Reversing the trial court’s ruling dismissing the action for lack of standing, the U.S. Court of Appeals for the Seventh Circuit recently held that the increased risk of fraudulent credit or debit card charges and possible identity theft due to a data breach that already occurred was “certainly impending future harm” and was sufficient for Article III standing.

The Court also held that the time and money the plaintiffs allegedly spent resolving fraudulent charges and possible identity theft were sufficient injuries for Article III standing.

However, this opinion was issued prior to the Supreme Court of the United States’ ruling in Spokeo v. Robins, which clarified that harm sufficient to confer Article III standing cannot be hypothetical or conjectural; it must be “actual or imminent.”  It is not clear whether the Seventh Circuit’s ruling in this case will withstand scrutiny under Spokeo v. Robins.


A restaurant chain experienced a computer hack, which resulted in credit and debit card data being stolen. On June 12, 2014, the restaurant announced the computer hack and as a precaution encouraged its customers to monitor their card statements.

Months after the original announcement, the restaurant determined the data was stolen from only 33 restaurants, including only one from Illinois. The plaintiffs did not dine at this location.

The plaintiffs each brought their own suit against the restaurant chain seeking damages resulting from the data security breach, on behalf of themselves and on behalf of a putative class.

The first plaintiff allegedly dined at the restaurant chain in April 2014 and supposedly noticed fraudulent charges on his debit card two months later. This plaintiff allegedly then learned about the data breach at the restaurant and claimed that he purchased a credit monitoring service to protect against identity theft. He spent $106.89 on the service.

The second plaintiff dined at the same restaurant location as the first plaintiff, but did not have any fraudulent charges on his debit card.  However, the second plaintiff alleged he spent time and effort monitoring his credit card statements and his credit report to ensure that no fraudulent charges had been made on his card.

The two suits were consolidated. In the aggregate, the claims they asserted on behalf of the class exceeded $5,000,000 and minimal diversity existed.  The district court dismissed the consolidated action for lack of standing.

As you may recall, to invoke federal jurisdiction, plaintiffs must demonstrate that they have suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.

The Seventh Circuit previously examined standing in a case involving a data breach. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), a department store experienced a data breach that potentially exposed the payment card data of all customers who paid with cards during the previous year. The Seventh Circuit identified two future injuries that were sufficiently imminent: the increased risk of fraudulent credit or debit card charges, and the increased risk of identity theft.  The Seventh Circuit held in Remijas that these were not mere “allegations of possible future injury,” but instead were the type of “certainly impending” future harm that the Supreme Court requires to establish standing.

The Seventh Circuit in Remijas also held there was no need to speculate as to whether customer information had been stolen and what information was taken where a data theft had already occurred.

Moreover, the Seventh Circuit in Remijas found injuries sufficient for standing in the time and money the class members spent resolving fraudulent charges, as well as in the identity theft that had already occurred or in the time and money spent protecting against future identity theft.  The Seventh Circuit in Remijas held that the fact that the data breach had already occurred made the risk of identity theft and fraudulent charges sufficiently immediate to justify mitigation.

In the instant case, the plaintiffs alleged the same sort of future injuries as were discussed in Remijas. The Seventh Circuit found it is plausible to infer a substantial risk of harm from a data breach because a primary incentive for hacks is to make fraudulent charges or assume the consumers’ identities.

The Seventh Circuit held that both named plaintiffs alleged sufficient facts to support standing.  According to the Court, one plaintiff had already allegedly experienced fraudulent charges, although the bank was able to stop the charges before they went through, and the other plaintiff allegedly spent time and effort monitoring his financial information as a guard against fraudulent charges and identity theft.

The defendant restaurant chain argued that the plaintiffs’ mitigation was unreasonable because there was no threat of identity theft. However, the plaintiffs alleged that the defendant had encouraged customers to monitor their credit reports, rather than simply their credit and debit card statements for existing affected cards. The First Circuit previously found that expenses for replacing cards and purchasing a credit monitoring service were reasonable mitigation after a data breach. See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 162 (1st Cir. 2011). Thus, the Seventh Circuit here ruled that the plaintiffs’ mitigation was reasonable.

The defendant also contested whether the plaintiffs’ data was actually exposed in the breach. The Seventh Circuit found this immaterial as the plaintiffs’ factual allegations must only be plausible at the pleadings stage. The Court held that the plaintiffs did plausibly allege their data was stolen, as the defendant addressed customers who had dined at all of its stores in the United States, and admitted it did not originally know how many stores were affected.  The Court noted that although this creates a factual dispute, it does not destroy standing.

The Seventh Circuit also briefly discussed the plaintiffs’ other alleged injuries. The Court found that at least some of the plaintiffs’ injuries qualify as immediate and concrete injuries to support Article III standing.

The Seventh Circuit then addressed causation and redressability. The Court found that the plaintiffs alleged that the defendant’s location they both visited was among the locations involved in the data breach and included enough facts to meet the plausibility standard. The defendant alleged alternative causes for the plaintiffs’ claim, but the Court held that merely identifying potential alternative causes does not defeat standing.

As to redressability, the Court held that the plaintiffs and those in the putative class (should it be certified) allegedly have quantifiable financial injuries, including purchasing a credit monitoring service, loss of point accrual (if it has monetary value), and reimbursement for fraudulent charges. The Seventh Circuit held that a favorable judgment would redress the plaintiffs’ injuries.

The Seventh Circuit lastly addressed the defendant’s alternative argument that the plaintiffs failed to state a claim upon which relief could be granted. The Court did not address this argument as the district court dismissed the plaintiffs’ claims for lack of subject matter jurisdiction. The Court noted it could only grant additional relief if the appellee files a cross-appeal and the defendant in this case did not do so.

In sum, the Seventh Circuit concluded that the plaintiffs alleged sufficient facts to support Article III standing, and reversed the trial court’s ruling.