Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Court certifies two classes in restaurant chain data breach

Privacy/Cyber Risk & Data Security Courts Data Breach Consumer Finance State Issues

Privacy, Cyber Risk & Data Security

On April 15, the U.S. District Court for the Middle District of Florida certified a nationwide class and a California-only class of restaurant customers who claim the restaurant chain’s negligence led to a 2018 data breach that compromised their credit card information. The two classes of consumers include those who made credit or debit card purchases at affected restaurants in March and April 2018, when their data was accessed by cybercriminals, and who incurred reasonable expenses or time spent mitigating the consequences of the breach. The judge certified the classes only on the plaintiffs’ negligence and state Unfair Competition Law (California) claims, and deferred ruling on the class certification related to claims that the restaurants’ parent company breached an implied contract with customers by failing to have adequate cybersecurity protocols. Certifying that claim, the judge stated, could require applying 50 different state laws on the breach of implied contracts.