’s discussion regarding predominance above.
35
certification is denied, class members will likely be precluded from bringing
their claims individually because the cost to bring the claim outweighs the
potential payout. Thus, not only is a class action a superior method of bringing
Plaintiffs’ claims, it is likely the only way Plaintiffs and class members will be
able to pursue their case. See Smith, 2017 WL 1044692, at *15. Superiority is
satisfied.
E. Rule 23(c)(4) Issues Class
In the alternative to a Rule 23(b)(3) certification, Plaintiffs request
certification of various Rule 23(c)(4) issues classes. (Doc. 131 at 24–25). Given
that the Court is certifying the class under Rule 23(b)(3), a Rule 23(c)(4) class
is unnecessary.
V. CONCLUSION
Though this class action is not perfectly composed, on balance, the Court
finds it to be an appropriate (and perhaps the only) vehicle for adjudication of
the claims of Chili’s customers whose personal data was stolen. The Court
acknowledges it may be the first to certify a Rule 23(b)(3) class involving
individual consumers complaining of a data breach involving payment cards,
but it is also one of the first to consider the issue as many individual data breach
cases do not reach this point either due to settlement or other disposition. See
In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 485, 490
(D. Minn. 2015) (certifying financial institution data breach case, but noting
36
that the consumer class action settled); Tsao, 986 F.3d at 1345 (dismissing
consumer data breach class action for lack of standing). Plaintiffs have satisfied
all of the requirements of Rule 23.
Accordingly, it is hereby
ORDERED:
1. The Court DENIES Defendant Brinker International Inc.’s Motion to
Exclude Expert Opinions and Testimony of Daniel J. Korczyk. (Doc. 142).
2. Plaintiffs’ Motion for Class Certification is GRANTED in part and
DEFERRED in part. (Doc. 131).
a. The Court CERTIFIES the following class for Plaintiffs’
negligence claim only:
All persons residing in the United States who
made a credit or debit card purchase at any
affected Chili’s location during the period of the
Data Breach (March and April 2018) who: (1) had
their data accessed by cybercriminals and, (2)
incurred reasonable expenses or time spent in
mitigation of the consequences of the Data
Breach (the “Nationwide Class”).
b. The Court CERTIFIES the following class for all the California
state Unfair Competition Law claims:
All persons residing in California who made a
credit or debit card purchase at any affected
Chili’s location during the period of the Data
Breach (March and April 2018) who: (1) had their
data accessed by cybercriminals and, (2) incurred
reasonable expenses or time spent in mitigation
37
of the consequences of the Data Breach (the
“California Statewide Class”).
c. The Court DEFERS ruling on class certification with respect to
Plaintiffs’ breach of implied contract claim.
d. The Court GRANTS Plaintiffs’ Motion to Appoint Shenika
Theus,
Michael
Franklin,
and
Eric
Steinmetz
as
Class
Representatives, and Plaintiffs’ Motion to Appoint Federman &
Sherwood, Morgan & Morgan Complex Litigation Group, and
LippSmith LLP as Class Counsel.
3. If Plaintiffs wish to pursue a Nationwide Class claim on their breach of
implied contract theory, Plaintiffs shall file a trial plan no later than May 21,
2021. The trial plan should provide: (1) an extensive analysis of the
commonalities and differences among state breach of implied contract laws; (2)
a proposed method of grouping the laws so that the Court may apply the state
laws effectively and efficiently if needed; and (3) an analysis of any other trial
management issues associated with Plaintiffs’ breach of implied contract claim.
4. No later than June 21, 2021, Brinker may file a response to Plaintiffs’
trial plan.
5. The Court DENIES as moot Brinker’s Motion to Strike Late-Filed
Exhibits. (Doc. 159).
38
6. No later than June 21, 2021, the parties shall jointly file a Case
Management Report detailing how the Court should proceed.
DONE AND ORDERED in Jacksonville, Florida the 14th day of April,
2021.
cm
Copies:
Counsel of record
39
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?