P.F. Chang’s has a reason to celebrate this holiday season: A judge recently dismissed a data breach class action lawsuit against the Chinese-inspired food restaurant chain citing the failure of the two plaintiffs in describing any injury for which relief could be granted. The ruling itself is available here.
In the action, the plaintiffs John Lewert and Lucas Kosner filed a class action complaint against P.F. Chang’s arising from a data breach involving theft of customers’ credit card and debit card data. The plaintiffs alleged that P.F. Chang’s had failed to comply with reasonable security standards arising from the data breach, which one report estimated that nearly seven million cards were compromised as a result of the breach, dating as far back as September 18, 2013.
Following the discovery by the U.S. Secret Service of the data compromise, it was confirmed by P.F. Chang’s that identity thieves had used personal identifying data to steal individual’s identities and open financial accounts and receive government benefits under those names, inter alia.
In the lawsuit, the plaintiffs had alleged that they incurred several types of damages in that they overpaid for products/services purchased from P.F. Chang’s, which included overpayment for putative compliance with industry standard measures for the collection and safeguarding of personally identifiable information. The plaintiffs also claimed that they had suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. The plaintiffs further claimed damages arising from costs associated with identity theft and the increased risk of identity theft, and claimed opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards.
In ruling on P.F. Chang’s motion to dismiss, the court did not deny there was a theft of customers’ credit card information from the security breach. However, the court relied on authority that future injury regarding the release of data is not a current injury in fact. Accordingly the court ruled that the plaintiffs had suffered no injury and found unconvincing the argument that the plaintiffs had been overcharged since there was no indication that P.F. Chang’s had charged more for people who paid via credit/debit cards as compared to those who paid by cash.
The court also ruled that there was no economic injury involved with the time the plaintiffs incurred to replace any credit card and so no opportunity costs or damages arose from this aspect. Finally, the court held that a party cannot manufacture standing unless they can show that the harm of identity theft is imminent. The court found that the potential threat of identity theft was eliminated after the customers in this case cancelled the cards that were involved in the security breach.
This ruling is being appealed to the Seventh Circuit. We will continue to monitor the impact of this ruling on future data breaches involving similar factual and legal issues.