Last week, the Eighth Circuit Court of Appeals rejected the district court’s approval of the class action settlement in the Target data breach litigation. See In re Target Corp. Customer Data Sec. Breach Litig., 2017 U.S. App. Lexis 1767 (8th Cir. Feb. 1 2017). The Eighth Circuit remanded and ordered the district court “to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied in this case” and reconsider its certification decision. Id. at 17-18. Among the issues for the district court to specifically consider on remand were potential intraclass conflicts between class members who were receiving payments from the settlement fund and class members who were not, and whether subclasses with separate representation were required if there was a fundamental conflict. Id. at 13. The Eighth Circuit expressed no opinion on the appropriateness of class certification but remanded so that the district court expressly considered these issues before recertifying the class. Id. at 13-14.
The Target settlement was one of the early and well documented settlements in data breach litigation. To the extent that other parties were modeling class action settlements with the Target agreement as the template, it is important to monitor the briefing and remand proceedings.
The Eighth Circuit’s decision also reinforces the need to carefully examine the breadth of the class definition, not just in cybersecurity litigation but in other class action litigation as well. Courts are increasingly focused and concerned with putative classes which include class members with different levels of recovery and alleged damages within the class, including potential class members who may not have current injuries or damages. Conceptually, the issue is whether the potential conflicts require certification of subclasses (or a more narrowly defined class in the first instance); but practically, subclasses can create significant difficulties with facilitating and finalizing settlements. Counsel also need to be wary of how this issue of potential intraclass conflicts is argued and addressed depending on whether a party is seeking to defeat and/or limit class certification or is advocating for a class action settlement.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2020 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Cyber Insurance
- California Consumer Privacy Act
- Privacy Laws
- General Data Protection Regulation
- Data Breach
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Data Security in the Remote-Work Environment – 10 Reminders Regarding Data Security and Cyber Attacks
- Stay Safe While “Zooming”
- Revisions to Proposed CCPA Regulations Released
- Happy New Year from the CCPA
- Can’t We All Get Along in the Cyber Sandbox?
- California's New Privacy Law is Coming - Are You Ready?
- Gearing up for National Cybersecurity Awareness Month: KMK Hosts Third Annual Cybersecurity & Privacy Seminar
- Ohio Data Protection Act - Safe Harbor for Businesses in Ohio
- Ohio’s Data Protection Act: What You Need to Know
- September 2018 Was a Busy Month for Data Privacy