The Seventh Circuit Court of Appeals reversed the dismissal of a data breach suit against P.F. Chang's, holding that the risk of future fraudulent charges and identity theft created by a data breach constituted a "certainly impending" future injury to establish standing for the plaintiffs.
Like many other companies, the national restaurant chain recently suffered a data breach. In June 2014, P.F. Chang's announced that its computer system had been breached and consumer credit and debit card data had been stolen. As a precaution, the company switched to a manual card processing system at all locations in the United States. A few weeks later the company announced that it had determined data was stolen from just 33 restaurants and only one in Illinois.
Two Illinois residents filed separate suits against P.F. Chang's. Lucas Kosner alleged that a few weeks after he paid with his debit card at the restaurant, four fraudulent transactions were made. He cancelled the card immediately and, believing the charges occurred because of the data breach, purchased a credit monitoring service for $106.89. John Lewert dined at the same restaurant, also paying with his debit card. Although no fraudulent transactions were made with his card, his complaint stated that he spent time and effort monitoring his card statements and his credit report after he learned of the breach. Neither plaintiff dined at the Illinois restaurant identified by the chain as being impacted by the breach.
P.F. Chang's moved to dismiss the consolidated cases, arguing that the plaintiffs lacked standing to bring suit. A federal district court agreed, but a three-judge panel of the Seventh Circuit reversed.
As a starting point, the court referenced a prior decision on standing in a data breach case in Remijas v. Neiman Marcus Group, where the Seventh Circuit concluded that the plaintiffs' increased risk of fraudulent credit and debit card charges and identity theft was concrete and particularized enough to support Article III standing. Standing was further supported by the time and money class members spent protecting against future identity theft or fraudulent charges, the Remijas court said.
"In the present case, several of Lewert and Kosner's alleged injuries fit within the categories we delineated in Remijas," the court wrote. "They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen. These alleged injuries are concrete enough to support a lawsuit."
The plaintiffs also pled sufficient facts to establish standing on their present injuries, the panel added, with Kosner asserting that he already experienced fraudulent charges and Lewert claiming that he spent time and effort monitoring his card statements and other financial information.
The restaurant chain attempted to distinguish Remijas by arguing that the plaintiffs' data was not actually exposed in the breach, noting that Lewert and Kosner dined at a restaurant not identified as one of those impacted by the data theft. "To the extent this is a valid distinction (and that is questionable), it is one that is immaterial," the court said. The plaintiffs plausibly alleged that their data was stolen and that P.F. Chang's public statements addressed customers who had dined at all of its stores in the United States.
"This creates a factual dispute about the scope of the breach, but it does not destroy standing," the Seventh Circuit explained. "P.F. Chang's will have the opportunity to present evidence to explain how the breach occurred and which stores it affected. Perhaps it can trace which specific data files were stolen. Perhaps each individual location's data is behind a separate firewall. Or perhaps it is being too optimistic and the breach was greater than it suggests."
"When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if the breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected," the court added.
Addressing the plaintiffs' other asserted injuries, the panel said the cost of their meals was not an injury, despite their claim they would not have dined at the restaurant had they known of its poor data security. Nor did the panel accept their contention that they had a property right in their personally identifiable data.
Lewert and Kosner did manage to satisfy the requirements for causation and redressability, however. The court again rejected the defendant's argument that they dined at a restaurant not hit by the hackers, as that would assume the answer to a disputed fact. "All class members should have the chance to show that they spent time and resources tracking down the possible fraud, changing automatic charges, and replacing cards as a prophylactic measure," the court said.
To read the decision in Lewert v. P.F. Chang's China Bistro, Inc., click here.
Why it matters: The Seventh Circuit has now firmly established itself as a plaintiff-friendly jurisdiction for data breach litigation, with the Lewertdecision building upon the generous standing position adopted inRemijas. The Remijas ruling provided a road map for data breach plaintiffs to win the battle over standing. As noted by the panel, the Lewertplaintiffs alleged "the same kind" of injuries as the successful plaintiffs in the Remijas case. In addition, companies should note that the court relied upon statements released by P.F. Chang's after the breach to support the plaintiffs' contentions, including advice to review credit reports and comments on the scope of the breach.