Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here. The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation. The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.

The Data Breach

The P.F. Chang’s data breach follows a common storyline. On June 12, 2014, P.F. Chang’s announced that unauthorized actors had breached its systems and compromised customer credit and debit cards. The company posted a notice to its website informing all customers who had dined at any P.F. Chang’s location. At the time, P.F. Chang’s had not yet completed its investigation and could not identify the scope of affected restaurants. As a precautionary measure, P.F. Chang’s temporarily switched to a manual card-processing system at all locations across the continental United States.

Almost immediately (on June 25), the plaintiffs filed class action lawsuits against P.F. Chang’s in the Northern District of Illinois. Notably, the two named plaintiffs both dined at a P.F. Chang’s restaurant in Northbrook, Illinois, which P.F. Chang’s claimed was later determined to have been unaffected by the breach (i.e., not among the 33 restaurants from which card data was stolen). One plaintiff alleged he saw unauthorized charges on his debit card statement shortly after the announced breach, cancelled his card, and paid $107 for a credit monitoring service. The other plaintiff had no fraudulent debit card charges, but alleged that he spent time and effort monitoring his card statements and credit reports.

Court Tracks Neiman Marcus, Finds Present and Imminent Future Injuries

In reversing the district court’s dismissal, the Seventh Circuit examined both future and present injuries, and held that both were sufficient to support standing.

Future Injuries: Relying on its prior decision in Neiman Marcus, the Seventh Circuit found that the alleged future injuries were “imminent” because P.F. Chang’s had acknowledged a data breach, and thus it was reasonable to “infer a substantial risk of harm . . . because a primary incentive for hackers is ‘sooner or later[] to make fraudulent charges or assume those consumers’ identities.” These alleged injuries as to both named plaintiffs (one who had experienced fraudulent charges and the other who had not) were sufficient to establish standing, just as they were in Neiman Marcus.[1] Other putative class members, the court ruled, would be “in the same position as one or the other named plaintiff.”

Present Injuries: On standing to sue for present injuries analyzed the reasonableness of the two named plaintiffs’ remedial steps—expending time and effort to reverse fraudulent charges and procuring identity theft monitoring services, and spending time monitoring account activity, respectively. P.F. Chang’s had argued that plaintiffs should not have expended time or money to guard against identity theft because unlike in Neiman Marcus and other breaches, P.F. Chang’s breach posed a risk only of fraudulent charges to affected cards, not of identity theft.

The Seventh Circuit rejected that argument, pointing to what it described as P.F. Chang’s “implicit” admission that card data could be used to open new cards because P.F. Chang’s “encouraged consumers to monitor their credit reports (in part for new-account activity) rather than simply the statements for existing affected cards.” Thus, the company’s cautionary reminder to monitor credit reports—a statement that many states statutorily require companies to include in breach notifications—rendered the plaintiffs’ purchase of credit monitoring service and efforts to guard against identity theft reasonable mitigation for the breach.[2] The court made this finding even though it earlier noted that in the case of the plaintiff who had seen fraudulent card charges, his bank had blocked those charges.

The court also held that the named plaintiffs plausibly alleged that their data was actually stolen, even though P.F. Chang’s later determined that the Northbrook, Illinois, restaurant where they dined was not compromised in the breach. Again, the court relied on two of P.F. Chang’s communications as evidence to support the inference that all customers, regardless of restaurant, may have been affected: first, P.F. Chang’s June 2015 announcement, made before the investigation was completed, which was addressed to customers from “all of its stores”; and second, P.F. Chang’s decision to temporarily switch to manual card processing. The court reasoned as follows: “When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts [by implementing a universal, though temporary, switch to manual card-processing in all locations], it is certainly plausible that all of its locations were in fact affected.” In other words, even though neither plaintiff had unreimbursed charges on their payment cards, and even though P.F. Chang’s investigation showed that the named plaintiffs did not dine at an affected location, the court, citing P.F. Chang’s post-breach actions and statements, found that the plaintiffs “plausibly” alleged that their data was stolen under Twombly pleading standards. Any argument made by P.F. Chang’s to the contrary “creates a factual dispute about the scope of the breach [to be addressed at a later stage of the litigation], but it does not destroy standing.”

What Does This Opinion Mean?

The P.F. Chang’s opinion is troubling in a number of respects, most significantly because (once again) the court looked to post-breach activities to draw inferences about harm to individuals, and used specific post-breach statements to support those inferences. In the wake of a data breach, a host of legal, ethical, and reputational considerations drive hard decisions about communicating with the affected (and potentially affected) populations. First, state breach notification rules—some of which proscribe specific contents in notification communications—encourage, and at times require, quick notification to consumers in order to give consumers a chance to take steps to mitigate any potential risk. State Attorneys General and other regulators champion speedy notification (and can be very critical when notifications take “unreasonably” long), and because a company is usually required to note the date the incident was discovered, there is tremendous pressure to communicate and notify early. Second, the conventional practice is to communicate in a way that treats all customers fairly and equally—even if doing so results in over-notification beyond the affected population—and to provide a certain level of transparency. As a result, it is common for companies to err on the side of early and broad notification even before all of the facts are known. The P.F. Chang’s decision, and the Neiman Marcus opinion before that, upends that conventional thinking, and should force companies to think very carefully about what and how they communicate, and to whom. Here are some considerations for companies in a post-P.F. Chang’s world:

  • Early Announcements Are Risky. P.F. Chang’s serves as a cautionary tale for making public announcements regarding a security incident before the internal and forensic investigation is complete. To the extent that reputational and other considerations demand early communications, organizations should be very careful in disseminating information too broadly (e.g., sending an e-mail alert to all employees about a potential security incident) or in over-disclosing to external stakeholders. Organizations should also anticipate (and even embrace) the predictable tension between the communications team and the legal team on what should be said, when, and to whom. This is a healthy process that will result in a risk-appropriate communication strategy.
  • One Size May Not Fit All For Precautionary Messages. It is critical to understand the nuances of the state-specific notification requirements. Many states (including Hawaii, Michigan, Missouri, North Carolina, Vermont, Virginia and Wyoming) explicitly require that the reporting company include specific recommendations to consumers on risk mitigation, including an admonition to monitor credit reports. These statements are not optional.[3] However, notwithstanding variations across state rules, a commonly accepted practice is for organizations to issue a standard notification that complies with substantially all of the states’ various requirements (except Massachusetts), and supplement certain notifications based on state-specific requirements (e.g., instructions on contacting a specified state agency/regulator). This means that all of the various state-required language and disclosures are often provided to all individuals, even if not entirely applicable. Although they often reflect sound security practices that consumers should follow in any circumstance, organizations should recognize the risk in delivering risk mitigation recommendations, and perhaps provide them only to consumers whose states’ law explicitly requires it.
  • Carefully Identify and Describe Protective Measures. Certain state statutes require disclosure of the measures taken to contain, mitigate or minimize the incident. For example, Michigan requires that the company “generally describe what the [company] providing the notice has done to protect data from further security breaches.” Wyoming requires a description in general terms of “the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches.” Similar requirements exist in North Carolina, Vermont and Virginia. It was these statements, however, that the Seventh Circuit used in P.F. Chang’s to infer the scope of individuals who were affected. Thus, although statutorily required, P.F. Chang’s demonstrates how organizations should thoughtfully articulate the containment/remedial measures taken in response to an incident. Indeed, just as in P.F. Chang’s, in certain situations taking a potentially affected system offline can be an effective containment and mitigation strategy that helps to protect consumers, but communicating that measure should be done carefully, with analysis of the downstream effects that such statements may have.

Ultimately, one can question the Seventh Circuit’s policy decision to use state-required notification statements to infer harm (both present and future), but given the Court’s opinion, no one should question the need to carefully consider how the timing and content of post breach communications may affect litigation strategy and tactics.