On June 27, 2025, the District Court for the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International, Inc., the parent company of the popular chain restaurant, Chili’s.
The recent class certification order followed a lengthy procedural history going all the way back to 2021, when the District Court issued an order granting the plaintiffs’ motion for class certification—a rarity in data breach litigation. The Court had previously certified a class of individuals (i) whose data was accessed by cybercriminals; and (ii) who “incurred reasonable expenses or time spent in mitigation of the consequences of the Data Breach.”
Brinker appealed. In 2023, the Eleventh Circuit vacated and remanded the District Court’s order. It vacated the lower court’s ruling with respect to standing, concluding that although all three plaintiffs satisfied the “actual misuse” standard required to establish a concrete injury in data breach cases in the Eleventh Circuit, only one of the three named plaintiffs had standing to sue because the other two plaintiffs’ injuries were not fairly traceable to the cyberattack. The Eleventh Circuit then expressed concerns about the existing class definition—and whether it would improperly include individuals without Article III standing. In light of these concerns, it remanded with instructions for the District Court to either (i) “refine the class definition[] to only include [individuals who experienced fraudulent charges or those whose data was posted on the dark web] and then conduct a more thorough predominance analysis”; or (ii) reassess its predominance finding given that the broader class definition “may include uninjured individuals . . . .”
The District Court chose to refine the class definition and perform a new predominance analysis. It found that, once the class definition was refined to only include individuals who experienced fraudulent charges or whose information was posted on the dark web, “individual questions abound[ed]”—including (1) the details of each putative class member’s transactions at Chili’s restaurants and (2) whether each member experienced fraudulent charges or had data posted on the dark web—such that Rule 23’s predominance requirement could not be satisfied. The District Court also found that individualized questions of damages predominated over common questions. The District Court reasoned that Rule 23 required it to consider whether individualized proof would be required to assess each class member’s mitigation efforts, and that evidence about the “expenses and time each class member spent in mitigation,” which would be required for each putative class member to demonstrate Article III standing to sue for damages, would be highly individualized.
In light of the class certification denial, the District Court has provided Plaintiff until July 25, 2025 to file a notice indicating whether she intends to pursue her claims individually. If she declines to do so, the case will be dismissed.
The District Court’s ruling is a significant victory for companies impacted by cyberattacks, as it highlights the substantial impediments to class certification that the highly individualized nature of plaintiffs’ claims in these cases creates. As data breach litigation continues to proliferate, the District Court’s decision will likely have wide-reaching implications regarding plaintiffs’ ability to recover on a classwide basis.