
In re Sonic Corp. Customer Data Breach Litig.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF OHIO
Nov 2, 2020
MDL Case No. 1:17-md-02807-JSG (N.D. Ohio Nov. 2, 2020)

Opinion


IN RE: SONIC CORP. CUSTOMER DATA BREACH LITIGATION (Financial Institutions)


OPINION & ORDER
[Resolving Doc. Nos. 240, 258]:

American Airlines Federal Credit Union, Arkansas Federal Credit Union, and Redstone Federal Credit Union ("Plaintiffs") bring this class action claim against Sonic Corporation for alleged damages coming out of a 2017 payment card data breach by unidentified actors. The hackers targeted 762 Sonic Drive-Ins.

Sonic Corporation and its subsidiaries and affiliates Sonic Industries Services, Inc., Sonic Capital LLC, Sonic Franchising LLC, Sonic Industries LLC, and Sonic Restaurants, Inc. (collectively hereafter, "Sonic" or "Sonic Defendants").

Doc. 202 at 5.

Plaintiffs now seek to certify a class of: "All banks, credit unions, financial institutions, and other entities in the United States that received an alert of a potentially compromised account from any card brand in the Sonic Data Breach."

Doc. 258 at 1.

For the following reasons, the Court GRANTS Plaintiffs' motion to certify a class of Plaintiffs. The Court will, however, define the class differently than Plaintiffs' proposal. The Court certifies a class of: All banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account from any card brand involved with the Sonic Data Breach.

I. Background

A. The Data Breach

Between April 7, 2017, and October 28, 2017, hackers used malware installed on point-of-sale systems at 762 Sonic restaurants to steal sales transaction payment card data. Sonic required franchise restaurants to use only certain types of point-of-sale systems. In 2017, many Sonic restaurants used obsolete technology that was vulnerable to hacking.

Doc. 202 at 13.

Id. at 15-16.

The hackers targeted Sonic franchises that used a particular point-of-sale system and were able to obtain cardholder data. Plaintiffs claim the industry standard requires encryption of stored credit card data, but Sonic's franchisees used outdated technology—mandated by Sonic corporate policy—and did not encrypt the stolen card data.

Id. at 17, 20-21.

Id. 19-20; 31-32.

A subsequent investigation revealed that the stolen data had been sold online. The hackers were able to steal credit card data with impunity for more than six months because Sonic had set up security alerts using an invalid e-mail address. Five million payment cards' data were sold online.

Id. at 21-22.

Id. at 16.

Doc. 258 at 3.

Plaintiffs allege that "Visa and other card brands determined" that the compromised cards had all been used at Sonic restaurants.

Id.

B. The Proposed Class

Plaintiffs and the proposed class members operate as financial institutions that received alerts of payment cards exposed in the breach. According to Plaintiffs' expert, financial institutions are "obligated to respond in some manner" when they receive a card brand alert for "a number of reasons, including [because they are required to respond] by regulation and to protect their customers and their bottom line." Financial institutions facing a payment card data breach can react in a variety of ways. They can reissue compromised cards. They can refund fraudulent purchases. They can monitor potentially compromised cards.

Id. at 1.

Id. at 8-9.

Id. at 9.

Plaintiffs estimate that there are potentially thousands of potential class member financial institutions.

Id. at 2.

II. Legal Standard

Federal Rule of Civil Procedure 23 governs class certification and is more than "a mere pleading standard." Rather, the party seeking certification "must affirmatively demonstrate . . . compliance with the Rule," and the court must do a "rigorous analysis" to ensure that Rule 23's requirements are met.

Wal-Mart Stores Inc. v. Dukes, 564 U.S. 338, 350 (2011).

Id.

Rikos v. Procter & Gamble Co., 799 F.3d 497, 504 (6th Cir. 2015) (citing In re Whirlpool Corp. Front-Loading Washer Prods. Liab. Litig., 722 F.3d 838, 851 (6th Cir. 2013)).

Under Rule 23(a), Plaintiffs may sue as a class if they satisfy four prerequisites: 1) "the class is so numerous" that it is impracticable to join all potential members; 2) there are questions of law or fact common to the class; 3) the representative parties' claims or defenses "are typical" of the class; and 4) "the representative parties will fairly and adequately protect the interests of the class."

Further, Plaintiffs must also satisfy the Rule 23(b) requirements. Plaintiffs bring this case under Rule 23(b)(3), which requires that common questions of law or fact must "predominate over any questions affecting only individual members" of the class and that a class action must be "superior to other available methods for fairly and efficiently adjudicating the controversy."

Doc. 258 at 10.

III. Analysis

A. Rule 23(a) Certification

The Court evaluates each prerequisite to certification in turn.

1. Numerosity

To satisfy Rule 23(a), the proposed class must be large enough that it would be impracticable to join all potential class members. Plaintiffs assert that they meet the numerosity requirement because there are "thousands of financial institutions" that received alerts regarding the breach.

In turn, Defendants argue that Plaintiffs' definition is overbroad and unascertainable. Plaintiffs seek to certify a class of "financial institutions" that received "an alert" without defining these terms. Defendants respond that Plaintiffs' lists of financial institutions that received breach alerts may contain "payment cards that were only exposed without more (i.e. without attendant fraud, without attendant replacement by the banks, etc.)." To Defendants, those financial institutions were not injured and lack standing.

Doc. 293 at 5, 8.

Id.

Doc. 320 at 8 (emphasis in original).

Id. As discussed further below, Plaintiffs argue that receiving an alert and responding to it amount to a cognizable injury.

Still, Defendants do not specifically challenge the numerosity of the potential class.

There is no strict numerical test under Rule 23, but "substantial" numbers tend to satisfy the numerosity prerequisite. While the number of class members is not precisely known, Plaintiffs provide lists with thousands of financial institutions that received breach alerts. Defendants note that an alert that a card or cards may have been exposed does not mean that the cards were actually compromised, but the lists demonstrate that Plaintiffs meet the numerosity requirement.

In re Am. Med. Sys., 75 F.3d 1069, 1079-80 (6th Cir. 1996).

Docs. 258-AA, 258-BB, 258-CC.

Doc. 293 at 5-6.

2. Common Questions of Law or Fact

Rule 23(a) requires that the class members have common issues of law or fact that require adjudication. This means that "claims must depend upon a common contention . . . that [] is capable of a classwide resolution." Resolving the common contention "will resolve an issue that is central to the validity of each one of the claims in one stroke" and "drive resolution of the lawsuit."

Dukes, 564 U.S. at 350.

Id.

In re Whirlpool Corp., 722 F.3d 838, 852.

In this case, Plaintiffs claim that all potential class members shared a common injury due to the same set of circumstances—Sonic's actions leading to and after the data breach. Further, Plaintiffs put forward a variety of common questions for class members: "(1) whether Sonic owed card-issuing financial institutions a duty to act reasonably; (2) whether Sonic's actions breached its duty; (3) . . . whether Sonic's conduct caused FI Plaintiffs' and the Class's injuries." Plaintiffs point out that Oklahoma law controls each question, rather than multiple states' laws.

Doc. 258 at 11.

Id. Following this Court's order of July 1, 2020, only Plaintiffs' claim for negligence remains. The Court dismissed Plaintiffs' negligence per se claim, so questions pertaining to that claim are not included here. See Doc. 304.

Doc. 258 at 11.

Defendants counter that Plaintiffs and potential class members have not all suffered the "same injury," as required by Wal-Mart Stores Inc. v. Dukes, because not all potential class members have been injured. To Defendants, proof of "negligence . . . will vary from class member to class member because financial institutions do not follow a common set of procedures" in response to a breach alert.

Doc. 320 at 10.

Id.

But Plaintiffs contend that the common conditions that lead to the data breach are sufficient to show that Sonic breached its duty to all Plaintiffs and potential class members, causing injury. Plaintiffs maintain that they do not need to show identical injury at this stage. They are correct that for class certification they only need to show that they can prove that all class members suffered damage.

Doc. 323 at 1, 10 ("[T]hose varied responses only affect Class members' individual damages, not Sonic's liability to the Class.").

Doc. 323 at 3. See also Rikos, 799 F.3d at 505 ("The Supreme Court in Dukes did not hold that named class plaintiffs must prove at the class-certification stage that all or most class members were in fact injured to meet this requirement. Rather, the Court held that named plaintiffs must show that their claims depend upon a common contention that is of such a nature that it is capable of classwide resolution . . . .").

This is a different situation than in Dukes, where the Supreme Court held that Plaintiffs could not challenge "literally millions of [Defendant's] employment decisions at once." Here, while Plaintiffs' and potential class members' responses to the breach alerts varied, they all challenge the same set of Defendants' actions. Plaintiffs meet the commonality requirement.

Dukes, 564 U.S. at 352.

3. Typicality

The typicality prong of Rule 23(a) requires that the named plaintiff's claims are "typical" of the other class members' claims. There must be "a sufficient relationship . . . between the injury to the named plaintiff and the conduct affecting the class, so that the court may properly attribute a collective nature to the challenged conduct." Further, "a plaintiff's claim is typical if it arises from the same event or practice or course of conduct that gives rise to the claims of other class members, and if his or her claims are based on the same legal theory." The goal is that, in pursuing their own claims, "the named plaintiff will also advance the interests of the class members."

In re Am. Med. Sys., 75 F.3d at 1082.

Id.

Id.

Here, Plaintiffs' negligence claims all grow out of Sonic's alleged failure to secure its point-of-sale systems, an alleged failure that made the data breach possible. Further, Plaintiffs argue that they and the other potential class members all suffered injury because they had to respond to the security breach alert.

Doc. 258 at 12; Doc. 323 at 4.

Doc. 258 at 12.

Defendants respond that the named Plaintiffs' claims are not typical. Even though the class's negligence claims may all arise out of Sonic's conduct leading to one event, Defendants maintain that each class member will have to prove that they suffered some fraud, had to replace a card, or other injury. Defendants underscore this argument by noting that some of the cards exposed in the Sonic breach were exposed in other breaches that gave rise to 2017-2019 alerts, so damages could have resulted from other exposures.

Doc. 320 at 12-13 (citing Jones v. Allercare, 203 F.R.D. 290, 299 (N.D. Ohio 2001)).

Id. at 13.

Essentially, Plaintiffs argue that receiving an alert results from a common cause and creates a common class injury. Defendants argue that it does not. To Defendants, there will need to be "individualized inquiries to investigate how the thousands of class members responded to the breach." But how potential class members responded to the breach alert speaks more to damages than it does to Defendants' liability.

Doc. 323 at 1, 11-12.

Doc. 289 at 9.

Id.

Still, the Court will define the class more narrowly than Plaintiffs' proposal. The Court will only include those financial institutions that received notice and took action to reissue credit cards or reimbursed a compromised account. Like other courts in similar data breach cases, the Court is wary of defining a class solely by the receipt of a card brand alert or card exposure, without more evidence of injury or compromised accounts.

In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 490 (D. Minn. 2015); In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389, 392 (D. Mass. 2007).

Plaintiffs meet 23(a)(3)'s typicality requirement. The potential need to assess individual responses for damages purposes does not negate the fact that Plaintiffs' negligence claims grow out of the same conduct, and that Plaintiffs' negligence theories could apply to any potential class member.

See Doc. 323 at 11-12. See also In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. at 393 ("Although the size of the banks, the brand of credit or debit card they issue, or their response to the security breach may vary . . . in general, [typicality] may be satisfied even though varying fact patterns support the claims . . . of individual class members.") (internal citations omitted).

4. Adequate Representation

The final prong of 23(a) requires that the named plaintiffs fairly and adequately represent the interests of the entire class. The court must "analyze that requirement using a two-prong test: '1) [T]he representative must have common interests with unnamed members of the class, and 2) it must appear that the representatives will vigorously prosecute the interests of the class through qualified counsel.'" "The court reviews the adequacy of class representation to determine whether class counsel are qualified, experienced and generally able to conduct the litigation, and to consider whether the class members have interests that are not antagonistic to one another."

Pelzer v. Vassalle, 655 F. Appx. 352, 364 (6th Cir. 2016) (citing In re Am. Med. Sys., 75 F.3d at 1083).

Stout v. J.D. Byrider, 228 F.3d 709, 717 (6th Cir. 2000).

Plaintiffs offer that they will represent the interests of the class without conflict because "they seek to recover the same type of damages arising out of the same incident." Further, Plaintiffs contend that they have demonstrated their "commitment to vigorously prosecuting the interests of the class" through their active participation in the discovery process and court proceedings. Finally, Plaintiffs' counsel have experience litigating class actions on behalf of financial institutions in data breach situations.

Doc. 258 at 13.

Id.

Defendants respond that the named Plaintiffs' interests are at odds with the rest of the class because some Plaintiffs' cards incurred fraud or reissuance damages, while other cards were only exposed. But this recommends changing the class. It does not defeat typicality.

Doc. 320 at 16-17.

Defendants also argue that Plaintiffs' proposed model for calculating class-wide damages might overcompensate some plaintiffs and undercompensate others. Plaintiffs counter that the model is intended to provide aggregate damages that can be allotted on an individual basis.

Id. at 17. Defendants cite an inapplicable example from Stout. There, the court found that adequacy was not met because the named Plaintiffs had already obtained relief or proposed resolution from Defendants, suggesting that unnamed class members would lose the benefit of having their cases individually addressed. 228 F.3d at 717-18. That is not the case here. Defendants compare the facts in Stout to the fact that the named Plaintiffs in this litigation received reimbursements from Visa's Global Compromised Account Recovery program. The facts are not comparable.

Doc. 323 at 26.

The Court agrees that Plaintiffs meet this prong. All potential class members seek to recover damages due to the Sonic breach, and Plaintiffs and their counsel have actively and vigorously litigated their case so far. Further, limiting the class to financial institutions that received notice and took action to reissue credit cards or reimbursed a compromised account creates even more common claims among Plaintiffs and bolsters the adequacy of Plaintiffs' representation. Defendants' concerns about individual questions speak more to damages calculations. In the Sixth Circuit, the potential for individual damages considerations does not defeat class certification.

Id. at 27 (citing S. Indep. Bank v. Fred's, Inc., No. 2:15-CV-799-WKW, 2019 WL 1179396, at *12 (M.D. Ala. Mar. 13, 2019)).

Gawry v. Countrywide Home Loans, Inc., 640 F. Supp. 2d 942, 958 (N.D. Ohio 2009) (citing Beattie v. CenturyTel, Inc., 511 F.3d 554, 564 (6th Cir. 2007)).

B. Rule 23(b)(3)

Plaintiffs satisfy the prerequisites of Federal Rule of Civil Procedure 23(a). To certify their proposed class, however, they must also meet the standard set forth in Rule 23(b). In this instance, Plaintiffs seek to proceed under Rule 23(b)(3). The Court must find that "the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy."

Doc. 258 at 10.

Fed. R. Civ. Pro. 23(b)(3). The pertinent considerations for Rule 23(b)(3) include: "(A) the class members' interests in individually controlling the prosecution or defense of separate actions; (B) the extent and nature of any litigation concerning the controversy already begun by or against class members; (C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; and (D) the likely difficulties in managing a class action." Id.

The goal is to ensure that the proposed class is "sufficiently cohesive to warrant" representation as a class. Courts must carefully consider "the relation between common and individual questions in a case. An individual question is one where members of a proposed class will need to present evidence that varies from member to member, while a common question is one where the same evidence will suffice for each member to make a prima facie showing [or] the issue is susceptible to generalized, class-wide proof."

Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1045 (2016) (citing Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 623 (1997)).

Id. (citation omitted).

1. Predominance

The parties and the Court agree that Oklahoma law applies in this case to all potential class members' claims, so there will be common legal negligence standards. Beyond this, Plaintiffs argue that predominance is met because Sonic's liability can be determined "on a classwide basis" and "Plaintiffs outline a damages model capable of calculating classwide damages." Plaintiffs contend that generalizable proof across the class can show Sonic's negligence led to the damages.

Doc. 258 at 14.

Id.

Id. at 18 ("Sonic's liability in negligence depends on whether: 1) it owed a duty to act reasonably with respect to card-issuing financial institutions, 2) it breached that duty, and 3) its breach of its duty injured the plaintiffs.").

Defendants argue that individual evidence will be necessary to show injury—for example, to show whether each card at issue was compromised in the Sonic breach. Defendants also state that common questions do not predominate because Sonic's contributory negligence defense will require individual financial institutions to respond.

Doc. 320 at 20.

Id. at 23-24.

But these are questions of individualized damages. Plaintiffs argue that the claim that connects the class is that Defendants failed to meet their duty to prevent the cards' exposure, not fraud or compromise. More importantly, some financial institutions still needed to reissue the cards and reimburse fraudulent charges that resulted from the Sonic breach.

The Court agrees with Plaintiffs that these are issues of damages, not liability. Unlike in Fred's, a single state's law will be used to determine liability. Common issues of fact and law predominate here.

Doc. 323 at 7.

2. Superiority

Plaintiffs must also satisfy Rule 23(b)(3)'s requirement that "a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Plaintiffs assert that a single class action is "superior to the prospect of thousands of financial institutions litigating the same questions against the same defendants in dozens of courts across the nation." Defendants counter that the potential damages for each individual potential plaintiff are large enough to incentivize Plaintiffs to pursue their own suits. Further, Defendants argue that financial institutions are sophisticated actors capable of pursuing their own claims.

Doc. 258 at 2.

Doc. 320 at 33-35.

Id. at 35.

But here, where Sonic's liability is an issue "common to all class members" and where the data breach issues predominate, a class action makes sense. As in Target, "given the number of financial institutions involved and the similarity of all class members' claims, Plaintiffs have established that the class action device is the superior method for resolving this dispute."

Young v. Nationwide Mut. Ins. Co., 693 F.3d 532, 545 (6th Cir. 2012). See also Doc. 323 at 24 ("[T]he class action mechanism is superior because trying the core common issues one time is far more efficient than trying the same issue thousands of times in individual actions.").

In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. at 490.

3. Damages

The parties spend significant portions of their briefs debating the merits of Plaintiffs' expert's damages model. Defendants' concern is that the model requires too much individualized inquiry and not-yet-complete data collection from potential class members.

Doc. 258 at 19-20; Doc. 289 at 12-19; Doc. 293 at 24-33; Doc. 323 at 17-23.

Doc. 289 at 14 ("Plaintiffs' argument for classwide damages—and the foundation upon which their damages expert Mr. Ratner crafts his 'classwide' calculation—is predicated upon the false presumption that the appropriate relief is some single damages number that can later be allocated amongst the putative class members. But the damages sought here are actually out-of-pocket compensatory damages specific to individual CIFI putative class members (i.e., cost of replacing cards specific to the CIFI, cost of labor and investigation specific to the CIFI, etc.).").

Plaintiffs note that an approximated damages model is appropriate as long as it is reasonable. They propose a model that will calculate within a degree of statistical significance the cost of replacing compromised cards and reimbursing fraudulent charges.

Doc. 258 at 19 ("Plaintiffs' methodology for calculating classwide damages is sufficient 'if the evidence show[s] the extent of the damages as a matter of just and reasonable inference, although the result be only approximate.'") (citing In re Polyurethane Foam Antitr. Litig., No. 1:10-md-2196, 2014 WL 6461355, at *44 (N.D. Ohio Nov. 17, 2014)).

Id.

"Courts within the Sixth Circuit have held that if common issues predominate, class certification should not be denied simply because individual class members are entitled to differing damages." Plaintiffs "need not calculate a specific damage figure for each class member but rather must present a damages model that functions on a class-wide basis." But, "class certification is not warranted where the proposal to calculate individual damages is clearly inadequate or requires significant inquiry to determine necessary variables."

Id. (internal quotation marks omitted).

Id. (internal quotation marks omitted).

Plaintiffs' expert's proposed model and similar methods have been deemed reasonable in other cases, and the Court finds that it is reasonable here. Plaintiffs point out that "[t]he Supreme Court has sanctioned this type of representative evidence in class actions."

See Fred's, Inc., 2019 WL 1179396, at *8-9.

Doc. 323 at 19 (citing Tyson Foods, Inc., 136 S. Ct. at 1046) ("In many cases, a representative sample is the only practicable means to collect and present relevant data establishing a defendant's liability.").

Unlike in Fred's, Plaintiffs' expert's model of estimated damages will not "quickly become swamped by individualized questions." Although the damages inquiries for each Plaintiff may be complex because of the large class size, they are more akin to those in Target than in Fred's. In Fred's, the damages query was complicated by a prerequisite duty analysis across many states' laws. Here, negligence will be considered class-wide according to Oklahoma's law. "Because those key questions c[an] be decided on a class-wide basis, individualized damages questions d[o] not defeat predominance."

Fred's, Inc., 2019 WL 1179396, at *20.

Id. at 21.

C. Class Definition

Finally, the parties dispute the appropriate class definition. Plaintiffs propose a class defined as: "All banks, credit unions, financial institutions, and other entities in the United States that received an alert of a potentially compromised account from any card brand in the Sonic Data Breach." Defendants argue that it is overbroad and vague. The Court will amend Plaintiffs' proposed language and certify a class of: All banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account from any card brand in the Sonic Data Breach.

Doc. 258 at 1.

Doc. 293 at 4-9.

IV. Conclusion

For those reasons, the Court GRANTS Plaintiffs' motion for class certification. The Court APPOINTS Plaintiffs American Airlines Federal Credit Union, Arkansas Federal Credit Union, and Redstone Federal Credit Union as class representatives and APPOINTS the law firms of Zimmerman Reed LLP and Berman Fink Van Horn P.C. as class counsel.

The Court hereby certifies the following Rule 23(b)(3) class: All banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account involved in the Sonic Data Breach.

IT IS SO ORDERED. Dated: November 2, 2020

s/ James S. Gwin

JAMES S. GWIN

UNITED STATES DISTRICT JUDGE
