Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023). The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.
In March and April of 2018, hackers stole customer card data and personally identifiable information from Chili’s restaurant systems. Discovery indicated that different locations were targeted at different times. Hackers then posted the stolen information on an online marketplace for stolen payment data. Three plaintiffs moved to certify injunctive relief and damages classes, which the district court granted. The certified classes were defined in relevant part to include persons who had made credit or debit card purchases at affected Chili’s locations and “had their data accessed by cybercriminals.”
On appeal, the Eleventh Circuit held that two plaintiffs lacked Article III standing because their Chili’s visits fell outside the dates those locations were affected, which the court viewed as a “fatal causation issue.” The third plaintiff, however, visited a Chili’s location during the period that location was affected; the Eleventh Circuit held that her injuries were fairly traceable to the breach.
The Eleventh Circuit also held that the third plaintiff adequately alleged a concrete injury. In a prior case, it held that a data breach plaintiff can establish a concrete injury if, as a result of the breach, she experiences “misuse” of her data in some way. See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021). Here, the court held that an allegation that credit card information was exposed for sale on the dark web constituted “misuse,” giving rise to Article III standing.
Finally, the Eleventh Circuit remanded for the district court to reconsider its class certification ruling. The Eleventh Circuit reasoned that the phrase “had their data accessed by cybercriminals” was broader than the “misuse” required by its precedent, yet the district court’s analysis assumed the terms were synonymous. It thus instructed the district court either to limit the class definition to customers whose data was misused or to perform its predominance analysis again, taking the broader class definition into account.