The United States Court of Appeals for the Seventh Circuit (which hears appeals for federal courts located in Illinois, Indiana and Wisconsin) recently dealt a blow to the P.F. Chang’s restaurant chain. In so doing, it may have made life easier on cyber breach victims. And in the more immediate future, it means that P.F. Chang’s is going to have to continue to defend a federal class action suit.
Reports about cyber security are as ubiquitous as fast food restaurants. But despite the proliferation of these incidents, class action plaintiffs have frequently run into a wall known as “standing.” The concept of standing is pretty basic. Courts can’t rule on cases unless there is an actual injury. “Standing” is more official sounding than the school yard concept of “no harm no foul,” but it is essentially the same theory.
And in many cases, victims of a cyber breach are hard pressed to prove more than anxiety over the prospect of future harm. A typical scenario goes like this. A customer of a retail establishment learns hackers have breached the establishment’s computer system and stolen credit card information. The customer is justifiably concerned about the prospect of identity theft, but any fraudulent charges are handled by the credit card company, and at the time of filing, there hasn’t been any identity theft. A number of courts presented with that scenario have concluded there is no standing.
And in the P.F. Chang’s case the federal district court ruled the plaintiffs had no standing, because they failed to demonstrate any injury arising from a cyber breach involving credit card information at 33 P.F. Chang’s restaurants. But on appeal, the Seventh Circuit disagreed. It found the two named plaintiffs – John Lewert and Lucas Kostner – had suffered sufficient injuries to allow the case to proceed.
The court found that, because Lewert and Kostner brought their case after their data had allegedly been stolen, their claims of potential identity theft and fraudulent credit card charges constituted harm sufficiently “concrete and particularized” to satisfy the standing requirement. In addition, the two plaintiffs alleged actual present injuries in addition to the future risks to justify standing.
Kostner identified fraudulent charges made on his card after dining at Chang’s. While his credit card company covered the charges, Kostner spent time and effort resolving them. He also paid a little over $100 for credit monitoring. While Lewert had no out of pocket expenses, he did allege that he’d spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft.
The consequence of the Seventh Circuit’s ruling is that the class action, which seeks over $5,000,000 in damages, is permitted to proceed. And the lesson is, it doesn't take much harm to satisfy the standing requirement. Any business that accepts credit card payments (and who doesn’t?) should take note.