In a brief made public on March 10, P.F. Chang’s China Bistro, Inc. urged the U.S. Court of Appeals for the Seventh Circuit to affirm a lower court’s decision to toss out two consolidated complaints filed against the company in the wake of the company’s announcement in June 2014 that customer payment data in some of its stores had been compromised. The district court had found that plaintiffs Lewart and Kosner lacked standing because they failed to allege actual harm. On appeal, plaintiffs argue that they suffered mitigation expenses and temporary loss of their cards and accounts because of P.F. Chang’s mishandling of the data breach and that this affords adequate standing.
In the decision below, the district court focused on the fact that neither plaintiff had alleged that any successful fraudulent charges had been made on their accounts, let alone that any charges had been unreimbursed by their banks. Attempted charges had been made on Kosner’s account, but had not been honored by his bank. Any mitigation expenses that the plaintiffs had incurred were to prevent purely speculative harm. In its brief to the Seventh Circuit, P.F. Chang’s echoed this reasoning and highlighted that, in fact, neither plaintiff had visited a restaurant implicated in the data breach.
In their opening brief to the Seventh Circuit, the plaintiffs’ statement of issues is a litany of possible theories for why a person whose personal information has even potentially been compromised in a company data breach may suffer injury-in-fact. Plaintiffs argue, among other things, that they have been exposed to the risk that their data may be misused in the future, that they would not have bought P.F. Chang’s goods and services had they known of the restaurant chain’s mismanagement of customer data, that at least one of the plaintiffs purchased credit monitoring services as a consequence of the breach, and that allegations of unreimbursed fraudulent charges are not necessary given these other harms.
In attempts to overcome the fact that neither of them appear to have visited a restaurant subject to the data breach, plaintiffs appear to argue that P.F. Chang’s nevertheless mishandled the disclosure of the data breach, causing plaintiffs to incur expense to proactively prevent any damage to their credit, identities, or accounts.