A recent Law 360 story by Joyce Hanson, “Up to $1.6M Deal Over Chipotle Data Breach Gets Judge’s OK,” reports that a Colorado federal judge approved a class action settlement that will result in a payout that could total up to $1.6 million over a 2017 Chipotle data breach that exposed customer names and payment card numbers to hackers, saying the terms are fair and reasonable. U.S. District Judge Christine M. Arguello said in her order granting the plaintiffs' unopposed motion for final approval that the settlement making class members eligible for out-of-pocket reimbursement of up to $250 is adequate and that the value of immediate recovery in the case outweighs "the mere possibility" of future relief after long and expensive litigation. As of Nov. 19, class members have timely submitted 6,429 claim forms, according to the plaintiffs.
"The parties judge the settlement to be fair and reasonable, and no class member has objected to the settlement," the judge wrote. "Class counsel are experienced class action litigators who are very knowledgeable about the claims, remedies and defenses at issue in this litigation." In addition, class members who suffered other "extraordinary" unreimbursed monetary losses because of compromised information can make a claim for reimbursement of up to $10,000, according to the order. The out-of-pocket reimbursement of up to $250 covers an automatic payment for each affected card, payment for customers' time spent dealing with fraud issues, and reimbursement for credit monitoring and identity theft insurance.
Judge Arguello also agreed to the customers' Nov. 1 unopposed motion for $1.2 million for their attorneys, comprised of $1,165,782 in fees and $34,000 in expenses, based on class counsel's 2,406 hours spent on investigation, prosecution and litigation settlement. The judge also approved an incentive award of $2,500 for each of six class representatives in the suit led by plaintiff Todd Gordon.
Chipotle revealed in April 2017 that it had detected a data security breach in its electronic processing and transmission of confidential customer and employee information. The burrito chain acknowledged at the time that it may be subject to lawsuits because of the breach that reportedly affected transactions from March 24 through April 18 of that year. Financial institutions that sued over the breach told the court in March that the parties had reached a confidential settlement agreement. On June 19, Judge Arguello granted the customers' June 13 unopposed motion for preliminary approval of the settlement, conditionally certifying the class.
The customers said the requested fee award is consistent with attorney fees approved in the court and in other data breach settlements. Class counsel's lodestar of $1.44 million through Oct. 31 represents a 0.83 negative multiplier, which "supports the reasonableness of the fee requested," the customers said