Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023).  The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.

In March and April of 2018, hackers stole customer card data and personally identifiable information from Chili’s restaurant systems.  Discovery indicated that different locations were targeted at different times.  Hackers then posted the stolen information on an online marketplace for stolen payment data.  Three plaintiffs moved to certify injunctive relief and damages classes, which the district court granted.  The certified classes were defined in relevant part to include persons who had made credit or debit card purchases at affected Chili’s locations and “had their data accessed by cybercriminals.”

On appeal, the Eleventh Circuit held that two plaintiffs lacked Article III standing because their Chili’s visits fell outside the dates those locations were affected, which the court viewed as a “fatal causation issue.”  The third plaintiff, however, visited a Chili’s location during the period that location was affected; the Eleventh Circuit held that her injuries were fairly traceable to the breach.

The Eleventh Circuit also held that the third plaintiff adequately alleged a concrete injury.  In a prior case, it held that a data breach plaintiff can establish a concrete injury if, as a result of the breach, she experiences “misuse” of her data in some way.  See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021).  Here, the court held that an allegation that credit card information was exposed for sale on the dark web constituted “misuse,” giving rise to Article III standing.

Finally, the Eleventh Circuit remanded for the district court to reconsider its class certification ruling.  The Eleventh Circuit reasoned that the phrase “had their data accessed by cybercriminals” was broader than the “misuse” required by its precedent, yet the district court’s analysis assumed the terms were synonymous.  It thus instructed the district court to either limit the class definition to customers whose data was misused or to perform its predominance analysis again, taking the broader class definition into account.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Amy Heath Amy Heath

Amy Heath is a class action and commercial litigator who helps the world’s leading companies in the technology, consumer products, and other sectors navigate their most significant disputes. She has delivered extraordinary results, winning multiple cases involving billions of dollars in claims. Amy…

Amy Heath is a class action and commercial litigator who helps the world’s leading companies in the technology, consumer products, and other sectors navigate their most significant disputes. She has delivered extraordinary results, winning multiple cases involving billions of dollars in claims. Amy has had exceptional success with early dispositive motions, distilling complex arguments to show why claims should not proceed. A former intelligence analyst, Amy brings the same sound strategic judgment, analytical rigor, attention to detail, efficiency, and commitment to client service to her practice of law.

Amy frequently litigates matters involving privacy, wiretap, contract, consumer protection, fraud, unfair competition, antitrust, and intellectual property claims. She has significant experience throughout the litigation lifecycle, including:

  • developing strategies to coordinate litigation across jurisdictions, including multidistrict litigation;
  • briefing dismissal, class certification, and summary judgment motions;
  • taking depositions and managing discovery;
  • effectively navigating joint defense groups; and
  • drafting and arguing appeals.

Amy also regularly counsels clients on the strategic considerations related to arbitration agreements. She drafts and revises arbitration clauses and class action waivers in terms of service, including to mitigate mass arbitration risk.

Before joining the firm, Amy clerked for the Honorable Michelle T. Friedland of the United States Court of Appeals for the Ninth Circuit and the Honorable Lucy H. Koh, then of the United States District Court for the Northern District of California. Amy maintains an active pro bono practice that focuses on direct services for individual clients.

Before practicing law, Amy served as an intelligence analyst at CIA, where she was a regular contributor to the President’s Daily Brief.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.