The federal Seventh Circuit Court of Appeals has reiterated its approach to standing in data breach cases: allegations of “increased risk of fraudulent charges and identity theft” are sufficient to meet the requirements for Article III standing for data breach victims in federal court. Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. Apr. 14, 2016). A copy of the opinion is available here.
The decision follows a July 20, 2015 decision by the Seventh Circuit which also reversed the lower court’s granting of a motion to dismiss based on lack of standing. Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. Jul. 20, 2015). In the Neiman Marcus decision, the appellate court addressed customer claims arising from the 2013 cyberattack on Neiman Marcus stores. The district court had dismissed the claims for lack of standing, holding that none of the damages alleged by the plaintiffs amounted to an injury in fact sufficient to confer Article III standing under Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). The Seventh Circuit reversed. (See Data Breach Plaintiffs Bag a Win on Standing — Seventh Circuit Finds Against Neiman Marcus, Jul. 28, 2015.)
Applying the same reasoning and citing its earlier Neiman Marcus ruling, the Seventh Circuit held that victims of a P.F. Chang’s data breach in 2014 similarly alleged sufficient facts to confer standing. The defendant tried to distinguish Neiman Marcus, arguing that: (1) the plaintiffs’ attempts at mitigation (the source of plaintiffs’ alleged injuries) were unreasonable; and (2) the plaintiffs’ data were not alleged to have been exposed in the breach. The court rejected both arguments. First, it noted that if the defendant wanted to present evidence as to whether the mitigation expenses alleged by plaintiffs were reasonable, “it is free to do so, but this goes to the merits.” Further, the court stated that “[a]s a matter of pleading, nothing suggests that the plaintiffs’ mitigation efforts were unreasonable.” (Slip Op. at 7.) Second, the court held that it was immaterial whether the data were or were not alleged to have been exposed. At the pleading stage, the allegations must be accepted as true and the plaintiffs “plausibly allege that their data was stolen,” which the court held is sufficient to allege an injury for standing purposes. Id. at 7-8.
The appellate court stopped short of accepting all of plaintiffs’ alleged injuries as sufficient to confer standing. For example, the court rejected the notion that the cost of the plaintiffs’ meals at P.F. Chang’s constitutes an injury. The court found no case law support for the argument that plaintiffs purportedly suffered an injury because they “would not have dined at P.F. Chang’s had they known of its poor data security.” Id. at 9. The court also rejected the argument that plaintiffs had a property right to their personally identifiable data – such that the theft of such data is analogous to the “theft of one’s car” for standing purposes. The court noted that there was no federal or state authority to support such a proposition.
The P.F. Chang’s ruling provides further guidance to parties litigating data breach standing issues in the Seventh Circuit. The decision reiterates the approach taken in Neiman Marcus, but also limits certain theories of recovery asserted by plaintiffs. The concept of what injuries a data breach victim incurs remains in flux. While the Seventh Circuit has spoken decisively on the types of allegations that are sufficient to confer standing in federal court at the pleading stage, other federal and state jurisdictions continue to grapple with the issue. Moreover, issues of actual damages calculations and trial verdicts for alleged damages remain murky and case-specific, as the data breach cases continue to work their way through the courts.