United States: E-Commerce Platform Data Breach Settlement Receives Final Court Approval

CPW previously covered the Drizly  data breach litigation.  In that case, this month a federal court in Massachusetts granted final approval to a class settlement in the absence of any objections.  Barr v. Drizly, 2021 U.S. Dist. LEXIS 217158 (D. Mass. Nov. 4, 2021).  Read on to learn more.

As a recap, Drizly operates an online e-commerce platform that facilitates the delivery of alcoholic beverages from local retailers.  The litigation, Barr v. Drizly, LLC, Case No. 1:20-cv-11492 (D. Mass.), concerned a data event which Plaintiffs alleged resulted in consumers' information, including at least email addresses, dates of birth, hashed passwords, delivery addresses, phone numbers, and IP addresses, to be improperly exposed to third parties on the dark web.  The data event was allegedly the result of a targeted attack that occurred around February 2020, but was not identified by Drizly until the end of July 2020.

Under the terms of the settlement approved by the Court, each eligible Class Member that files a timely and valid Proof of Claim and Release ("Claim Form") will receive an individual cash payment of $14.00, that may be adjusted upward if the total amount due to all Authorized Claimants does not exceed $1,050,000, and adjusted downward in the event that the aggregate cash payments to all Authorized Claimants exceeds $3,150,000.  Additionally, Class Members will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders from Drizly.  Finally, Drizly will also implement and maintain for a two-year period certain security measures.

In granting final approval, the Court found (solely for purposes of settlement), that the requirements of Federal Rule of Civil Procedure Rule 23(a) and (b)(3) were satisfied such that:

Additionally, the Court concluded that common issues of fact and law predominate over any questions affecting only individual members.  Moreover (also as required under Fed. R. Civ. P. 23(b)(3)) the Court determined that that a class action was superior to other available methods for fairly and efficiently adjudicating this controversy.

The payout to individual class members when viewed in isolation may strike some as low.  However, readers of CPW should bear in mind this is par for the course for most data breach cases.  In many instances, plaintiffs' attorneys will try to position themselves for a large payout, relying upon statutory causes of action that provide liquidated damages on a per violation basis to class members.  However, uncertainties in this area of the law—including in relation to questions of standing and causation—are still formidable challenges for Plaintiffs to overcome.  These issues in particular were previously cited in the Drizly litigation as driving settlement here.  See ECF 52-1 at 15 (citing In re Tyco Int'l, Ltd. Multidistrict Litig., 535 F. Supp. 2d 249, 260 (D.N.H. 2007) (noting that, because the case "involved a greater risk of non-recovery" due to "still-developing law," this factor weighed in favor of approval); see also In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md2807, 2019 WL 3773737, at *7 (N.D. Ohio Aug. 12, 2019) ("Data breach litigation is complex and risky.  This unsettled area of law often presents novel questions for courts.") (emphasis supplied).  This trend is expected to continue–particularly in light of the Supreme Court's ruling in TransUnion  earlier this year.

For more developments regarding data privacy and security litigations, stay tuned.  CPW will be there to keep you in the loop.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.