IN RE PHILADELPHIA INQUIRER DATA SECURITY LITIGATION

• Court: District Court, E.D. Pennsylvania
• Decided: October 25, 2024
• Docket: 2:24-cv-02106
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA

CIVIL ACTION

IN RE PHILADELPHIA INQUIRER DATA SECURITY LITIGATION NO. 24-2106-KSM

MEMORANDUM

Marston, J. October 25, 2024

This is a putative class action brought by Plaintiffs Ivery Sheree Mosley, Steven Hassell, and Christopher Devine. (See Doc. No. 16.) Plaintiffs allege that Defendant, The Philadelphia Inquirer, failed to adequately safeguard sensitive personal information entrusted to it, despite acknowledging the risk of a data breach. (Id.) Presently before the Court is Plaintiffs’ renewed motion for preliminary approval of the class action settlement and revised settlement agreement, notices, and claim form. (Doc. Nos. 26, 26-2, 26-3, 26-4, 26-5.) For the reasons below, the motion is granted, and the Court will schedule a final approval hearing. I. BACKGROUND

Beginning in May 2023, several class actions were filed in this Court on behalf of consumers whose information was stolen following a third party cyberattack against Defendant. (See, e.g., Doc. No. 1, Mosley v. The Philadelphia Inquirer, PBC, Civil Action No.; Doc. No. 1- 1, Hassell v. The Philadelphia Inquirer LLC, Civil Action No. 2:24-cv-02499-KSM; Doc. No. 1- 1, Devine v. The Philadelphia Inquirer LLC, Civil Action No. 2:24-cv-02503-KSM.) On July 23, 2024, this Court consolidated these class actions under the new case name “In re Philadelphia Inquirer Data Security Litigation.” (Doc. No. 15.) On July 31, 2024, Plaintiffs filed a consolidated complaint asserting claims for negligence, negligence per se, invasion of privacy, unjust enrichment, and violations of state consumer protection and privacy statutes. (Doc. No. 16.) Plaintiffs alleged that they entrusted Defendant with their sensitive personal information, such as names, addresses, social security numbers, account passwords, and financial information.

(See id. at ¶¶ 1–7.) But, they allege, Defendant failed to implement adequate security practices to protect Plaintiffs’ information from cybercriminals and failed to provide timely notice of the data breach. (Id. at ¶¶ 8–14.) Plaintiffs argued that they entrusted Defendant with their information with the reasonable expectation that Defendant would comply with its obligations to keep the information confidential and secure from unauthorized access, pursuant to state consumer protection and privacy laws. (Id. at ¶¶ 26–31.) On July 8, 2024, following mediation with an experienced mediator, Bennett G. Picker, Esquire of Stradley Ronon Stevens & Young LLP, the parties agreed to a settlement in principle, and on August 22, 2024, Plaintiffs filed an initial unopposed motion for preliminary approval of the class action settlement. (Doc. No. 17; Doc. No. 17-1 at 11.) On September 25, 2024, the

Court held a hearing on the motion, and on October 4, 2024, at the Court’s direction, the parties filed the renewed motion and revised settlement agreement, short-form notice, long-form notice, and claim form currently before the Court. (Doc. Nos. 26, 26-2, 26-3, 26-4, 26-5.) II. Preliminary Certification of the Class for Settlement Purposes

A. Legal Standard

The Court may certify class actions for the sole purpose of settlement. In re CertainTeed Corp. Roofing Shingle Prods. Liab. Litig., 269 F.R.D. 468, 476 (E.D. Pa. 2010) (citing In re GMC Pick-Up Truck Fuel Tank Prods. Liab. Litig., 55 F.3d 768, 786 (3d Cir. 1995)). In these situations, the court provisionally certifies the class, but reserves “[f]inal certification” until it “rules on whether the final settlement agreement is to be approved.” Id. When a court certifies a class for settlement, “it must first find that the class satisfies all the requirements of Rule 23,” and in particular Rule 23(a) and 23(b). In re Cmty. Bank of N. Va.,

418 F.3d 277, 300 (3d Cir. 2005). Under Rule 23(a), a class action is allowable only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class. Fed. R. Civ. P. 23(a); see also Reyes v. Netdeposit, LLC, 802 F.3d 469, 482 (3d Cir. 2015) (“All potential classes must initially satisfy four prerequisites to be certified: (1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.”). Additionally, the class must be currently and readily ascertainable based on objective criteria. Marcus v. BMW of N. Am. LLC, 687 F.3d 583, 593 (3d Cir. 2012). If the Rule 23(a) and ascertainability conditions are met, then a case may proceed as a class action if one of the conditions of Rule 23(b) is also satisfied. Here, Plaintiffs seek certification for a class under Rule 23(b)(3), which requires that “the court find[] that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed. R. Civ. P. 23(b)(3); see also Reyes, 802 F.3d at 482 (explaining that a plaintiff must demonstrate “predominance and superiority” for certification under Rule 23(b)(3)). B. Analysis Plaintiffs propose a class of “approximately 25,549 natural persons whose Private Information was potentially compromised in the Data Incident.” (Doc. No. 17-1 at 11; Doc. No. 26-2 at ¶ 1.40.) This class is ascertainable and meets all six requirements of Rules 23(a) and

23(b). We will address each in turn. 1. Ascertainability The plaintiff has the burden of showing, by a preponderance of the evidence, that “(1) the class is ‘defined with reference to objective criteria’; and (2) there is ‘a reliable and administratively feasible mechanism for determining whether putative class members fall within the class definition.’” Byrd v. Aaron’s Inc., 784 F.3d 154, 163 (3d Cir. 2015) (citing Carrera v. Bayer Corp., 727 F.3d 300, 306 (3d Cir. 2013)). The class here is ascertainable because the parties will determine the exact number and identities of individuals whose data could have been compromised using Defendant’s records. (Doc. No. 17-1 at 26.) 2. Rule 23(a) Requirements

In addition to being ascertainable, the putative class must also satisfy the requirements of Rule 23(a): “(1) numerosity, (2) commonality, (3) typicality, and (4) adequacy of representation.” Reyes, 802 F.3d at 482. Numerosity

While “[t]here is no magic number of class members needed for a suit to proceed as a class action,” the Third Circuit has held that “numerosity is generally satisfied if there are more than 40 class members.” In re Nat’l Football League Players Concussion Inj. Litig., 821 F.3d 410, 426 (3d Cir. 2016). Here, the proposed class is sufficiently numerous because it consists of over 25,000 people. (Doc. No. 17-1 at 26–27.) The Court is satisfied that this is enough people to render joinder impracticable. Fed. R. Civ. P. 23(a); see Corra v. ACTS Ret. Servs., Inc., No. 22-2917, 2024 WL 22075, at *3 (E.D. Pa. Jan. 2, 2024) (holding that a proposed class of over 20,000 members “easily satisfies the numerosity requirement”). Commonality

As the Third Circuit has explained, “[a] putative class satisfies Rule 23(a)’s commonality requirement if the named plaintiffs share at least one question of fact or law with the grievances of the prospective class.” In re Nat’l Football League Players, 821 F.3d at 426–27 (quoting Rodriguez v. Nat’l City Bank, 726 F.3d 372, 382 (3d Cir. 2013)). It is “easy enough” to meet the requirement, provided all members of the class have claims that are capable of class-wide resolution. Id. Commonality is met in this case because “the proposed class members all suffered from the same data breach. There are common questions as to how the data breach occurred, whether [Defendant] had a duty to protect [consumers], and whether the [consumers] were harmed by the breach.” Fulton-Green v. Accolade, Inc., No. CV 18-274, 2019 WL 316722, at *3 (E.D. Pa. Jan. 24, 2019).

Typicality

There is a “low threshold” for typicality. Newton v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 259 F.3d 154, 182–83 (3d Cir. 2001). So long as “the interests of the class and the class representative are aligned,” courts will find typicality even when class members’ claims are only legally similar, and not factually similar. Id. The representative Plaintiffs’ claims here are “virtually identical” to those of the class because their claims “arise from the same conduct”— each Plaintiff’s claim “stems from [Defendant’s] security measures and whether they were adequate to protect” the Plaintiff’s sensitive data. In re Wawa, Inc. Data Sec. Litig., No. CV 19- 6019, 2023 WL 6690705, at *4 (E.D. Pa. Oct. 12, 2023). Thus, the typicality requirement is met. Adequacy of Representation

Courts considering adequacy of representation examine both “the qualifications of class counsel and the class representatives.” In re Nat’l Football League Players, 821 F.3d at 428. First, when considering the adequacy of class representatives, courts seek “to root out conflicts of interest within the class” and to “uncover conflicts of interest between the named parties and the class they seek to represent.” Id. at 428, 430 (quoting Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 625 (1997)). “A class representative must represent a class capably and diligently,” but this is a low bar: “‘a minimal degree of knowledge’ about the litigation is adequate.” Id. at 430 (quoting New Directions Treatment Servs. v. City of Reading, 490 F.3d 293, 313 (3d Cir. 2007)). “[T]he linchpin of the adequacy requirement is the alignment of interests and incentives between the representative plaintiffs and the rest of the class.” In re Cmty. Bank of N. Va., 795 F.3d at 393 (quoting Dewey v. Volkswagen Aktiengesellschaft, 681 F.3d 170, 183 (3d Cir. 2012)). Here, this requirement is satisfied because the representative Plaintiffs have been actively participating in the litigation of this case by providing documents,

answering their lawyer’s questions, and reviewing the complaint and settlement terms. (Doc. No. 17-1 at 28.) The Court discerns no conflict of interest between the class representatives and other potential class members—their interests are aligned in attempting to prove the factual averments in the complaint and establishing Defendant’s liability. (Id.) Second, with respect to class counsel, the important factors are whether the attorneys “(1) possessed adequate experience; (2) vigorously prosecuted the action; and (3) acted at arm’s length from the defendant.” In re GMC, 55 F.3d at 801. The Third Circuit has indicated that courts should consider the non-exhaustive list of factors in Rule 23(g) for appointing counsel in determining the adequacy of representation. See In re Nat’l Football League Players, 821 F.3d at 429. Those factors include counsel’s work in the instant class action, experience in handling class actions or other kinds of complex litigation, knowledge of the applicable laws, and resources available for representing the class. Fed. R. Civ. P. 23(g)(1)(A). The court also “may consider any other matter pertinent to counsel’s ability to fairly and adequately represent the

interests of the class.” Fed. R. Civ. P. 23(g)(1)(B). Here, the proposed class counsel—Benjamin F. Johns, Esquire; Gary M. Klinger, Esquire; Kenneth J. Grunfeld, Esquire; and Terence R. Coates, Esquire—are qualified to “fairly and adequately represent the interests of the class.” Fed. R. Civ. P. 23(a)(4). Johns, Klinger, Grunfeld, and Coates have diligently pursued this matter even before their appointment, engaged in discovery exchanges, and negotiated a favorable settlement for the putative class. (Doc. No. 17-1 at 20–21.) Plaintiffs’ counsel have substantial experience handling class litigation, including many actions arising from data breaches. (See Doc. No. 17-3.) Last, the parties worked with experienced mediator Bennett Picker, Esquire to facilitate arms’ length negotiations, which weighs in favor of finding adequacy. See Fulton-Green, 2019 WL 4677954, at *6 (collecting cases). Thus, the Court finds

that the proposed class’s interests have been advanced by experienced, dedicated counsel, working at arms’ length from Defendant in accordance with Rule 23(a)(4). *** In sum, the Court finds that the Rule 23(a) conditions for class certification are met. 3. Rule 23(b)(3) Requirements In addition to meeting the requirements of Rule 23(a), the putative class must also satisfy Rule 23(b)(3), which requires the Court find that “the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy.” Fed. R. Civ. P. 23(b)(3). Predominance Here, predominance is satisfied. The key issue under the predominance factor is

“whether proposed classes are sufficiently cohesive to warrant adjudication by representation.” Amchem, 521 U.S. at 623. The Third Circuit has counseled that courts should be “more inclined to find the predominance test met in the settlement context.” In re Nat’l Football League Players, 821 F.3d at 434 (quoting Sullivan v. DB Invs., Inc., 667 F.3d 273, 304 n.29 (3d Cir. 2011) (en banc)). In this data breach litigation, Defendant’s conduct is common to all class members, and all class members were harmed by that conduct. And “[t]he issues facing each class member are the same: demonstrating the degree of the [ ] data breach and proving [Defendant’s] culpability.” In re Wawa, 2023 WL 6690705, at *5; (Doc. No. 17-1 at 29–30). Taken together, these common questions of law and fact predominate over individual factual questions, such as the specific degree of damages incurred. See Corra, 2024 WL 22075, at *5

(holding that common questions predominated even though “there may be slight differences among class members regarding degree of damages or the exact type of injury suffered”). Superiority Lastly, the parties have demonstrated the class action mechanism is superior to other available methods for fairly and efficiently adjudicating the controversy. Fed. R. Civ. P. 23(b)(3). When evaluating this requirement, courts consider “the class members’ interests in individually controlling litigation, the extent and nature of any litigation, the desirability or undesirability of concentrating the litigation, and the likely difficulties in managing a class action.” In re Nat’l Football League Players, 821 F.3d at 435 (citing Rule 23(b)(3)(A)–(D)). Superiority can be satisfied where the settlement prevents “duplicative lawsuits and enables fast processing of a multitude of claims.” Id. (quoting In re Nat’l Football League Players’ Concussion Inj. Litig., 307 F.R.D. 351, 382 (E.D. Pa. 2015)); see also Sullivan, 667 F.3d at 312. Here, these factors weigh in favor of class litigation. With over 25,000 potential class

members and considering the “cost and complexity of the litigation,” many potential plaintiffs would likely “have small claims that would be impractical to litigate on an individual basis.” Corra, 2024 WL 22075, at *5; In re Wawa, 2023 WL 6690705, at *5; (Doc. No. 17-1 at 30). Moreover, “where, as here, the Court is confronted with a request for settlement-only class certification, [the Court] need not inquire whether the case, if tried, would present intractable management problems, see Fed. R. Civ. P. 23(b)(3)(D), for the proposal is that there be no trial.” Corra, 2024 WL 22075, at *5 (quoting Amchem, 521 U.S. at 620) (cleaned up). Accordingly, superiority is met in this case. ***

For these reasons, we find that the requirements of Rules 23(a) and 23(b)(3) are satisfied, and the Court provisionally certifies the class. C. Appointment of Class Representative Appointment of class representatives is governed by Rule 23(a) of the Federal Rules of Civil Procedure, which requires that their claims be “typical of the claims . . . of the class” and that they “will fairly and adequately protect the interests of the class.” For the reasons previously discussed in Part II.B.2, those requirements are met here, and the Court will appoint Ivery Sheree Mosley, Steven Hassell, and Christopher Devine as representatives of the settlement class. D. Appointment of Class Counsel Rule 23(g) of the Federal Rules of Civil Procedure provides the standard for the appointment of class counsel. Class counsel are responsible not just for representing the interests of the class representatives, but for “fairly and adequately represent[ing] the interests of the

class.” Fed. R. Civ. P. 23(g)(4). As discussed above in Part II.B.2, Rule 23(g) provides a non- exclusive list of factors courts should consider when appointing class counsel. For the reasons previously discussed, the Court finds that Benjamin F. Johns, Esquire; Gary M. Klinger, Esquire; Kenneth J. Grunfeld, Esquire; and Terence R. Coates, Esquire have the ability and resources to “fairly and adequately represent the interests of the class.” Accordingly, they will be appointed as class counsel. III. Preliminary Approval of the Settlement Agreement The parties also ask the Court to preliminarily approve their settlement agreement which was negotiated at arm’s length with the assistance of mediator Bennett G. Picker, Esquire, of Stradley Ronon Stevens & Young LLP. (See generally Doc. No. 17.)

A. Settlement Agreement1 As noted above, the proposed settlement class consists of “approximately 25,549 natural persons whose Private Information was potentially compromised in the Data Incident.” (Doc. No. 17-1 at 11; Doc. No. 26-2 at ¶ 1.40.) The settlement requires Defendant to create a $525,000 non-reversionary settlement fund which will be used to pay for administrative expenses, taxes,

1 Unless otherwise noted, terms such as “claim form” have the meanings ascribed in the parties’ revised class action settlement agreement. (See Doc. No. 26-2.) Because the parties have submitted a revised settlement agreement, (id.), the Court cites to the relevant sections of that agreement. any service award,2 and any fee award and costs.3 (Doc. No. 26-2 at ¶ 3.8.) The amount left over in the settlement fund after these expenses (the “net settlement fund”) will be used to pay for approved claims submitted by class members. (Id.) Class members may file a claim for 12 months of credit monitoring and insurance

services (“CMIS”), which includes three-credit bureau monitoring services and $1 million in identity theft insurance. (Doc. No. 26-2 at ¶ 3.3(a).) Also, class members may file a claim for one of the following additional settlement benefits: (1) class members may submit a “Documented Loss Payment” claim seeking up to $5,000 per person for the reimbursement of losses supported by reasonable documentation which were more likely than not the result of the data breach at issue; or (2) class members may submit a claim for a pro rata cash payment without any supporting documentation. (Id. ¶ 3.3(b)–(c).) All class members who opt for the pro rata cash payment will receive an equal amount, which is calculated by subtracting from the net settlement fund the costs associated with the CMIS and Documented Loss settlement benefit options, and then dividing the net amount evenly by the total number of valid claims submitted.4

(Id. ¶ 3.8.)

2 Plaintiffs suggest a service award of up to $2,000 for each representative Plaintiff, for which they will separately petition the Court for approval. (Doc. No. 17-1 at 17; Doc. No. 26-2 at ¶ 8.1.) The settlement is not conditioned on the Court’s award of any service payments. (Doc. No. 26-2 at ¶ 8.3.)

3 Plaintiffs intend to separately file a motion for an award of attorneys’ fees for up to 33.3% of the settlement fund ($175,000) and for reasonable costs. (Doc. No. 17-1 at 17; Doc. No. 26-2 at ¶ 9.1.) The settlement is not conditioned on the Court’s award of any attorney’s fees or costs. (Doc. No. 26-2 at ¶ 9.3.)

4 To the extent any amount remains in the net settlement fund more than 120 days after the distribution of all settlement payments, a subsequent settlement payment will be evenly made to all class members who opted for the pro rata cash payment and who deposited the initial payment they received. (Doc. No. 26-2 at ¶ 3.10.) If the remaining amount left in the settlement fund is not economically distributable—i.e., the amount of payment for each person is less than $3.00—the parties intend to petition the Court for permission to distribute the remaining funds to a cy pres approved non-profit recipient. (Id.) In addition to the foregoing benefits, Defendant agrees to “adopt, continue, or implement, for a period of at least two (2) years and consistent with applicable law, reasonable data and information security measures . . . to strengthen Philadelphia Inquirer’s data and information security.” (Id. ¶ 2.1.)

To serve as the Settlement Administrator, the parties used a competitive bidding process to select Verita Global, LLC, a nationally recognized claims administrator that has handled dozens of similar data breach settlements. (Doc. No. 17-1 at 14.) Following this Court’s preliminary approval of the class settlement, the Settlement Administrator will administer the settlement agreement’s notice plan, which calls for direct-mailing of short-form notices to the class,5 establishing a dedicated settlement website,6 and creating a toll-free help line to assist class members with obtaining settlement information. (Doc. No. 26-2 at ¶¶ 1.24, 6.3, 6.7.) The plan to send direct-mail notices to the class is consistent with the manner the class members were initially notified of the data breach. (Doc. No. 17-1 at 14.) The revised short-form notice to be mailed to the class describes the nature of the dispute and settlement benefits; clearly explains

how class members can submit a claim for a settlement payment; explains how class members can exclude themselves from or object to the settlement; and informs class members of the time and location of the final fairness hearing. (Doc. No. 26-4.) The revised long-form notice, to be posted to the settlement website, includes additional information such as more detailed

5 The Settlement Administrator will run the class member list through the National Change of Address Registry to ensure that notice reaches a percentage of the class consistent with due process. (Doc. No. 17- 1 at 14.)

6 The website will inform class members of the terms of the settlement agreement, their rights, and relevant dates and deadlines, and will provide access to important documents, such as the long-form notice, the Claim Form, the Court’s preliminary approval order, the settlement agreement, and the operative complaint. (Doc. No. 26-2 at ¶ 6.7.) descriptions of class members’ legal rights and settlement benefits, descriptions of how settlement benefits will be paid, and information regarding who is included in the settlement. (See Doc. No. 26-5; Doc. No. 26-2 at ¶ 6.7.) If the settlement is approved, class members will have 90 days after the notice is issued to complete and submit a claim indicating which settlement benefit option(s) they prefer.7 (Doc.

No. 26-2 at ¶ 3.5.) The Settlement Administrator is responsible for reviewing the Claim Forms to determine if they are complete and valid.8 (Id. ¶ 3.6.) Alternatively, class members have 60 days to object to the settlement or to opt out from the settlement. (Id. ¶¶ 6.8, 6.9.) If this settlement is approved, class members who do not exclude themselves from the settlement will be bound by a release that is tailored to cover the claims that were asserted or that could have been asserted by the class related to this data breach incident. (Doc. No. 17-1 at 12.) Specifically, the release is limited to “all Released Claims, including Unknown Claims, against each of the Released Parties,” and the class members: agree to refrain from instituting, directing or maintaining any lawsuit, contested matter, adversary proceeding, or miscellaneous proceeding against each of the Released Parties that relates to the Data Incident or otherwise arises out of the same facts and circumstances set forth in the operative Consolidated Class Action Complaint in this Action. This Settlement releases claims against only the Released Parties. This Settlement does not release, and it is not the intention of the Parties to this Settlement to release, any claims against any third party. Nor does this Release apply to any Class Member who timely excludes himself or herself from the

7 Class members can file for a claim by submitting a Claim Form on the settlement website, or by downloading, printing, and completing a Claim Form and mailing it to the Settlement Administrator. (See, e.g., Doc. No. 26-4 at 3.) Additionally, if the class member opts for a pro rata cash payment, they may submit the tear-off form which was attached to the short-form notice sent by direct mail. (See id.)

8 If the Settlement Administrator determines that a claim is incomplete or defective, the claimant is provided 30 days to cure the defect. (Doc. No. 26-2 at ¶ 3.6.) Also, if a class member’s claim for a documented loss is rejected, the claim will be instead considered as a claim for a cash fund payment. (Id. ¶ 3.3(b).) Settlement, or to any Class Member (or the estate of any Class Member) who is deceased prior to the Notice Date.

(Doc. No. 26-2 at ¶ 4.1.) “Released Claims,” in turn, is defined as:

any claim, liability, right, demand, suit, obligation, damage, including consequential damage, loss or cost, punitive damage, attorneys’ fees, costs, and expenses, action or cause of action, of every kind or description— whether known or Unknown (as the term “Unknown Claims” is defined herein), suspected or unsuspected, asserted or unasserted, liquidated or unliquidated, legal, statutory, or equitable—that was or could have been asserted on behalf of the Settlement Class in the Action related to or arising from the Data Incident, regardless of whether the claims or causes of action are based on federal, state, or local law, statute, ordinance, regulation, contract, common law, or any other source, and regardless of whether they are foreseen or unforeseen, suspected or unsuspected, or fixed or contingent, arising out of, or related or connected in any way with the Data Incident, including claims or causes of action of every kind and description that were brought, alleged, argued, raised or asserted in any pleading or court filing in the Action.

(Id. ¶ 1.34.)

B. Fair, Reasonable and Adequate Settlement

Preliminary approval of a proposed class action settlement is left to the discretion of the trial court and is based on an examination of whether the proposed settlement is “likely” to be approved under Rule 23(e)(2). Fed. R. Civ. P. 23(e)(1)(B)(i); see In re Prudential Ins. Co. Am. Sales Prac. Litig. Agent Actions, 148 F.3d 283, 299 (3d Cir. 1998); see also In re Traffic Exec. Ass’n-E. R.R.s, 627 F.2d 631, 634 (2d Cir. 1980) (“[Preliminary approval] is at most a determination that there is what might be termed ‘probable cause’ to submit the proposal to class members and hold a full-scale hearing as to its fairness.”). Under Rule 23(e)(2), a settlement must be “fair, reasonable, and adequate.” Fed. R. Civ. P. 23(e)(2). To determine whether a settlement satisfies Rule 23(e)(2), the court considers the factors outlined by the Third Circuit in In re GMC, Girsh v. Jepson, and In re Pet Foods. 1. The GMC Factors The settlement is entitled to “an initial presumption of fairness” if “the court finds that: (1) the negotiations occurred at arm’s length; (2) there was sufficient discovery; (3) the proponents of the settlement are experienced in similar litigation; and (4) only a small fraction of

the class objected.” In re GMC, 55 F.3d at 785. However, where, as here, the parties seek settlement approval and class certification simultaneously, the Court must examine the fairness of the settlement “even more scrupulous[ly] than usual.” In re Warfarin Sodium Antitrust Litig., 391 F.3d 516, 534 (3d Cir. 2004). Here, after review of the renewed motion and the revised settlement agreement, claim form and short- and long-form notices, we are satisfied that the proposed settlement meets the criteria for preliminary approval. The settlement agreement is entitled to an initial presumption of fairness because: (1) the parties negotiated the settlement at arms’ length with the assistance of mediator Bennett Picker, Esquire (Doc. No. 17-1 at 11), (2) prior to reaching settlement, experienced class counsel thoroughly investigated the class members’ claims and conducted

lengthy interviews of Plaintiffs, reviewed all documents produced by Defendant regarding the security breach, and exchanged mediation statements with Defendant (id. at 16, 20–21), and (3) class counsel, as described above, have significant experience in similar litigation (see supra Section II.B.2). Because a class has not yet been certified, the fourth factor—the fraction of class members objecting to the settlement—cannot be evaluated at this point. Thus, on balance, the GMC factors weigh in favor of preliminary approval such that an initial presumption of fairness attaches. 2. The Girsh Factors Although the settlement is entitled to an initial presumption of fairness, we must consider the following factors set forth by the Third Circuit in Girsh v. Jepson to confirm that it is fair, reasonable, and adequate: (1) the complexity, expense and likely duration of the litigation; (2) the reaction of the class to the settlement; (3) stage of the proceedings and the amount of discovery completed; (4) risks of establishing liability; (5) risk of establishing damages; (6) risk of maintaining the class action through the trial; (7) ability of the defendants to withstand a greater judgment; (8) the range of reasonableness of the settlement fund in light of the best possible recovery; and (9) the range of reasonableness of the settlement fund to a possible recovery in light of all the attendant risks of litigation.

521 F.3d 153, 157 (3d Cir. 1975) (quoting City of Detroit v. Grinnell Corp., 495 F.2d 448, 463 (2d Cir. 1974)) (cleaned up).9 The first factor—complexity, expense, and likely duration of the litigation—is easily met because this “is a complex class action lawsuit regarding damages from a data breach, an area of law that has not yet been fully developed.” In re Wawa, 2023 WL 6690705, at *7. And, if the litigation were to continue, Plaintiffs and the settlement class would face many challenges and expenses associated with class action litigation, including obtaining class certification, briefing motions for summary judgment, obtaining and defending expert opinions, and maintaining class certification through trial. Id.; (Doc. No. 17-1 at 22). Thus, the first Girsh factor weighs in favor of approving the proposed settlement agreement. The second factor—the reaction of the class to the settlement—is neutral because the class has not yet received notice of the settlement.

9 The Court is mindful that Federal Rule of Civil Procedure 23(e)(2) enumerates certain considerations for approving a class action settlement. Since those factors substantially overlap with the Girsh factors and Pet Food Products factors, discussed infra, the Court does not separately address the 23(e)(2) factors. See Hall v. Accolade, Inc., No. 17-3423, 2020 U.S. Dist. LEXIS 52632, at *19 n.12 (E.D. Pa. Mar. 24, 2020) (“The Girsh factors predate the recent revisions to Rule 23, which now explicitly identifies the factors that should apply in scrutinizing proposed class settlements, and the earlier discussion in Girsh substantially overlaps with the factors now identified in Rule 23.”). The third factor—stage of the proceedings and the amount of discovery completed— considers whether “counsel had an adequate appreciation of the merits of the case before negotiating.” In re Warfarin Sodium Antitrust Litig., 391 F.3d at 537. Here, Plaintiffs’ counsel conducted lengthy interviews of Plaintiffs, reviewed Plaintiffs’ documentation and all documents

produced by Defendant related to the data breach, analyzed applicable state laws regarding breaches of consumer information, exchanged informal discovery with Defendant prior to mediation, and exchanged detailed mediation statements. (Doc. No. 17-1 at 21.) Thus, although we are “somewhat early in the litigation process,” the Court finds that counsel “have adequately developed their case and engaged in a significant degree of case development.” In re Wawa, 2023 WL 6690705, at *8 (holding that the third Girsh factor weighed in favor of approving settlement where the case was “somewhat early in the litigation process,” because although the parties conducted only limited discovery, they exerted significant effort in the settlement negotiations). The third factor thus weighs in favor of approving the settlement. The fourth and fifth factors—risks of establishing liability and damages—also counsel in

favor of approving the settlement. Plaintiffs’ counsel demonstrated that there is a risk of establishing liability, and in turn, damages, because this case involves a number of open questions, including whether Defendant owed a duty to the class to safeguard sensitive information, whether Defendant breached that duty, whether the compromised information was ever actually viewed by bad actors, whether Defendant violated state consumer protection laws, whether Defendant’s conduct was the proximate cause of the breach, and the extent to which the class is entitled to recovery. (Doc. No. 17-1 at 29–30.) Thus, the Court finds that the fourth and fifth Girsh factors weigh in favor of approving the settlement. The sixth Girsh factor—the likelihood of maintaining class certification if the action were to proceed to trial—weighs in favor of approval because there “will always be a ‘risk’ or possibility of decertification.” In re Prudential, 148 F.3d at 321. The seventh Girsh factor—the likelihood of Defendant to withstand a greater settlement—is “most clearly relevant where a settlement in a given case is less than would

ordinarily be awarded but the defendant’s financial circumstances do not permit a greater settlement.” In re Nat’l Football League Players, 307 F.R.D. at 394 (quoting Reibstein v. Rite Aid Corp., 761 F. Supp. 2d 241, 254 (E.D. Pa. 2011)). “However, when there is no ‘reason to believe that [d]efendants face any financial instability[,] . . . this factor is largely irrelevant.’” Id. There is no reason to believe Defendant here is financially unstable, so this factor is neutral. Finally, the eighth and ninth factors—the range of reasonableness of the settlement fund in light of the best possible recovery and in light of all the attendant risks of litigation—ask the Court to consider “whether the settlement represents a good value for a weak case or a poor value for a strong case.” In re Warfarin Sodium Antitrust Litig., 391 F.3d at 538. Here, the settlement is reasonable in light of the best possible recovery and attendant risks of litigation. As

discussed above, Plaintiffs face a significant risk in this case because they must prove not only that Defendant owed a duty to Plaintiffs to safeguard their information, but also that their conduct was the proximate cause of that breach. Considering that Plaintiffs would face substantial challenges in maintaining class certification and overcoming the summary judgment hurdle, this settlement for $525,000, in addition to injunctive relief in the form of improving and maintaining adequate safeguards for private information for at least two years, is reasonable. See Corra, 2024 WL 22075, at *9 (noting that the $350,000 settlement for a data breach class action case was reasonable particularly where “there is such a high probability that proceeding to trial would yield nothing for the more than 20,000 people whose personal information was potentially accessed through this breach”); Barletti v. Connexin Software, Inc., Case No. 2:22-cv-04676- JDW, 2024 WL 1096531, at *7 (E.D. Pa. Mar. 13, 2024) (holding that a $4 million class action settlement was reasonable in a data breach case of about 3 million consumers’ personal data “given the risks that the Class Reps faced in securing and collecting on a larger judgment, or any

judgment at all”). Given the undeniable risks with continuing the litigation, discussed supra, the final two factors both weigh in favor of approval. * * * For these reasons, the Court finds that on balance, the Girsh factors weigh in favor of approval of the settlement agreement. 3. The In re Pet Food Factors In addition to consideration of the GMC and Girsh factors, the Third Circuit has advised that “when appropriate,” “it may be helpful to expand the Girsh factors” to include non-

exclusive factors, such as “the maturity of the underlying substantive issues,” “the existence and probable outcome of claims by other classes and subclasses,” “the comparison between the results achieved by the settlement for individual class or subclass members and the results achieved – or likely to be achieved – for other claimants,” “whether class or subclass members are accorded the right to opt out of the settlement,” “whether any provision for attorneys’ fees are reasonable,” and “whether the procedure for processing individual claims under the settlement is fair and reasonable.” In re Pet Food Prods. Liab. Litig., 629 F.3d 333, 350 (3d Cir. 2010) (quoting In re Prudential, 148 F.3d at 323). Here, these factors also weigh in favor of approving the settlement. In particular, although the Court reserves determination on the question for the final approval hearing, the

provision for proposed attorney’s fees of no more than 33.3% of the settlement appears reasonable. (Doc. No. 17-1 at 23.) “Courts in the Third Circuit have identified contingent fee requests of this magnitude as squarely within the range of awards found to be reasonable.” Barletti, 2024 WL 1096531, at *6 (citations and quotation omitted). Also, as discussed, class members are accorded the right to opt out of the settlement (Doc. No. 26-2 at ¶ 6.8), and the

procedure for processing individual claims under the settlement is fair and reasonable because the settlement provides for notice to the class member if their Claim Form is deficient and affords a 30-day period to cure any such defect (id. ¶¶ 3.3, 3.6). And any claims for Documented Losses which are rejected as invalid by the Settlement Administrator will instead be considered as a claim for a pro rata cash payment. (Id. ¶ 3.3(b).) * * * Thus, the settlement agreement is fair, reasonable, and adequate, and does not otherwise reveal any deficiencies. It is entitled to a presumption of fairness, and that

presumption is supported by the Girsh factors, seven of which weigh in favor of approval and two of which are neutral, and also by the In re Pet Foods factors.10

10 The parties suggest that in the hypothetical scenario that any money remains in the Net Settlement Fund following distribution of settlement payments to the class and such remainder is not economically distributable, they may petition the Court for permission to distribute the remaining funds to an approved non-profit recipient. (Doc. No. 26-2 at ¶ 3.10.) The Court has not yet granted such approval.

The cy pres doctrine “may be used to direct excess funds to a third-party for a purpose related to the class injury.” Huffman v. Prudential Ins. Co. of Am., No, 10-cv-5135, 2020 U.S. Dist. LEXIS 140539, 2020 WL 4530150, at *1 (E.D. Pa. Aug. 6, 2020). “In the normal cy pres scenario, parties may seek to distribute to a nonparty (or nonparties) the excess settlement funds for their next best use—a charitable purpose reasonably approximating the interests pursued by the class.” Id. (internal quotation marks omitted) (quoting In re: Google Inc. Cookie Placement Consumer Privacy Litig., 934 F.3d 316, 327 (3d Cir. 2019)). “Approval of a settlement agreement which names a cy pres recipient is warranted when the court finds that the settlement, taken as a whole, is fair, reasonable, and adequate from the perspective of the class.” Katz, 2023 U.S. Dist. LEXIS 65901, at *31 (citing In re Baby Prods. Antitrust Litig., 708 F.3d 163, 172–73 (3d Cir. 2013) (cleaned up)). Here, the hypothetical inclusion of an approved non-profit organization as the intended cy pres recipient, to be approved at a later date, does not change the Court’s preliminary conclusion that the settlement is fair, reasonable and adequate. C. Notice

The Court is also satisfied that the form and content of the revised notice to the settlement class is adequate. “The notice to the proposed class must be the ‘best notice that is practicable under the circumstances, including individual notice to all members who can be identified through reasonable effort.’” Katz v. DNC Servs. Corp., No. 16-5800, 2023 U.S. Dist. LEXIS 65901, at *7 (E.D. Pa. Apr. 14, 2023) (citing Fed. R. Civ. P. 23(c)(2)(B)). The principles of due process “require[] that notice be ‘reasonably calculated, under all the circumstances, to apprise interested parties of the pendency of the action and afford them an opportunity to present their objections.’” In re Nat’l Football League Players, 821 F.3d at 435 (quoting Mullane v. Cent. Hanover Bank & Trust Co., 339 U.S. 306, 314 (1950)). The notice documents must provide a detailed description of the settlement, the circumstances leading to it, and the consequences of objecting or opting out. See In re Diet Drugs Prods. Liab. Litig., 369 F.3d 293, 310–12 (3d Cir. 2004). Here, the Court finds that the requirements of Rule 23 and due process are satisfied by

the parties’ revised proposed notice plan. As discussed above, following preliminary approval of the class settlement, the Settlement Administrator will send short-form notices to the class via direct mail, establish a dedicated settlement website,11 and create a toll-free help line to assist class members with obtaining settlement information. (Doc. No. 26-2 at ¶¶ 1.24, 6.3, 6.7.) The plan to send direct-mail notices to the class is consistent with the manner the class members were initially notified of the data breach, and the Settlement Administrator will run the list through the

11 The website will inform class members of the terms of the settlement agreement, their rights, relevant dates and deadlines, and important documents, including the long-form notice, the Claim Form, the preliminary approval order, the settlement agreement, and the operative complaint. (Doc. No. 26-2 at ¶ 6.7.) National Change of Address Registry to maximize notice to the class. (Doc. No. 17-1 at 14.) The revised short-form notice mailed to the class describes the nature of the dispute and settlement benefits, clearly explains how class members may submit a claim for a settlement payment, explains how class members can exclude themselves from or object to the settlement,

and informs class members of the time and location of the final fairness hearing. (See Doc. No. 26-4.) The revised long-form notice, posted to the settlement website, includes additional, consistent information such as more detailed descriptions of class members’ legal rights and options, information on who is included in the settlement, more detailed information on each of the settlement benefit options, descriptions of how the settlement benefits will be paid and attorney’s fees, and the identities of class counsel. (See Doc. Nos. 26-5, 26-2 at ¶ 6.7.) Moreover, we are satisfied that the content of the proposed notice satisfies Rule 23 and due process. The revised notice explains, in plain language, the genesis of the lawsuit, who the interested parties are, how the suit came to be settled, how class members’ claims will be calculated, the process for making a claim, the process for opting out of the settlement, the

process for objecting to the settlement, and the consequences of opting out or objecting to the settlement. (See generally Doc. Nos. 26-4, 26-5.) As written, the proposed notice will ensure that “interested parties [are apprised] of the pendency of the action and afford them an opportunity to present their objections.” In re Nat’l Football League Players, 821 F.3d at 435 (quoting Mullane, 339 U.S. at 314). ***

For these reasons, the Court grants preliminary approval of the class action settlement. IV. CONCLUSION

The parties’ proposed settlement was negotiated by experienced counsel with the help of an experienced mediator. It provides significant benefits to the class members. The Court is satisfied that preliminary approval is appropriate. Thus, Plaintiffs’ motion is granted. A fairness hearing is scheduled for March 18, 2025, at 10:00 a.m. An appropriate order follows.