On December 10, 2014, a United States District Court in the Northern District of Illinois dismissed the class action complaints filed by two customers of P.F. Chang’s China Bistro who alleged damages resulting from a data security breach that affected 33 P.F. Chang’s restaurants in 18 states.1 The plaintiffs asserted that P.F. Chang’s alleged failure to comply with reasonable data security standards breached an implied contract with its customers to protect their credit card information and also constituted a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The court granted P.F. Chang’s motion to dismiss the claims on the basis that the plaintiffs failed to allege they suffered an injury sufficient to establish standing.
The plaintiffs—two P.F. Chang’s customers—filed suit against P.F. Chang’s following P.F. Chang’s June 12, 2014 announcement of a data security breach involving the theft of customers’ credit and debit card data. The plaintiffs alleged that they had incurred several types of damages stemming from P.F. Chang’s data security breach. First, the plaintiffs alleged that their purchase from P.F. Chang’s included a charge for the protection of their personal information, and that by virtue of P.F. Chang’s failure to provide that protection, the plaintiffs had overpaid for those services. The plaintiffs also claimed monetary damages for losses arising from fraudulent charges and resulting bank fees. They claimed an opportunity cost for the inability to accrue rewards points during the time it took to cancel and replace their stolen credit cards. Finally, the plaintiffs claimed damages due to the costs associated with identity theft and the increased risk of identity theft. P.F. Chang’s moved to dismiss the complaint, arguing that the plaintiffs failed to allege an injury sufficient to confer standing.
In a seven-page opinion, U.S. District Judge John W. Darrah addressed each claim of damages, assessing whether the allegation of injury was sufficient to confer standing on the plaintiffs. The court first held that the allegation of overpayment did not state an injury because the plaintiffs did not allege that P.F. Chang’s charged a higher price for goods purchased with a credit or debit card. In addition, because the plaintiffs did not allege “an unreimbursed charge on their credit or debit card,” they failed to allege any monetary damages with respect to fraudulent charges. Finally, the court held that opportunity costs do not constitute a “cognizable injury” and that the speculation of future harm through the increased risk of identity theft was also insufficient to allege an injury in fact. Noting that “[s]tanding is an indispensable part of the plaintiff’s case,” the court dismissed the case due to the plaintiffs’ failure to allege they suffered any cognizable injury stemming from the P.F. Chang’s data security breach.
This decision comes in the wake of a Minnesota court’s denial of Target’s motion to dismiss claims by financial institutions for losses they suffered as a result of Target’s 2013 holiday-season security breach.2 The different result in Target may be due to the fact that the Minnesota decision dealt with claims against Target by financial institutions, rather than consumers. However, Target also faces a consumer class action alleging damages similar to those addressed by the Illinois court in the P.F. Chang’s case, and Target’s motion to dismiss the consumer class actions was recently argued before the Minnesota district court. Judge Darrah’s holding that the plaintiffs lacked standing in the suit against P.F. Chang’s could carry implications for the forthcoming decision from the Minnesota court on Target’s motion to dismiss its consumer class actions.