Last week, the Eighth Circuit Court of Appeals rejected the district court’s approval of the class action settlement in the Target data breach litigation. See In re Target Corp. Customer Data Sec. Breach Litig., 2017 U.S. App. Lexis 1767 (8th Cir. Feb. 1 2017). The Eighth Circuit remanded and ordered the district court “to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied in this case” and reconsider its certification decision. Id. at 17-18. Among the issues for the district court to specifically consider on remand were potential intraclass conflicts between class members who were receiving payments from the settlement fund and class members who were not, and whether subclasses with separate representation were required if there was a fundamental conflict. Id. at 13. The Eighth Circuit expressed no opinion on the appropriateness of class certification but remanded so that the district court expressly considered these issues before recertifying the class. Id. at 13-14.
The Target settlement was one of the early and well documented settlements in data breach litigation. To the extent that other parties were modeling class action settlements with the Target agreement as the template, it is important to monitor the briefing and remand proceedings.
The Eighth Circuit’s decision also reinforces the need to carefully examine the breadth of the class definition, not just in cybersecurity litigation but in other class action litigation as well. Courts are increasingly focused and concerned with putative classes which include class members with different levels of recovery and alleged damages within the class, including potential class members who may not have current injuries or damages. Conceptually, the issue is whether the potential conflicts require certification of subclasses (or a more narrowly defined class in the first instance); but practically, subclasses can create significant difficulties with facilitating and finalizing settlements. Counsel also need to be wary of how this issue of potential intraclass conflicts is argued and addressed depending on whether a party is seeking to defeat and/or limit class certification or is advocating for a class action settlement.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2019 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Data Breach
- Class Action Litigation
- Privacy Laws
- General Data Protection Regulation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Cyber Insurance
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- SEC Issues Guidance on Cybersecurity Disclosures
- New D.C. Circuit Ruling Finds Substantial Risk of Harm Inherent to Data Breach
- Target Class Action Settlement Temporarily Upended
- Spokeo Continues to Divide the Lower Courts in Cybersecurity Litigation
- Cyber Breach Incident Notification Guidelines Ahead
- CyberSecurity News: Spokeo, Galaria and Braitberg
- Privacy Class Action Dismissed Under Spokeo