CPW’s Kristin Bryan has been covering the Sonic data breach litigation and broader lessons the case carries for other data privacy class actions. A ruling from the Sixth Circuit this week is a powerful reminder of the district court’s discretion in ruling on issues pertaining to class certification—and barriers to challenging certification of a class. Read on to learn more.
Recall that in 2017 unidentified third parties accessed Sonic customers’ payment card data. The hackers purportedly obtained customer payment card information from more than three-hundred Sonic Drive-Ins. Litigation followed, which was consolidated into multidistrict litigation. In the consolidated complaint filed in the MDL, Sonic customers alleged that their personal information had been exposed to criminals and was at risk of future misuse. Additionally, claims were also filed against Sonic on behalf of various financial institutions.
Most recently, Sonic filed a petition with the Sixth Circuit for permission to appeal an order from the district court certifying a class under Fed. R. Civ. P. 23 to recover economic damages incurred by various financial institutions and credit unions arising from their reissuance of cards and reimbursement of accounts following the 2017 data event. Sonic argued that the class certified by the district court was, in fact, not ascertainable and that the district court abused its discretion in certifying a class because commonality, typicality, predominance, and superiority are lacking.
As litigators already know, the federal Courts of Appeals may, in their discretion, permit an appeal from an order granting certification of a class action. Fed. R. Civ. P. 23(f). As such, the Courts of Appeals “may consider any relevant factor [they] find persuasive” is exercising their discretionary authority. Assessing Sonic’s request, the Sixth Circuit noted that “Sonic does not dispute that the district court applied the correct legal framework” in considering the “four prerequisites in Federal Rule of Civil Procedure 23(a)—numerosity, commonality, typicality, and adequacy—as well as those under Rule 23(b)—that questions of law or fact common to the class members predominate over individualized issues, that a class action is the superior method for adjudicating the action, and that the membership of the class is ascertainable.”
As relevant for purposes of this litigation, however, it is also well-established in the Sixth Circuit that “a class definition must be sufficiently definite so that it is administratively feasible for the court to determine whether a particular individual is a member of the proposed class.” In this case, the district court certified a class with four criteria: (1) “[a]ll banks, credit unions, and financial institutions in the United States”; (2) that “received notice”; (3) that “took action to reissue credit or debit cards or reimbursed a compromised account”; and (4) that was involved “in the Sonic Data Breach.” While Sonic conceded that the first two criteria passed muster, it argued the third and fourth criteria “require[d] individualized assessment and self-identification by each plaintiff instead of reference to evidence within Sonic’s control or that of a third party.”
The Sixth Circuit found these arguments unpersuasive, noting that “we have never rejected self-identification as a means of determining membership when there are records verifying that determination.” (emphasis added). Additionally, the Sixth Circuit also held that Sonic’s contention that “the class is not ascertainable because the Financial Institutions cannot show that they took action as a direct result of this breach” was not appropriate for issues of class certification. This was because, the Court explained that criterion was “not part of the class definition” and more instead concerns merits-based issues such as causation.
The Sixth Circuit also distinguished the case law Sonic relied upon in arguing the class definition is overbroad because it encompassed financial institutions that were not injured and, thus, lack standing. This was because, according to the Court, the cases on which Sonic relies “all involve situations in which the class definition resulted in the inclusion of those not suffering injury in that definition.” (emphasis supplied). By contrast, in this case, the Court found that “[t]he definition here, however, limits class membership to those financial institutions who . . . had cards affected by the breach and acted in response to the breach by reissuing cards or reimbursing fraudulent charges”—which constitutes concrete injury for purposes of Article III.
For these reasons, and others, the Court denied Sonic’s petition for permission to appeal. Defendants in other data breach and data privacy class actions will want to take note of this ruling, as it suggests challenging a district court’s order of class certification may be more difficult in certain instances. And for more developments in this area of the law, stay tuned. CPW will be there to keep you in the loop.