This guest post was authored by our colleague Stephen A. Grossman, a partner and chair of Montgomery McCracken’s Data Privacy and Cybersecurity practice, and co-chair of its E-Discovery practice. He can be reached at sgrossman@mmwr.com or 856-488-7767.

We have previously written here and here on the evolution of standing in data breach/theft cases. P.F. Chang’s China Bistro is the latest defendant to lose its bid to dismiss a class-action complaint for lack of standing. Last Thursday, the 7th Circuit Court of Appeals revived plaintiffs’ consolidated complaints against P.F. Chang’s arising out of the restaurant’s disclosure on June 12, 2014 that a data breach resulted in the theft of customers’ credit-card and debit-card data for an unspecified number of accounts. P.F. Chang’s announced later that summer on August 4, 2014 that data was stolen from 33 of its 204 U.S.-based restaurants.

Both plaintiffs – Lucas Kosner and John Lewert – dined at P.F. Chang’s and paid with their debit cards two months before the restaurant disclosed the data breach. Kosner later found four fraudulent transactions on his debit card and cancelled it. After learning about the data breach, Kosner believed his debit-card data were among those compromised. He then purchased a credit monitoring service to protect against identity theft, spending $106.89. Lewert, however, had no fraudulent charges. Instead, he spent “time and effort monitoring his card statements and his credit report” to ensure that no fraudulent charges or accounts appeared. Kosner and Lewert, however, did not dine at one of the 33 restaurants involved in the breach.

P.F. Chang’s moved to dismiss plaintiffs’ complaints for lack of standing and for failure to state a cause of action, the latter of which the District Court did not address. Instead, the District Court dismissed plaintiffs’ complaints, concluding that plaintiffs had not alleged a sufficient injury-in-fact. To establish Article III standing, plaintiffs must demonstrate that the injury they suffered is (i) concrete and particularized; (ii) fairly traceable to the challenged conduct; and (iii) likely to be redressed by a favorable judicial decision. An injury that is “certainly impending” can establish injury in fact for the purposes of standing, but “[a]llegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013). The District Court found that the harm suffered, if any, was not imminent or “certainly impending” to establish an injury-in-fact because (i) plaintiffs had not suffered any unreimbursed damages for the fraudulent charges; (ii) identity theft had not occurred; and (iii) identity theft protection was not necessary and incurring such costs “in anticipation of non-imminent harm” “cannot manufacture standing.”

The 7th Circuit Court of Appeals reversed “in light of” its decision in Remijas v. Neiman Marcus Group (issued after the District Court’s dismissal in P.F. Chang’s), which we reported on here. Chief Judge Wood (who also wrote the Neiman Marcus opinion) outlined the injuries that are “concrete and particularized enough to support Article III standing” if the data breach has already occurred:

  1. The increased risk of fraudulent credit- or debit-card charges;
  2. The increased risk of identity theft;
  3. The time and money customers predictably spent resolving fraudulent charges (even if the bank ultimately repaid those charges), as well as in the identity theft that had already occurred; and
  4. The time and money customers spent protecting against future identity theft or fraudulent charges.

In short, when a data breach has already occurred, mitigation expenses qualify as “actual injuries” because the risks of identity theft and fraudulent charges are sufficiently immediate to justify mitigation efforts.

The Court of Appeals found that several of Kosner and Lewert’s alleged injuries fit within those categories, particularly the increased risk of fraudulent charges and identity theft because their data had already been stolen. In addition, P.F. Chang’s did not dispute under Neiman Marcus that the time and money plaintiffs spent resolving fraudulent charges are cognizable injuries for Article III standing.

The Court of Appeals cautioned, however, that its decision was based on whether plaintiffs’ allegations – which are accepted as true for the purposes of a motion to dismiss – are plausible. Whether any compensable loss occurred or whether plaintiffs could establish causation are “question[s] for the merits” of the case. The Court of Appeals observed that P.F. Chang’s data breach disclosure addressed customers who dined at all of its restaurants and admitted initially that it did not know how many stores were affected. Even though P.F. Chang’s later concluded that only 33 of its stores were compromised, and plaintiffs did not dine at those stores, the Court of Appeals found that “[t]his creates a factual dispute about the scope of the breach, but it does not destroy standing.”

As in Neiman Marcus, the Court of Appeals used P.F. Chang’s post-breach remedial actions as a factor in whether plaintiffs demonstrated a “concrete and particularized injury that is fairly traceable” to the data breach. Further, without any evidence that customers suffered any unreimbursed fraudulent credit- or debit-card charges, the Court of Appeals speculated that other class members might.

Given the precedent of Neiman Marcus, the outcome in P.F. Chang’s is not surprising, but it does suggest that, at least in the 7th Circuit, there is a basic equation to establish standing:

Evidence of a data breach

+ Temporal customer activity to the data breach

+ Time spent protecting against future identity theft or fraudulent charges

= Article III standing

We’ll see how plaintiffs fare on remand if the District Court addresses P.F. Chang’s motion to dismiss for failure to state a claim.