Last week, the Eighth Circuit Court of Appeals rejected the district court’s approval of the class action settlement in the Target data breach litigation. See In re Target Corp. Customer Data Sec. Breach Litig., 2017 U.S. App. Lexis 1767 (8th Cir. Feb. 1 2017). The Eighth Circuit remanded and ordered the district court “to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied in this case” and reconsider its certification decision. Id. at 17-18. Among the issues for the district court to specifically consider on remand were potential intraclass conflicts between class members who were receiving payments from the settlement fund and class members who were not, and whether subclasses with separate representation were required if there was a fundamental conflict. Id. at 13. The Eighth Circuit expressed no opinion on the appropriateness of class certification but remanded so that the district court expressly considered these issues before recertifying the class. Id. at 13-14.
The Target settlement was one of the early and well documented settlements in data breach litigation. To the extent that other parties were modeling class action settlements with the Target agreement as the template, it is important to monitor the briefing and remand proceedings.
The Eighth Circuit’s decision also reinforces the need to carefully examine the breadth of the class definition, not just in cybersecurity litigation but in other class action litigation as well. Courts are increasingly focused and concerned with putative classes which include class members with different levels of recovery and alleged damages within the class, including potential class members who may not have current injuries or damages. Conceptually, the issue is whether the potential conflicts require certification of subclasses (or a more narrowly defined class in the first instance); but practically, subclasses can create significant difficulties with facilitating and finalizing settlements. Counsel also need to be wary of how this issue of potential intraclass conflicts is argued and addressed depending on whether a party is seeking to defeat and/or limit class certification or is advocating for a class action settlement.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2022 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- GDPR Compliance: What is Privacy Shield 2.0?
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern