18th Annual Workplace Class Action Report - 2022 Edition

Annual Workplace Class Action Litigation Report: 2022 Edition 571 Perdue, et al. v. Hy-Vee, Inc., 2021 U.S. Dist. LEXIS 12691 (C.D. Ill. Jan. 25, 2021) . Plaintiffs, a group of consumers, brought a data-breach class action against Defendant after a cyber-attack in which hackers accessed Defendant’s computer systems that potentially resulted in unauthorized access to customer payment data, including card number, expiration date, internal verification code, and cardholder names. Plaintiffs alleged that Defendant’s lax security system resulted in millions of credit cards holder’s information being stolen at various fuel pumps, drive-thru coffee shops, and restaurants owned by Defendant over an eight -month period. The parties reached a settlement agreement and Plaintiffs brought an unopposed motion for preliminary approval of the class action settlement pursuant to Rule 23(e). The Court granted the motion for preliminary approval and conditionally certified a settlement class pursuant to Rules 23(a) and (b)(3). The settlement class consisted of all persons who used a payment card to make a purchase at an affected store during the security incident. The agreement did not provide for a settlement fund. Instead, it provided that class members could receive expense reimbursement of up to up to $225 for certain categories of out of pocket expenses such as unreimbursed bank fees, card reissuance fees, overdraft fees, and lost time spent dealing with replacement card issues or reversing fraudulent charges from the security incident. Additionally, the settlement agreement provided that class members could receive up to $5,000 for extraordinary expenses such as fraudulent charges made on credit or debit card accounts that were not reversed or repaid. The parties created a process for assessing and determining the validity and value of claims and a payment methodology to settlement class members who submitted a timely and valid claim form. As part of the settlement agreement, Defendant also committed to establish and maintain security enhancements that were estimated to cost more than $20 million. The agreement also provided that class counsel could seek an award for attorneys’ fees, costs, and expenses not to exceed $739,000. Class counsel also could request approval of an incentive award of $2,000 for each of the representative Plaintiffs. Further, the agreement provided attorneys’ fees, costs, and expenses and incentive awards were to paid separately by Defendant and would not reduce the amount of payments to class members who submitted valid claims. After considering these terms, the Court granted Plaintiffs’ motion for preliminary approval of a class action settlement. Rahman, et al. v. Marriott International, Inc., 2021 U.S. Dist. LEXIS 15155 (C.D. Cal. Jan. 12, 2021) . Plaintiff filed a class action alleging negligence, violation of the California Consumer Privacy Act, breach of contract, breach of implied contract, unjust enrichment, and violation of the California Unfair Competition Law in connection with a cybersecurity breach at Defendant when two employees accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization. Following an investigation into the unauthorized access, Defendant confirmed that while names, addresses, and other publicly available information was obtained in the breach, no sensitive information, such as social security numbers, credit card information, or passwords, was compromised. Id . at *2. Defendant filed a motion to dismiss for lack of Article III standing. Defendant argued that although Plaintiff may have suffered some degree of unauthorized access of personal information, the information obtained lacked the degree of sensitivity required by the Ninth Circuit to establish injury-in-fact sufficient to confer standing. Id . at *4. Plaintiff contended that data sensitivity was not required to prove standing. The Court disagreed with Plaintiff. It explained that the Ninth Circuit precedent was clear, which provided that both the sensitivity of the personal data and the fact that the information was stolen were prerequisites to finding that a Plaintiff "adequately alleged an injury-in-fact. Id . at *5. The Court ruled that Plaintiff failed to plausibly plead that any sensitive data was actually stolen in the data breach. Without a breach of this type of sensitive information, the Court held that Plaintiff failed to allege an injury-in-fact to meet the constitutional requirements of standing. Accordingly, the Court granted Defendant’s motion to dismiss. Springmeyer, et al. v. Marriott International, Inc., 2021 U.S. Dist. LEXIS 39891 (D. Md. March 3, 2021). Plaintiffs filed a class action alleging various common law and statutory causes of action in connection with a data breach affecting over five million of Defendant’s hotel guests. Defendant filed a motion to dismiss for lack of standing, which the Court granted. On March 31, 2020, Defendant announced a data breach, sent an email to affected guests, and posted an incident notification on its website. Defendant explained that it had identified that "an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property." Id . at *2-3. Following the data breach, Defendant disabled the login credentials, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Id . at *3. Defendant advised affected users that it had had no reason to believe that the