Gavin Reinke, Ashley Miller and Amanda Wellen of Alston & Bird write:
On June 27, 2025, the District Court for the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International, Inc., the parent company of the popular chain restaurant, Chili’s.
The recent class certification order followed a lengthy procedural history going all the way back to 2021, when the District Court issued an order granting the plaintiffs’ motion for class certification—a rarity in data breach litigation. The Court had previously certified a class of individuals (i) whose data was accessed by cybercriminals; and (ii) who “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.”
Brinker appealed. In 2023, the Eleventh Circuit vacated and remanded the District Court’s order. It vacated the lower court’s ruling with respect to standing, concluding that although all three plaintiffs satisfied the “actual misuse” standard required to establish a concrete injury in data breach cases in the Eleventh Circuit, only one of the three named plaintiffs had standing to sue because the other two plaintiffs’ injuries were not fairly traceable to the cyberattack.
Read more at Privacy, Cyber & Data Strategy Blog.
h/t, JDSupra