Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023).  The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.

In March and April of 2018, hackers stole customer card data and personally identifiable information from Chili’s restaurant systems.  Discovery indicated that different locations were targeted at different times.  Hackers then posted the stolen information on an online marketplace for stolen payment data.  Three plaintiffs moved to certify injunctive relief and damages classes, which the district court granted.  The certified classes were defined in relevant part to include persons who had made credit or debit card purchases at affected Chili’s locations and “had their data accessed by cybercriminals.”

On appeal, the Eleventh Circuit held that two plaintiffs lacked Article III standing because their Chili’s visits fell outside the dates those locations were affected, which the court viewed as a “fatal causation issue.”  The third plaintiff, however, visited a Chili’s location during the period that location was affected; the Eleventh Circuit held that her injuries were fairly traceable to the breach.

The Eleventh Circuit also held that the third plaintiff adequately alleged a concrete injury.  In a prior case, it held that a data breach plaintiff can establish a concrete injury if, as a result of the breach, she experiences “misuse” of her data in some way.  See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021).  Here, the court held that an allegation that credit card information was exposed for sale on the dark web constituted “misuse,” giving rise to Article III standing.

Finally, the Eleventh Circuit remanded for the district court to reconsider its class certification ruling.  The Eleventh Circuit reasoned that the phrase “had their data accessed by cybercriminals” was broader than the “misuse” required by its precedent, yet the district court’s analysis assumed the terms were synonymous.  It thus instructed the district court to either limit the class definition to customers whose data was misused or to perform its predominance analysis again, taking the broader class definition into account.

Tags: Article III Standing, data breach, Data Privacy, Eleventh Circuit, privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Amy Heath Amy Heath

Amy Heath is a class action and commercial litigator who helps the world’s leading companies in the technology, consumer products, and other sectors navigate their most significant disputes. She has had exceptional success with early dispositive motions, distilling complex arguments to show why…

Amy Heath is a class action and commercial litigator who helps the world’s leading companies in the technology, consumer products, and other sectors navigate their most significant disputes. She has had exceptional success with early dispositive motions, distilling complex arguments to show why claims should not proceed. A former intelligence analyst, Amy brings the same sound strategic judgment, analytical rigor, attention to detail, efficiency, and commitment to client service to her practice of law.

Amy frequently litigates matters involving privacy, wiretap, contract, consumer protection, fraud, unfair competition, antitrust, and intellectual property claims. She has significant experience throughout the litigation lifecycle, including developing strategies to coordinate litigation across jurisdictions, including multidistrict litigation; briefing dismissal, class certification, and summary judgment motions; effectively navigating joint defense groups; and drafting and arguing appeals.

Amy also regularly counsels clients on the strategic considerations related to arbitration agreements. She drafts and revises arbitration clauses and class action waivers in terms of service, including to mitigate mass arbitration risk.

Before joining the firm, Amy clerked for the Honorable Michelle T. Friedland of the United States Court of Appeals for the Ninth Circuit and the Honorable Lucy H. Koh, then of the United States District Court for the Northern District of California. Amy maintains an active pro bono practice that focuses on direct services for individual clients.

Before practicing law, Amy served as an intelligence analyst at CIA, where she was a regular contributor to the President’s Daily Brief.

Read more about Amy HeathEmail
Show more Show less
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.

Read more about Kathryn CahoyEmail
Show more Show less