IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WISCONSIN
JORDAN ANDERSON, on behalf of himself and others similarly situated,
Plaintiff,
v.
BAUER BUILT INC. d/b/a Bauer Built Tire & Service,
Defendant.
OPINION and ORDER
24-cv-200-jdp
This proposed class action arises from a cyberattack on defendant Bauer Built Inc., which sells and services tires. Plaintiff Jordan Anderson is a former employee of Bauer Built. Anderson alleges that Bauer Built’s failure to adequately protect its computer network allowed cybercriminals to steal information about Bauer Built’s customers and employees, including full names, social security numbers, driver license numbers, financial account numbers, and medical information. Now before the court is Anderson’s unopposed motion for class certification and preliminary approval of the parties’ settlement agreement. Dkt. 21. The court will deny the motion without prejudice to allow Anderson to address the following concerns.
First, the court has an independent obligation to ensure that jurisdiction is proper. See Ware v. Best Buy Stores, L.P., 6 F.4th 726, 731 (7th Cir. 2021). Anderson’s claims arise under state law, so he relies on 28 U.S.C. § 1332(d) as the basis for jurisdiction. That statute applies to a proposed class action that meets the following criteria: (1) the proposed class includes at least 100 members; (2) at least one member of the class is a citizen of a state different from any defendant; and (3) the aggregated amount in controversy is more than $5 million. See Ware, 6 F.4th at 733. The first two requirements are met. In the proposed settlement agreement, the parties represent that the settlement class contains 4,876 individuals. Dkt. 22-1, ¶ 36. There is minimal diversity because Anderson is a citizen of Minnesota and Bauer Built is a citizen of Wisconsin. Dkt. 8 (answer), ¶¶ 8–9.
That leaves the amount-in-controversy. In the complaint, Anderson alleges that “[t]he amount in controversy exceeds $5 million, exclusive of interests and costs.” Dkt. 1, ¶ 10. But a conclusory allegation isn’t enough to establish jurisdiction; the proponent of federal jurisdiction must provide a plausible explanation for how the stakes of the lawsuit exceed the jurisdictional threshold. Ware, 6 F.4th at 732.
Here, it is not clear from the parties’ submissions that the amount in controversy plausibly exceeds $5 million. With 4,876 members in the proposed class, the amount in controversy would exceed $5 million if each class member, on average, could recover $1,026. Anderson alleges that the class members suffered harms including actual identity theft, time spent mitigating the risk of identity theft, diminution in value of their private information, and credit monitoring expenses. Dkt. 1, ¶ 71. The Seventh Circuit has observed in other data breach cases that credit monitoring services can cost up to $19.95 a month, see Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015), so recoveries of up to several hundred dollars per class member are plausible on that basis alone. See Linman v. Marten Transp., Ltd., No. 22-cv-204-jdp, 2023 WL 2562712, at *2 (W.D. Wis. Mar. 17, 2023) ($143 per class member is plausible); In re TJX Companies Retail Sec. Breach Litig., 584 F. Supp. 2d 395, 400 (D. Mass. 2008) (approving class settlement for victims of retail security breach in which it was estimated that three years of credit monitoring would cost $390); but see Bohnenstiehl v. McBride, Lock, & Assocs., LLC, No. 16-cv-306, 2016 WL 6872955 (S.D. Ill. Nov. 22, 2016) ($22,000 per class member is not plausible). But it is not plausible from the information in the complaint and settlement documents that the class members could recover more than $1000 each in credit monitoring expenses, and Anderson has provided no basis to estimate the potential recovery from the other types of damages he identified in the complaint. In the renewed motion, Anderson should explain why the amount in controversy exceeds the jurisdictional threshold.
Second, before a court may approve a proposed class settlement, the court must certify that the proposed class satisfies the requirements of Federal Rule of Civil Procedure 23, including the requirement that the class be “defined clearly” using “objective criteria.” Mullins v. Direct Digital, LLC, 795 F.3d 654, 657 (7th Cir. 2015). The parties’ settlement agreement defines the proposed class as follows:
    All individuals residing in the United States whose PII/PHI was compromised in the Data Breach discovered by Bauer in April 2023, including all those individuals who received notice of the breach.
Dkt. 22-1, ¶ 36. The definition excludes Bauer Built’s officers and directors, class members who opt out, the assigned judge, his staff, and family, and any person found guilty of criminal activity related to the data breach. Id. ¶ 58. According to Bauer Built, there are “approximately 4,876 unique individuals” in the proposed class. Id. ¶ 36.
There are two problems with the class definition. First, the settlement agreement does not define “PII/PHI,” so it is not clear what information about an individual would have to have been compromised to make an individual part of the class. Second, and relatedly, the class definition suggests that there are some members of the class whose data was compromised, but who did not receive notice of the breach. The parties should explain whether that’s truly the case, and if so, how Bauer Built identified those individuals.
Third, Anderson’s explanation of the proposed payments to class members is incomplete. Under the settlement agreement, class members can elect to receive either (1) compensation for documented out-of-pocket losses of up to $500, plus identity theft or fraud losses of up to $5,000; or (2) a pro rata cash payment of $45. Class members who elect the first pathway can also receive two years of credit monitoring at defendant’s expense. The settlement does not set a fixed amount for aggregate payments to class members; instead, payment is guaranteed for all class members who submit a valid claim. Separately from the class payments, defendant also agreed:
• to make certain data security improvements;
• to pay the fee for the settlement administrator;
• to pay the reasonable attorney fees of class counsel of up to $125,000; and
• to pay an incentive award of $2,500 to named plaintiff Anderson.
Dkt. 22-1, ¶¶ 43–44, 54, 68, 70.
The court is satisfied that the settlement is procedurally fair. There is no indication of collusion between the parties, and they reached the central terms of the settlement after arm’s length negotiations. Each class member is entitled to the same damages and there is no cap on total payments, so there is no risk that valid claims will exceed the total settlement fund.
But Anderson has not explained how the parties determined the amount of the out-of-pocket or pro rata payments. In most cases, plaintiffs’ counsel will calculate or estimate the maximum amount of damages the class could recover based on the plaintiffs’ theory of the case, and then explain why the discount in the proposed settlement is a reasonable one. Such an approach can be difficult to apply to data breach cases because it is difficult to precisely quantify the relatively small injuries to individual class members. But that challenge does not mean that it is impossible for plaintiffs to assess the value of their claims. Anderson will have to explain the potential amount the class could recover to respond to the above issue related to the amount in controversy. He should also explain why the proposed payments the class members will receive are reasonable, perhaps by comparing this case to other data breach class action settlements.
Fourth, class counsel says in their brief that they will submit a separate motion requesting $125,000 for attorneys’ fees and costs. In this circuit, the relevant ratio to assessing the reasonableness of the attorney’s fee is “the ratio of (1) the fee to (2) the fee plus what the class members received.” Redman v. RadioShack Corp., 768 F.3d 622, 630 (7th Cir. 2014). In this case, the amount that class members will receive depends on how many class members submit valid claims, so the court cannot assess the reasonableness of fees now. Counsel does not need to submit a motion for attorney fees at this point; however, given the relatively small size of the class, counsel is warned that the court is unlikely to approve a fee award of $125,000. Even if every class member submitted a claim for the pro rata payment of $45, the total payment to the class would be only $220,000, so a fee award of $125,000 is almost certainly excessive under the percentage-of-recovery method. Nor does it appear that the lodestar method justifies an award of $125,000. Counsel have not yet submitted their billing records, but they represent in their brief that they have devoted 91 hours to the case, so the lodestar is approximately $50,000. Dkt. 22, at 25.
ORDER
IT IS ORDERED that:
1. Plaintiff Jordan Anderson’s unopposed motion for certification of a class and for preliminary approval of the settlement, Dkt. 21, is DENIED without prejudice.
2. Anderson may have until February 12, 2026, to file an amended motion addressing the concerns raised in this order.
Entered January 29, 2026.
BY THE COURT:
/s/ ________________________________________
JAMES D. PETERSON
District Judge