Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023).  The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.

In March and April of 2018, hackers stole customer card data and personally identifiable information from Chili’s restaurant systems.  Discovery indicated that different locations were targeted at different times.  Hackers then posted the stolen information on an online marketplace for stolen payment data.  Three plaintiffs moved to certify injunctive relief and damages classes, which the district court granted.  The certified classes were defined in relevant part to include persons who had made credit or debit card purchases at affected Chili’s locations and “had their data accessed by cybercriminals.”

On appeal, the Eleventh Circuit held that two plaintiffs lacked Article III standing because their Chili’s visits fell outside the dates those locations were affected, which the court viewed as a “fatal causation issue.”  The third plaintiff, however, visited a Chili’s location during the period that location was affected; the Eleventh Circuit held that her injuries were fairly traceable to the breach.

The Eleventh Circuit also held that the third plaintiff adequately alleged a concrete injury.  In a prior case, it held that a data breach plaintiff can establish a concrete injury if, as a result of the breach, she experiences “misuse” of her data in some way.  See Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021).  Here, the court held that an allegation that credit card information was exposed for sale on the dark web constituted “misuse,” giving rise to Article III standing.

Finally, the Eleventh Circuit remanded for the district court to reconsider its class certification ruling.  The Eleventh Circuit reasoned that the phrase “had their data accessed by cybercriminals” was broader than the “misuse” required by its precedent, yet the district court’s analysis assumed the terms were synonymous.  It thus instructed the district court to either limit the class definition to customers whose data was misused or to perform its predominance analysis again, taking the broader class definition into account.

Photo of Amy Heath Amy Heath

Amy Heath focuses on complex commercial litigation and class actions. She has handled matters involving contract, privacy, consumer protection, fraud, unfair competition, and intellectual property claims. She also has experience with internal investigations. Before practicing law, Amy served as an intelligence analyst.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.