Within the last two weeks, two different federal district courts have issued decisions in high-profile data breach cases that highlight an important issue to watch in 2015: whether consumers whose payment card data was taken have standing to pursue claims against retailers.  Northern District of Illinois Judge John Darrah and District of Minnesota Judge Paul Magnuson issued decisions regarding motions to dismiss in consumer class actions against P.F. Chang’s China Bistro Inc. and Target Corp. respectively, with substantially different results.  Judge Darrah granted the motion to dismiss the class action against P.F. Chang’s, while Judge Magnuson allowed most of the putative consumer class action against Target to proceed.  The rulings took different approaches in examining whether the plaintiffs had sufficiently alleged injury, showing continuing uncertainty over what consumers must plead in order to pursue a claim after a data breach.

P.F. Chang’s Class Action Dismissed

P.F. Chang’s disclosed a data breach on June 12, 2014 that resulted in compromised credit card and debit-card data from 33 restaurant locations. Multiple class actions followed.

In an effort to demonstrate standing, the plaintiffs alleged five types of injury: (1) overpayment for products and services purchased; (2) fraudulent charges; (3) opportunity costs; (4) identity theft; and (5) mitigation damages.  The court rejected all of them.

The plaintiffs stated that they had been harmed because they had overpaid for goods and services, on the theory that the price of food and drink at P.F. Chang’s implicitly included a fee for personal information protection which P.F. Chang’s failed to provide.  Judge Darrah deemed the argument “unpersuasive” because no injury in fact was alleged, particularly since credit card users are charged the same amount as customers who pay using other methods such as cash.

The court dismissed the plaintiffs’ other damages claims in short order, finding that plaintiffs failed to show “an unreimbursed charge” on their payment cards such that plaintiffs could demonstrate an actual injury, and that the opportunity cost of not having a credit or debit card for the days between learning about a fraudulent charge and receiving a new card “is not a cognizable injury.”

Judge Darrah also cited the 2013 Supreme Court decision Clapper v. Amnesty International USA in dismissing the plaintiffs’ assertion that their efforts to mitigate or prevent injury following the breach created a cognizable injury, noting that costs incurred in anticipation of non-imminent harm do not qualify as injuries.

The plaintiffs filed a notice of appeal.  This case now joins another data breach action, against  Neiman Marcus (which also succeeded in securing dismissal of the data breach class action against it), in the queue of cases awaiting briefing in front of the Seventh Circuit Court of Appeals in 2015. 

Target Putative Class Action Proceeds

Target discovered a breach on December 15, 2013, which resulted in approximately 40 million compromised credit and debit card accounts.  The subsequent class actions, on behalf of United States customers, were consolidated into the District of Minnesota.

Last week, the court found that the plaintiffs largely succeeded in establishing standing to sue based on financial injury.  Notably, like the unsuccessful P.F. Chang’s plaintiffs, the Target plaintiffs did not allege that they had unreimbursed charges on their payment cards.  But they alleged unlawful charges that went unreimbursed for substantial periods of time and restricted or blocked bank accounts.  The plaintiffs further alleged that these problems resulted in late payment charges, an inability for the plaintiffs to pay other bills, and additional charged fees.  Judge Magnuson found that these charges and financial damages are “fairly traceable” to Target.

Target made many of the same arguments as P.F. Chang’s in the motion to dismiss, stating that the plaintiffs’ injuries were not “actual or imminent” and that plaintiffs failed to allege that card charges were unreimbursed.  But the court found these arguments unresponsive to the complaint in this case.  Devoting only a page to the threshold standing issue that was pivotal in the P.F. Chang’s case, the court said that “Target ignores much of what is pled . . . .  [Their] arguments gloss over the actual allegations made and set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.”

The court did dismiss some of the Target plaintiffs’ claims, including some of the state consumer protection claims, state data-breach notification claims, the bailment claim, and an unjust enrichment cause of action based on the same theory as the overpayment theory presented in the P.F. Chang’s litigation.  But the bulk of the claims remain intact, and will proceed to discovery. It remains to be seen, of course, whether the plaintiffs will succeed in having a court certify a class based on the individualized-type injuries that allowed them to survive the motion to dismiss, but that decision will be months away.