IN RE ONIX GROUP, LLC DATA BREACH LITIGATION

• Court: District Court, E.D. Pennsylvania
• Decided: June 14, 2024
• Docket: 2:23-cv-02288
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA

CIVIL ACTION

IN RE ONIX GROUP, LLC DATA BREACH LITIGATION NO. 23-2288-KSM

MEMORANDUM

Marston, J. June 14, 2024

This is a putative class action brought by Plaintiffs Eric Meyers, Donald Owens, Aida Albina Wimbush, Ashtyn Mark, Leah Simione, Melissa Lyston, and Angela Haynie (“Plaintiffs”). (See Doc. No. 18.) Plaintiffs allege that Defendant Onix Group, LLC (“Defendant”) failed to adequately safeguard sensitive personal information entrusted to it by its customers, despite the foreseeability of a data breach. (Doc. No. 29-1 at 8.) Presently before the Court is Plaintiffs’ Unopposed Motion for Preliminary Approval of the Class Action Settlement (the “Motion”) and revised Settlement Agreement, Notices, and Claim Form. (Doc. Nos. 29, 35, 37, 42, 43.1) For the reasons below, the Motion is granted, and the Court will schedule a final approval hearing. I. BACKGROUND

Beginning in June 2023, numerous class actions were filed in this Court on behalf of consumers whose information was stolen following a third party cyberattack against Defendant, a conglomerate operating in the hospitality, commercial real estate development, and healthcare industries. (See, e.g., Doc. No. 1, Owens v. Onix Group, LLC, Civil Action No. 2:23-cv-2301-

1 The operative Settlement Agreement is incorporated as Doc. No. 43, and the operative Claim Form, short-form notice, and long-form notice are incorporated as Doc. Nos. 43-2, 43-3, and 43-4 respectively. KSM; Doc. No. 1, Bernard v. Onix Group, LLC, Civil Action No. 5:23-cv-02556-KSM; Doc. No. 18 at ¶ 2.) On July 19, 2023, this Court consolidated these class actions under the new case name “In re Onix Group, LLC Data Breach Litigation.” (Doc. No. 14.) On September 15, 2023, Plaintiffs filed a consolidated complaint asserting claims for negligence, negligence per se,

breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of state consumer protection and privacy statutes. (Doc. No. 18.) Plaintiffs alleged that they entrusted Defendant with their sensitive personal information, such as name, address, social security number, medication information, health insurance information, and other clinical information, but that Defendant failed to implement adequate security practices to protect the information from cybercriminals. (Id. at ¶¶ 20–24.) Plaintiffs argued that a large depository of highly valuable health care information is a foreseeable target for cybercriminals, and that Defendant should have known that its repository of information for hundreds of thousands of patients posed a significant risk of being targeted for a data breach. (Id. at ¶ 223.) On December 1, 2023, following mediation with an experienced mediator, Bennett G. Picker, Esquire of Stradley

Ronon Stevens & Young LLP, the parties agreed to a settlement in principle, and on February 20, 2024, Plaintiffs filed an initial unopposed Motion for preliminary approval of the class action settlement. (Doc. No. 29; Doc. No. 29-1 at 9.) On May 15, 2024, the Court held a hearing on the Motion, and on May 21, 2024, at the Court’s direction, the parties filed a revised settlement agreement, short-form notice, long-form notice, and Claim Form. (Doc. Nos. 34, 35.) On May 31, 2024, at the Court’s further direction to provide additional clarity in the settlement notices and Claim Form, the parties filed second amended settlement documents.2 (Doc. No. 37.)

2 In addition, on June 13, 2024, at the Court’s direction to ensure that deadlines in the Settlement Agreement were more certain, the parties filed a second amended Settlement Agreement. (Doc. No. 42.) The parties refiled the Settlement Agreement on June 14, 2024 to correct a clerical error. (Doc. No. 43.) II. Preliminary Certification of the Class for Settlement Purposes

a. Legal Standard

The Court may certify class actions for the sole purpose of settlement. In re CertainTeed Corp. Roofing Shingle Prods. Liab. Litig., 269 F.R.D. 468, 476 (E.D. Pa. 2010) (citing In re GMC Pick-Up Truck Fuel Tank Prods. Liab. Litig., 55 F.3d 768, 786 (3d Cir. 1995)). In these situations, the court provisionally certifies the class, but reserves “[f]inal certification” until it “rules on whether the final settlement agreement is to be approved.” Id. When a court certifies a class for settlement, “it must first find that the class satisfies all the requirements of Rule 23,” and in particular Rule 23(a) and 23(b). In re Cmty. Bank of N. Va., 418 F.3d 277, 300 (3d Cir. 2005). Under Rule 23(a), a class action is allowable only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class. Fed. R. Civ. P. 23(a); see also Reyes v. Netdeposit, LLC, 802 F.3d 469, 482 (3d Cir. 2015) (“All potential classes must initially satisfy four prerequisites to be certified: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.”). Additionally, the class must be currently and readily ascertainable based on objective criteria. Marcus v. BMW of N. Am. LLC, 687 F.3d 583, 593 (3d Cir. 2012). If the Rule 23(a) and ascertainability conditions are met, then a case may proceed as a class action if one of the conditions of Rule 23(b) is also satisfied. Here, Plaintiff seeks certification for a class under Rule 23(b)(3), which requires that “the court find[] that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3); see also Reyes, 802 F.3d at 482 (explaining that plaintiff must demonstrate “predominance and superiority” for certification under Rule 23(b)(3)).

b. Analysis Plaintiff proposes a class of: All 308,942 natural persons whose Private Information was compromised in the Data Breach and who have not been confirmed to be deceased. Excluded from the Settlement Class are: (1) the Judges presiding over the Action and members of their immediate families and their staff; (2) Onix, its subsidiaries, parent companies, successors, predecessors, and any entity in which Onix or its parents, have a controlling interest, and its current or former officers and directors; (3) natural persons who properly execute and submit a Request for Exclusion prior to the expiration of the Opt-Out Period; and (4) the successors or assigns of any such excluded natural person.

(Doc. No. 29-1 at 10; Doc. No. 43-1 at ¶ 1.42.) This class is ascertainable and meets all six requirements of Rules 23(a) and 23(b). We will address each in turn. i. Ascertainability The plaintiff has the burden of showing, by a preponderance of the evidence, that “(1) the class is ‘defined with reference to objective criteria’; and (2) there is ‘a reliable and administratively feasible mechanism for determining whether putative class members fall within the class definition.’” Byrd v. Aaron’s Inc., 784 F.3d 154, 163 (3d Cir. 2015) (citing Carrera v. Bayer Corp., 727 F.3d 300, 306 (3d Cir. 2013)). The class here is clearly ascertainable because the parties were able to determine the exact number and identities of individuals whose data could have been compromised using Defendant’s records and were able to determine the number of confirmed deceased individuals using public records and related business services. (Doc. No. 29-1 at 10; Doc. No. 43-1 at ¶ 1.42; May 15, 2024 Hr’g Tr. at 18:9–19:10.) ii. Rule 23(a) Requirements Numerosity

While “[t]here is no magic number of class members needed for a suit to proceed as a class action,” the Third Circuit has held that “numerosity is generally satisfied if there are more than 40 class members.” In re Nat’l Football League Players Concussion Inj. Litig., 821 F.3d 410, 426 (3d Cir. 2016). Here, the proposed class is sufficiently numerous because it consists of over 308,000 people. (Doc. No. 29-1 at 24.) The Court is satisfied that this is enough people to render joinder impracticable. Fed. R. Civ. P. 23(a); see Corra v. ACTS Ret. Servs., Inc., No. 22- 2917, 2024 WL 22075, at *3 (E.D. Pa. Jan. 2, 2024) (holding that a proposed class of over 20,000 members “easily satisfies the numerosity requirement”). Commonality

As the Third Circuit has explained, “[a] putative class satisfies Rule 23(a)’s commonality requirement if the named plaintiffs share at least one question of fact or law with the grievances of the prospective class.” In re Nat’l Football League Players, 821 F.3d at 426–27 (quoting Rodriguez v. Nat’l City Bank, 726 F.3d 372, 382 (3d Cir. 2013)). It is “easy enough” to meet the requirement, provided all members of the class have claims that are capable of class-wide resolution. Id. Commonality is met in this case because “the proposed class members all suffered from the same data breach. There are common questions as to how the data breach occurred, whether [Defendant] had a duty to protect [consumers], and whether the [consumers] were harmed by the breach.” Fulton-Green v. Accolade, Inc., No. CV 18-274, 2019 WL 316722, at *3 (E.D. Pa. Jan. 24, 2019). Typicality

There is a “‘low threshold’ for typicality”; provided “the interests of the class and the class representative are aligned,” courts will find typicality even when class members’ claims are only legally similar, and not factually similar. In re Nat’l Football League Players, 821 F.3d at 427–28 (quoting Newton v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 259 F.3d 154, 182–83 (3d Cir. 2001)). The representative Plaintiffs’ claims here are “virtually identical” to those of the class because their claims “arise from the same conduct”—each Plaintiff’s claim “stems from [Defendant’s] security measures and whether they were adequate to protect” the Plaintiff’s sensitive data. In re Wawa, Inc. Data Sec. Litig., No. CV 19-6019, 2023 WL 6690705, at *4 (E.D. Pa. Oct. 12, 2023). Thus, the typicality requirement is met. Adequacy of Representation

Courts considering adequacy of representation examine both “the qualifications of class counsel and the class representatives.” In re Nat’l Football League Players, 821 F.3d at 428. First, when considering the adequacy of class representatives, courts seek “to root out conflicts of interest within the class” and to “uncover conflicts of interest between the named parties and the class they seek to represent.” Id. at 428, 430 (quoting Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 625 (1997)). “A class representative must represent a class capably and diligently,” but this is a low bar: “‘a minimal degree of knowledge’ about the litigation is adequate.” Id. at 430 (quoting New Directions Treatment Servs. v. City of Reading, 490 F.3d 293, 313 (3d Cir. 2007)). “[T]he linchpin of the adequacy requirement is the alignment of interests and incentives between the representative plaintiffs and the rest of the class.” In re Cmty. Bank of N. Va., 795 F.3d at 393 (quoting Dewey v. Volkswagen Aktiengesellschaft, 681 F.3d 170, 183 (3d Cir. 2012)). Here, this requirement is satisfied because the representative Plaintiffs have been actively participating in the litigation of this case by providing documents, answering their counsel’s questions, and reviewing the complaint and settlement terms. (Doc. No. 29-1 at 26.) The Court discerns no conflict of interest between the class representatives and other potential class members—their interests are aligned in attempting to prove the factual

averments in the complaint and establishing Defendant’s liability. (Id.) Second, with respect to class counsel, the important factors are whether the attorneys “(1) possessed adequate experience; (2) vigorously prosecuted the action; and (3) acted at arm’s length from the defendant.” In re GMC, 55 F.3d at 801. The Third Circuit has indicated that courts should consider the non-exhaustive list of factors in Rule 23(g) for appointing counsel in determining the adequacy of representation. See In re Nat’l Football League Players, 821 F.3d at 429. Those factors include counsel’s work in the instant class action, experience in handling class actions or other kinds of complex litigation, knowledge of the applicable laws, and resources available for representing the class. Fed. R. Civ. P. 23(g)(1)(A). The court also “may consider any other matter pertinent to counsel’s ability to fairly and adequately represent the

interests of the class.” Fed. R. Civ. P. 23(g)(1)(B). Here, the proposed class counsel—Benjamin F. Johns, Esquire, and Gary M. Klinger, Esquire—are qualified to “fairly and adequately represent the interests of the class.” Fed. R. Civ. P. 23(a)(4). Johns and Klinger were previously appointed by the Court as interim class counsel and have diligently pursued this matter even before their appointment, engaged in discovery exchanges, and negotiated a favorable settlement for the putative class. (Doc. No. 14; Doc. No. 29-1 at 9, 26, 30.) Plaintiffs’ counsel have substantial experience handling class litigation, including many actions arising from data breaches. (See Doc. No. 29-3.) Last, the parties worked with experienced mediator Bennett Picker, Esquire to facilitate arms’ length negotiations, which weighs in favor of finding adequacy. See Fulton-Green, 2019 WL 4677954, at *6 (collecting cases). Thus, the Court finds that the proposed class’s interests have been advanced by experienced, dedicated counsel, working at arms’ length from Defendant in accordance with Rule 23(a)(4). ***

In sum, the Court finds that the Rule 23(a) conditions for class certification are met. iii. Rule 23(b)(3) Requirements As discussed above, in addition to meeting the requirements of Rule 23(a), the putative class must also satisfy Rule 23(b)(3), which requires the Court find that “the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy.” Fed. R. Civ. P. 23(b)(3). Predominance Here, predominance is satisfied. The key issue under the predominance factor is “whether proposed classes are sufficiently cohesive to warrant adjudication by

representation.” Amchem, 521 U.S. at 623. The Third Circuit has counseled that courts should be “more inclined to find the predominance test met in the settlement context.” In re Nat’l Football League Players, 821 F.3d at 434 (quoting Sullivan v. DB Invs., Inc., 667 F.3d 273, 304 n.29 (3d Cir. 2011) (en banc)). In this data breach litigation, Defendant’s conduct is common to all class members, and all class members were harmed by that conduct. “The issues facing each class member are the same: demonstrating the degree of the [] data breach and proving [Defendant’s] culpability.” In re Wawa, 2023 WL 6690705, at *5; (Doc. No. 29-1 at 27.) Taken together, these common questions of law and fact predominate over individual factual questions, such as the specific degree of damages incurred. See Corra, 2024 WL 22075, at *5 (holding that common questions predominate in certifying the class even though “there may be slight differences among class members regarding degree of damages or the exact type of injury suffered”). Superiority

Lastly, the parties have demonstrated the class action mechanism is superior to other available methods for fairly and efficiently adjudicating the controversy. Fed. R. Civ. P. 23(b)(3). When evaluating this requirement, courts consider “the class members’ interests in individually controlling litigation, the extent and nature of any litigation, the desirability or undesirability of concentrating the litigation, and the likely difficulties in managing a class action.” In re Nat’l Football League Players, 821 F.3d at 435 (citing Rule 23(b)(3)(A)–(D)). Superiority can be satisfied where the settlement prevents “duplicative lawsuits and enables fast processing of a multitude of claims.” Id. (quoting In re Nat’l Football League Players’ Concussion Inj. Litig., 307 F.R.D. 351, 382 (E.D. Pa. 2015)); see also Sullivan, 667 F.3d at 312. Here, these factors weigh in favor of class litigation. With over 308,000 potential class

members and considering the “cost and complexity of the litigation,” many potential plaintiffs would likely “have small claims that would be impractical to litigate on an individual basis.” Corra, 2024 WL 22075, at *5; In re Wawa, 2023 WL 6690705, at *5; (Doc. No. 29-1 at 10.) Moreover, “where, as here, the Court is confronted with a request for settlement-only class certification, [the Court] need not inquire whether the case, if tried, would present intractable management problems, see Fed. R. Civ. P. 23(b)(3)(D), for the proposal is that there be no trial.” Corra, 2024 WL 22075, at *5 (quoting Amchem, 521 U.S. at 620) (cleaned up). Accordingly, superiority is met in this case. *** For these reasons, we find that the requirements of Rules 23(a) and 23(b)(3) are satisfied, and the Court provisionally certifies the class. c. Appointment of Class Representative Appointment of class representatives is governed by Rule 23(a) of the Federal Rules of

Civil Procedure, which requires that their claims be “typical of the claims . . . of the class” and that they “will fairly and adequately protect the interests of the class.” For the reasons previously discussed in Part II.b.ii, those requirements are met here, and the Court will appoint Eric Meyers, Donald Owens, Aida Albina Wimbush, Ashtyn Mark, Leah Simione, Melissa Lyston, and Angela Haynie as representatives of the settlement class. d. Appointment of Class Counsel Rule 23(g) of the Federal Rules of Civil Procedure provides the standard for the appointment of class counsel. Class counsel are responsible not just for representing the interests of the class representative, but for “fairly and adequately represent[ing] the interests of the class.” Fed. R. Civ. P. 23(g)(4). As discussed above in Part II.b.ii, Rule 23(g) provides a non-

exclusive list of factors courts should consider when appointing class counsel. For the reasons previously discussed, the Court finds that Benjamin F. Johns, Esquire, and Gary M. Klinger, Esquire have the ability and resources to “fairly and adequately represent the interests of the class.” Accordingly, they will be appointed as class counsel. III. Preliminary Approval of the Settlement Agreement The parties also ask the Court to preliminarily approve their settlement agreement which was negotiated at arm’s length with the assistance of mediator Bennett G. Picker, Esquire, of Stradley Ronon Stevens & Young LLP. (See generally Doc. No. 29; Doc. No. 29-1 at 7.) a. Settlement Agreement3 As noted above, the proposed settlement class consists of: All 308,942 natural persons whose Private Information was compromised in the Data Breach and who have not been confirmed to be deceased. Excluded from the Settlement Class are: (1) the Judges presiding over the Action and members of their immediate families and their staff; (2) Onix, its subsidiaries, parent companies, successors, predecessors, and any entity in which Onix or its parents, have a controlling interest, and its current or former officers and directors; (3) natural persons who properly execute and submit a Request for Exclusion prior to the expiration of the Opt-Out Period; and (4) the successors or assigns of any such excluded natural person.

(Doc. No. 29-1 at 10; Doc. No. 43-1 at ¶ 1.42.) The settlement requires Defendant to create a $1,250,000 non-reversionary settlement fund which will be used to pay for administrative expenses, taxes, any service award,4 and any fee award and costs.5 (Doc. No. 43-1 at ¶ 3.8.) The amount left over in the settlement fund after these expenses (the “Net Settlement Fund”) will be used to pay for approved claims submitted by class members. (Id.) Class members may file a claim for one of the following benefits from the settlement fund: (1) class members may claim 12 months of credit monitoring and insurance services, which includes at minimum three credit bureau monitoring services and $1 million in identity theft insurance (“Option 1”); (2) class members may submit a “Documented Loss Payment”

3 Unless otherwise noted, terms such as “Claim Form” have the meanings ascribed in the parties’ Class Action Settlement Agreement. (See Doc. No. 43-1.)

4 Plaintiffs suggest a service award of up to $1,000 for each representative Plaintiff, for which they will separately petition the Court for approval. (Doc. No. 29-1 at 15; Doc. No. 43-1 at ¶ 8.1.) The settlement is not conditioned on the Court’s award of any service payments. (Doc. No. 43-1 at ¶ 8.3.)

5 Plaintiffs intend to separately file a motion for an award of attorneys’ fees for up to 33.3% of the settlement fund ($416,666.66) and for reasonable costs. (Doc. No. 29-1 at 15.) The settlement is not conditioned on the Court’s award of any attorney’s fees or costs. (Doc. No. 43-1 at ¶ 9.3.) claim seeking up to $5,000 per person for the reimbursement of losses supported by reasonable documentation which were more likely than not the result of the data breach at issue (“Option 2”); or (3) class members may submit a claim for a pro rata cash payment without any supporting documentation (“Option 3”).6 (Id. ¶ 3.3.) All class members who opt for Option 3, pro rata cash

payment, will receive an equal amount, which is calculated by subtracting from the Net Settlement Fund the costs associated with the first two settlement benefit options, and then dividing the net amount evenly by the total number of claims submitted.7 (Id. ¶ 3.8.) In addition to the foregoing benefits, Defendant also agrees to “adopt, continue, and/or implement certain data security and privacy improvements designed to protect against similar data security incident in the future.” (Id. ¶ 2.1.) Defendant has agreed to confirm compliance with these measures to class counsel at their request on an ongoing basis for at least two years. (Id.) To serve as the Settlement Administrator, the parties used a competitive bidding process to select the Angeion Group, a nationally recognized claims administrator that has handled

dozens of similar data breach settlements. (Doc. No. 29-1 at 12.) Following this Court’s preliminary approval of the class settlement, the Settlement Administrator will administer the

6 The initial settlement agreement filed listed “Documented Loss Payment” as Option 1, and credit monitoring services as Option 2. (Doc. No. 29-2 at ¶ 3.3(a), (b).) Because awards for credit monitoring services will be paid out prior to awards for documented loss payments (Doc. No. 43-1 at ¶ 3.8), the Court requested that the listed order of settlement payment options be reversed (May 15, 2024 Hr’g Tr. at 14:10–14), and the parties implemented this change in their amended settlement agreement (see Doc. No. 43-1 at ¶ 3.3). The parties also revised the proposed Claim Form, short-form and long-form notice accordingly. (See Doc. Nos. 43-2, 43-3, 43-4.)

7 To the extent any amount remains in the Net Settlement Fund more than 120 days after the distribution of all settlement payments, a subsequent settlement payment will be evenly made to all class members who opted for Option 3 and who deposited the initial payment they received. (Doc. No. 43-1 at ¶ 3.10.) If the remaining amount left in the settlement fund is not economically distributable—i.e., the amount of payment for each person is less than $3.00—the parties intend to petition the Court at a later date for permission to distribute the remaining funds to a cy pres approved non-profit recipient. (Id.) settlement agreement’s notice plan, which calls for direct-mail of short-form notices to the class,8 establishing a dedicated settlement website,9 and creating a toll-free help line to assist class members with obtaining settlement information. (Doc. No. 43-1 at ¶¶ 6.3, 6.7.) The plan to send direct-mail notices to the class is consistent with the manner the class members were

initially notified of the data breach. (Doc. No. 29-1 at 12.) The revised short-form notice to be mailed to the class describes the nature of the dispute and settlement benefits; clearly explains how class members can submit a claim for a settlement payment; explains how class members can exclude themselves from or object to the settlement; describes the proposed attorney’s fees; and informs class members of the time and location of the final fairness hearing. (Doc. No. 43- 3.) The revised long-form notice, to be posted to the settlement website, includes additional information such as more detailed descriptions of class members’ legal rights and settlement benefits, descriptions of how settlement benefits will be paid, and information regarding who is included in the settlement.10 (See Doc. No. 43-4; Doc. No. 43-1 at ¶ 6.7.) If the settlement is approved, class members will have 90 days after the notice is issued to complete and submit a claim indicating which of the settlement benefit option they prefer.11

8 The Settlement Administrator will run the class member list through the National Change of Address Registry to ensure that notice reaches a percentage of the class consistent with due process. (Doc. No. 29- 1 at 12; Doc. No. 29-4 at 8.)

9 The website will inform class members of the terms of the settlement agreement, their rights, and relevant dates and deadlines, and will provide access to important documents, such as the long-form notice, the Claim Form, the Court’s preliminary approval order, the settlement agreement, the operative complaint, and the motion for a fee award. (Doc. No. 43-1 at ¶ 6.7.)

10 If the claims rate is less than 3% of the settlement class 45 days prior to the deadline to submit claims, class counsel has sole discretion to decide whether to direct the Settlement Administrator to send a Reminder Notice to the class. (Doc. No. 43-1 at ¶ 6.4.) The Settlement Administrator will also send a reminder notice to all class members who have not filed a claim as of ten days before the deadline. (Id.)

11 As explained in the second-amended settlement notices, class members can file for a claim by submitting a Claim Form on the Settlement Website, or by downloading, printing, and completing a Claim Form and mailing it to the Settlement Administrator. (See, e.g., Doc. No. 43-4 at 6.) Additionally, (Doc. No. 43-1 at ¶ 3.5.) The Settlement Administrator is responsible for reviewing the form to determine if they are complete and valid.12 (Id. ¶ 3.6.) Alternatively, class members have 60 days to object to the settlement or to opt out from the settlement. (Id. ¶¶ 6.8, 6.9.) If this settlement is approved, class members who do not exclude themselves from the

settlement will be bound by a release that is tailored to cover the claims that were asserted or that could have been asserted by the class related to this data breach incident. (Doc. No. 29-1 at 10.) Specifically, the release is limited to: all Released Claims, including Unknown Claims, against each of the Released Parties, and agree to refrain from instituting, directing or maintaining any lawsuit, contested matter, adversary proceeding, or miscellaneous proceeding against each of the Released Parties that relates to the Data Incident or otherwise arises out of the same facts and circumstances set forth in the operative Class Action Complaint in this Action. This Settlement releases claims against only the Released Parties. This Settlement does not release, and it is not the intention of the Parties to this Settlement to release, any claims against any third party. Nor does this Release apply to any Class Member who timely excludes himself or herself from the Settlement, or to any Class Member (or the estate of any Class Member) who is deceased.

(Doc. No. 43-1 at ¶ 4.1.) “Released Claims,” in turn, is defined as:

any claim, liability, right, demand, suit, obligation, damage, including consequential damage, loss or cost, punitive damage, attorneys’ fees, costs, and expenses, action or cause of action, of every kind or description—whether known or Unknown (as the term “Unknown Claims” is defined herein), suspected or unsuspected, asserted or unasserted, liquidated or unliquidated, legal, statutory, or equitable—that was or could have been asserted on behalf of the Settlement Class in the Action related to or arising from the Data Incident, regardless of whether the claims or causes of action are

if the class member opts for a pro rata cash payment, they may submit the tear-off form which was attached to the short-form notice sent by direct mail. (See id.)

12 If the Settlement Administrator determines that a claim is incomplete or defective, the claimant is provided 30 days to cure the defect. (Doc. No. 43-1 at ¶ 3.6.) Also, if a class member’s claim for a documented loss—under the first settlement benefit option—is rejected, the claim will be instead considered as a claim for a cash fund payment. (Id. ¶ 3.3(a).) based on federal, state, or local law, statute, ordinance, regulation, contract, common law, or any other source, and regardless of whether they are foreseen or unforeseen, suspected or unsuspected, or fixed or contingent, arising out of, or related or connected in any way with the claims or causes of action of every kind and description that were brought, alleged, argued, raised or asserted in any pleading or court filing in the Action.

(Id. ¶ 1.36.)

b. Fair, Reasonable and Adequate Settlement

Preliminary approval of a proposed class-action settlement is left to the discretion of the trial court and is based on an examination of whether the proposed settlement is “likely” to be approved under Rule 23(e)(2). Fed. R. Civ. P. 23(e)(1)(B)(i); see In re Prudential Ins. Co. Am. Sales Prac. Litig. Agent Actions, 148 F.3d 283, 299 (3d Cir. 1998); see also In re Traffic Exec. Ass’n-E. R.R.s, 627 F.2d 631, 634 (2d Cir. 1980) (“[Preliminary approval] is at most a determination that there is what might be termed ‘probable cause’ to submit the proposal to class members and hold a full-scale hearing as to its fairness.”). To approve a class action settlement, a settlement must be “fair, reasonable, and adequate.” Fed. R. Civ. P. 23(e)(2). The settlement is entitled to “an initial presumption of fairness” if “the court finds that: (1) the negotiations occurred at arm’s length; (2) there was sufficient discovery; (3) the proponents of the settlement are experienced in similar litigation; and (4) only a small fraction of the class objected.” In re GMC, 55 F.3d at 785. However, where, as here, the parties seek settlement approval and final class certification simultaneously, the Court must examine the fairness of the settlement “even more scrupulous[ly] than usual.” In re Warfarin Sodium Antitrust Litig., 391 F.3d 516, 534 (3d Cir. 2004). Here, after review of the Motion, the revised proposed Settlement Agreement, the revised Claim Form and the revised short- and long-form notices, we are satisfied that the proposed settlement meets the criteria for preliminary approval. The Settlement Agreement is entitled to an initial presumption of fairness because: (1) the parties negotiated the settlement at arms’ length with the assistance of mediator Bennett Picker, Esquire (Doc. No. 29-1 at 18), (2) prior to reaching settlement, experienced class counsel thoroughly investigated the class members’

claims and conducted lengthy interviews of Plaintiffs and other class members, and reviewed all documents produced by Defendants regarding the security breach (id. at 19), and (3) class counsel, as described above, have significant experience in similar litigation (see supra Section II.b.ii). Because a class has not yet been certified, the fourth factor—the fraction of class members objecting to the settlement—cannot be evaluated at this point. Thus, on balance, the GMC factors weigh in favor of preliminary approval such that an initial presumption of fairness attaches. Although the Settlement is entitled to an initial presumption of fairness, we must consider the following factors set forth by the Third Circuit in Girsh v. Jepson to confirm that the settlement is fair, reasonable, and adequate:

(1) the complexity, expense and likely duration of the litigation; (2) the reaction of the class to the settlement; (3) stage of the proceedings and the amount of discovery completed; (4) risks of establishing liability; (5) risk of establishing damages; (6) risk of maintaining the class action through the trial; (7) ability of the defendants to withstand a greater judgment; (8) the range of reasonableness of the settlement fund in light of the best possible recovery; and (9) the range of reasonableness of the settlement fund to a possible recovery in light of all the attendant risks of litigation.

521 F.3d 153, 157 (3d Cir. 1975) (quoting City of Detroit v. Grinnell Corp., 495 F.2d 448, 463 (2d Cir. 1974)) (cleaned up). The first factor—complexity, expense, and likely duration of the litigation—is easily met because this “is a complex class action lawsuit regarding damages from a data breach, an area of law that has not yet been fully developed.” In re Wawa, 2023 WL 6690705, at *7. And, if the litigation were to continue, Plaintiffs and the settlement class would face many challenges and expenses associated with class action litigation, including obtaining class certification, briefing motions for summary judgment, obtaining and defending expert opinions, and maintaining class

certification through trial. Id.; (Doc. No. 29-1 at 20.) Thus, the first Girsh factor weighs in favor of approving the proposed settlement agreement. The second factor—the reaction of the class to the settlement—is neutral because the class has not yet received notice of the settlement. The third factor—stage of the proceedings and the amount of discovery completed— considers whether “counsel had an adequate appreciation of the merits of the case before negotiating.” In re Warfarin Sodium Antitrust Litig., 391 F.3d at 537. Here, Plaintiffs’ counsel conducted lengthy interviews of Plaintiffs and other class members, reviewed Plaintiffs’ documentation and all documents produced by Defendant related to the data breach, analyzed applicable state laws regarding breaches of consumer information, exchanged informal discovery

with Defendant prior to mediation, and exchanged detailed mediation statements. (Doc. No. 29- 1 at 19.) Thus, although we are “somewhat early in the litigation process,” the Court finds that counsel “have adequately developed their case and engaged in a significant degree of case development.” In re Wawa, 2023 WL 6690705, at *8 (holding that the third Girsh factor weighed in favor of approving settlement where case was “somewhat early in the litigation process,” because although the parties conducted only limited discovery, they exerted significant effort in the settlement negotiations). The third factor thus weighs in favor of approving the settlement. The fourth and fifth factors—risks of establishing liability and damages—also counsel in favor of approving the settlement. Plaintiffs’ counsel demonstrated that there is a risk of establishing liability, and in turn, damages, because this case involves a number of open questions, including whether Defendant owed a duty to the class to safeguard sensitive information, whether Defendant breached that duty, whether the compromised information was

ever actually viewed by bad actors, whether Defendant violated state consumer protection laws, whether Defendant’s conduct was the proximate cause of the breach, and the extent to which the class is entitled to recovery. (Doc. No. 29-1 at 27; May 15, 2024 Hr’g Tr. at 4:14–17, 20:9– 21:18.) Additionally, Plaintiffs’ counsel explains that Defendant provided information prior to mediation suggesting that a substantial portion of the settlement class was deceased and argued that many of those class members would not have standing to bring claims in litigation. (Doc. No. 29-1 at 19.) Thus, the Court finds that the fourth and fifth Girsh factors weigh in favor of approving the settlement. The sixth Girsh factor—the likelihood of maintaining class certification if the action were to proceed to trial—weighs in favor of approval because there “will always be a ‘risk’ or

possibility of decertification.” In re Prudential, 148 F.3d at 321. The seventh Girsh factor—the likelihood of Defendant to withstand a greater settlement—is “most clearly relevant where a settlement in a given case is less than would ordinarily be awarded but the defendant’s financial circumstances do not permit a greater settlement.” In re Nat’l Football League Players, 307 F.R.D. at 394 (quoting Reibstein v. Rite Aid Corp., 761 F. Supp. 2d 241, 254 (E.D. Pa. 2011)). “However, when there is no ‘reason to believe that [d]efendants face any financial instability[,] . . . this factor is largely irrelevant.’” Id. There is no reason to believe Defendant here is financially unstable, and whether it could withstand a larger judgment weighs neither in favor of nor against approving the Settlement. Finally, the eighth and ninth factors—the range of reasonableness of the settlement fund in light of the best possible recovery and in light of all the attendant risks of litigation—ask the Court to consider “whether the settlement represents a good value for a weak case or a poor value for a strong case.” In re Warfarin Sodium Antitrust Litig., 391 F.3d at 538. Here, the

settlement is reasonable in light of the best possible recovery and attendant risks of litigation. As discussed above, Plaintiffs face a significant risk in this case because they must prove not only that Defendant owed a duty to Plaintiffs to safeguard their information, but also that their conduct was the proximate cause of that breach. Considering that “class certification is rare in data breach cases” and that Plaintiffs would face tremendous challenges in maintaining class certification and overcoming the summary judgment hurdle, this settlement for $1.25 million, in addition to injunctive relief in the form of improving and maintaining adequate safeguards for private information for at least two years, is reasonable. Corra, 2024 WL 22075, at *9 (noting that the $350,000 settlement for a data breach class action case was reasonable particularly where “there is such a high probability that proceeding to trial would yield nothing for the more

than 20,000 people whose personal information was potentially accessed through this breach”); Barletti v. Connexin Software, Inc., Case No. 2:22-cv-04676-JDW, 2024 WL 1096531, at *7 (E.D. Pa. Mar. 13, 2024) (holding that a $4 million class action settlement was reasonable in a data breach case of about 3 million consumers’ personal data “given the risks that the Class Reps faced in securing and collecting on a larger judgment, or any judgment at all”). Given the undeniable risks with continuing the litigation, discussed supra, the final two factors both weigh in favor of approval.

* * * For these reasons, the Court finds that on balance, the Girsh factors weigh in favor of approval of the settlement agreement. In addition to consideration of the GMC and Girsh factors, the Third Circuit has advised that “when appropriate,” “it may be helpful to expand the Girsh factors” to include non-

exclusive factors, such as “the maturity of the underlying substantive issues,” “the existence and probable outcome of claims by other classes and subclasses,” “the comparison between the results achieved by the settlement for individual class or subclass members and the results achieved – or likely to be achieved – for other claimants,” “whether class or subclass members are accorded the right to opt out of the settlement,” “whether any provision for attorneys’ fees are reasonable,” and “whether the procedure for processing individual claims under the settlement is fair and reasonable.” In re Pet Food Prods. Liab. Litig., 629 F.3d 333, 350 (3d Cir. 2010) (quoting In re Prudential, 148 F.3d at 323). Here, these factors also weigh in favor of approving the settlement. In particular, although the Court reserves determination on the question for the final approval hearing, the

provision for proposed attorney’s fees of no more than 33.3% of the settlement appears reasonable. (Doc. No. 29-1 at 21.) “Courts in the Third Circuit have identified contingent fee requests of this magnitude as squarely within the range of awards found to be reasonable.” Barletti, 2024 WL 1096531, at *6 (citations and quotation omitted). Also, as discussed, class members are accorded the right to opt out of the settlement (Doc. No. 43-1 at ¶ 6.8), and the procedure for processing individual claims under the settlement is fair and reasonable because the settlement provides for notice to the class member if their Claim Form is deficient and affords a 30-day period to cure any such defect (id. ¶¶ 3.3, 3.6). And any claims for Documented Losses which are rejected as invalid by the Settlement Administrator will instead be considered as a claim for a pro rata cash payment. (Id. ¶ 3.3(a).)

* * * Thus, the Settlement Agreement is fair, reasonable, and adequate, and does not otherwise reveal any deficiencies. It is entitled to a presumption of fairness, and that presumption is supported by the Girsh factors, seven of which weigh in favor of approval and two of which are neutral.13 c. Notice

The Court is also satisfied that the form and content of the revised notice to the settlement class is adequate. “The notice to the proposed class must be the ‘best notice that is practicable under the circumstances, including individual notice to all members who can be identified through reasonable effort.’” Katz, v. DNC Servs. Corp., No. 16-5800, 2023 U.S. Dist. LEXIS 65901, at *7 (E.D. Pa. Apr. 14, 2023) (citing Fed. R. Civ. P. 23(c)(2)(B)). The principles of due process “require[] that notice be ‘reasonably calculated, under all the circumstances, to apprise

13 The parties suggest that in the hypothetical scenario that any money remains in the Net Settlement Fund following distribution of settlement payments to the class and such remainder is not economically distributable, they may petition the Court for permission to distribute the remaining funds to an approved non-profit recipient. (Doc. No. 43-1 at ¶ 3.10.) The Court has not yet granted such approval.

The cy pres doctrine “may be used to direct excess funds to a third-party for a purpose related to the class injury.” Huffman v. Prudential Ins. Co. of Am., No, 10-cv-5135, 2020 U.S. Dist. LEXIS 140539, 2020 WL 4530150, at *1 (E.D. Pa. Aug. 6, 2020). “In the normal cy pres scenario, parties may seek to distribute to a nonparty (or nonparties) the excess settlement funds for their next best use—a charitable purpose reasonably approximating the interests pursued by the class.” Id. (internal quotation marks omitted) (quoting In re: Google Inc. Cookie Placement Consumer Privacy Litig., 934 F.3d 316, 327 (3d Cir. 2019)). “Approval of a settlement agreement which names a cy pres recipient is warranted when the court finds that the settlement, taken as a whole, is fair, reasonable, and adequate from the perspective of the class.” Katz, 2023 U.S. Dist. LEXIS 65901, at *31 (citing In re Baby Prods. Antitrust Litig., 708 F.3d 163, 172–73 (3d Cir. 2013) (cleaned up)). Here, the hypothetical inclusion of an approved non-profit organization as the intended cy pres recipient, to be approved at a later date, does not change the Court’s preliminary conclusion that the settlement is fair, reasonable and adequate. interested parties of the pendency of the action and afford them an opportunity to present their objections.’” In re Nat’l Football League Players, 821 F.3d at 435 (quoting Mullane v. Cent. Hanover Bank & Trust Co., 339 U.S. 306, 314 (1950)). The notice documents must provide a detailed description of the settlement, the circumstances leading to it, and the consequences of

objecting or opting out. See In re Diet Drugs Prods. Liab. Litig., 369 F.3d 293, 310–12 (3d Cir. 2004). Here, the Court finds that the requirements of Rule 23 and due process are satisfied by the parties’ revised proposed notice plan. As discussed above, following preliminary approval of the class settlement, the Settlement Administrator will send short-form notices to the class via direct mail, establish a dedicated settlement website,14 and create a toll-free help line to assist class members with obtaining settlement information. (Doc. No. 43-1 at ¶¶ 6.3, 6.7.) The plan to send direct-mail notices to the class is consistent with the manner the class members were initially notified of the data breach, and the Settlement Administrator will run the list through the National Change of Address Registry to maximize notice to the class. (Doc. No. 29-1 at 12.)

The short-form notice mailed to the class describes the nature of the dispute and settlement benefits, clearly explains how class members may submit a claim for a settlement payment, explains how class members can exclude themselves from or object to the settlement, and informs class members of the time and location of the final fairness hearing.15 (See Doc. No. 43-

14 The website will inform class members of the terms of the Settlement Agreement, their rights, relevant dates and deadlines, and important documents, including the long-form notice, the Claim Form, the preliminary approval order, the Settlement Agreement, operative complaint, and the motion for a fee award. (Doc. No. 43-1 at ¶ 6.7.)

15 Consistent with the Court’s direction, the parties also revised the short-form notice to make it clear that class members are only entitled to one form of compensation, and that the tear-off Claim Form appended to the short-form notice is only for the pro rata cash payment option. (Doc. No. 43-3 at 2–3.) The long- form notice was also revised to clarify that class members are entitled to only one form of settlement payment and that the prospective relief benefit is for a period of two years; it provides additional detail on how to submit a settlement claim which is consistent with the short-form notice and Claim Form 3.) The long-form notice, posted to the settlement website, includes additional, consistent information such as more detailed descriptions of class members’ legal rights and options; information on who is included in the settlement; more detailed information on each of the settlement benefit options; descriptions of how the settlement benefits will be paid and attorney’s

fees; and the identities of class counsel. (See Doc. No. 43-4; Doc. No. 43-1 at ¶ 6.7.) Moreover, we are satisfied that the content of the proposed notice satisfies Rule 23 and due process. The revised notice explains, in plain language, the genesis of the lawsuit, who the interested parties are, how the suit came to be settled, how class members’ claims will be calculated, the process for making a claim, the process for opting out of the settlement, the process for objecting to the settlement, and the consequences of opting out or objecting to the settlement. (See generally Doc. Nos. 43-2, 43-3.) As written, the proposed notice will ensure that “interested parties [are apprised] of the pendency of the action and afford them an opportunity to present their objections.” In re Nat’l Football League Players, 821 F.3d at 435 (quoting Mullane, 339 U.S. at 314).

***

For these reasons, the Court grants preliminary approval of the class action settlement.

IV. CONCLUSION

The parties’ proposed settlement was negotiated by experienced counsel with the help of an experienced mediator. It provides significant benefits to the class members. The Court is satisfied that preliminary approval is appropriate. Accordingly, Plaintiffs’ Motion is granted. A fairness hearing is scheduled for November 20, 2024, at 10:30 a.m. An appropriate order follows.

directions. (Doc. No. 43-4 at 3, 6–7.)