18th Annual Workplace Class Action Report - 2022 Edition

572 Annual Workplace Class Action Litigation Report: 2022 Edition information involved included loyalty account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers. Id . Defendant also offered Plaintiffs one year of free enrollment in Experian’s IdentityWorks credit monitoring service. Id . at *4. Plaintiffs alleged that the data breach and their alleged damages were the result of Defendant’s failure to implement appropriate safeguards for its guests’ personal identifying information (“PII”). Plaintiffs contended that as a result of the data breach, they had spent time monitoring their accounts to ensure integrity of their PII. The Court noted that in order to establish standing, Plaintiffs must allege facts that plausibly inferred that the unauthorized access of Plaintiffs’ PII by an unspecified bad actor or actors using Defendant’s employee credentials was fairly traceable to Defendant’s conduct. Plaintiffs alleged that the data breach and their injuries were a result of "Marriott’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its guests’ PII." Id . at *7. The Court held that Plaintiffs failed to allege any facts describing Defendant’s cybersecurity or steps that it could have or should have taken to prevent the data breach. The Court reasoned that repetition of conclusory and non-specific allegations of Defendant’s alleged shortcomings did not overcome the need to plead sufficient facts relating to what it did or did not do that led to the injuries claimed by the Plaintiffs. Id . at *8. The Court determined that Plaintiffs failed to allege any facts about what measures Defendant did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what "standard and reasonably available steps" existed that Defendant did not take, how Defendant failed to detect the data breach, or why it did not provide timely and accurate notice of the breach. Id . at *8-9. Thus, the Court ruled that Plaintiffs failed to allege sufficient facts establishing that their alleged injuries were fairly traceable to Defendant’s conduct to prove they had standing to bring their claims. For these reasons, the Court granted Defendant’s motion to dismiss. Tsao, et al. v. Captiva MVP Restaurant Partners, LLC, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021). Plaintiff filed a class action against Defendant asserting various causes of action over a data breach, including: (i) breach of an implied contract to safeguard customers’ credit card data; (ii) failure to provide sufficient security for credit card data; (iii) negligent violations of Section 5 of the Fair Trade Commission Act; (iv) unjust enrichment; and (v) violations of the Florida Unfair and Deceptive Trade Practices Act. Id. at *5. Specifically, Defendant’s restaurant chain PDQ suffered a data breach wherein hackers gained access to customers’ credit and debit card information. Plaintiff made two food purchases at PDQ using two different credit cards, and once he learned of the data breach, Plaintiff cancelled both of the cards. Defendant filed a motion to dismiss on the basis that Plaintiff lacked Article III standing to bring the action, and the District Court granted the motion. On appeal, the Eleventh Circuit affirmed the District Court’s order. Plaintiff offered two primary theories under which he allegedly established standing, including: (i) that he could suffer future injury as a result of the data breach; and (ii) alternatively that he already had suffered concrete mitigation injuries in the form of lost time, lost credit card reward points, and lost access to accounts. Id. at *9. In addressing Plaintiff’s appeal, the Eleventh Circuit noted that a “Plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such harm.” Id. at *14. While the federal circuit are divided on Plaintiff’s argument regarding future harm, the Eleventh Circuit found that case law authorities conferring standing on a Plaintiff in this situation generally involved some claims of actual misuse or access to personal data. Here, the Eleventh Circuit found that Plaintiff offered “only vague, conclusory allegations that members of the class have suffered any actual misuse of their personal data.” Id. at *24-25. Since Plaintiff also immediately cancelled his credit cards after the breach – thereby eliminating the risk of future credit card fraud – the Eleventh Circuit rejected Plaintiff’s argument concerning the risk of future harm. With respect to Plaintiff’s alleged mitigation injuries, the Eleventh Circuit held that Plaintiff could not conjure up standing by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft. Accordingly, the Eleventh Circuit affirmed the District Court’s order granting Defendant’s motion to dismiss. (xxxii) Decertification Issues Under Rule 23 Nwauzor, et al. v. Geo Group, 2021 U.S. Dist. LEXIS 124295 (W.D. Wash. June 28, 2021). Plaintiffs in consolidated class actions alleged that Defendant failed to pay immigration detainee workers in its Voluntary Work Program the applicable minimum wage at its Northwest Detention Center, now renamed as the Northwest ICE Processing Center. Id . at *3. The Court previously had granted certification to a class defined as "[a]ll civil immigration detainees who participated in the Voluntary Work Program at the Northwest Detention Center at any time between September 26, 2014, and the date of final judgment in this matter." Id . Following discovery, Defendant filed a motion to decertify the class, which the Court denied. Plaintiffs Ugochuk Goodluck Nwauzor