Yesterday, the Seventh Circuit held in Lewert v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company. Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewert is not particularly surprising.
In June 2014, P.F. Chang’s announced that its computer system had been breached and that some consumer credit- and debit-card data had been stolen. In August 2014, the company clarified that data had been stolen from just 33 of its restaurants. Two plaintiffs brought a class action against P.F. Chang’s based on the data breach.
One of the named plaintiffs had dined at P.F. Chang’s, noted fraudulent charges on his debit card, and then purchased a credit-monitoring service. The other named plaintiff dined at P.F. Chang’s, but did not spot any fraudulent transactions and did not purchase credit monitoring. He did, however, claim that he spent time and effort reviewing his card statements and credit reports after P.F. Chang’s announced the breach. Neither of the named plaintiffs dined at one of the 33 restaurants that P.F. Chang’s identified as having been affected by the breach.
The Seventh Circuit concluded that both plaintiffs had adequately alleged standing to sue. First, the court reasoned that both faced an increased risk of fraudulent charges and identity theft, and that this heightened risk satisfied the “certainly impending” standard of Clapper v. Amnesty International USA. Second, the court held that the time, effort, and (for one plaintiff) money spent monitoring statements and credit reports were cognizable, presently existing injuries.
P.F. Chang’s had argued that neither plaintiff dined at one of the 33 restaurants affected by the data breach. The court concluded that this was immaterial at the pleadings stage, and that the extent of the data breach was a disputed question of fact. Since P.F. Chang’s had chosen to direct its initial notice about the breach to diners at all of its restaurants, the court found it “plausible that all of its locations were in fact affected.”
Like Remijas before it, Lewert creates difficult choices for businesses in the event of a data breach. Remijas found a plausible injury in part because the defendant had taken the initiative to provide affected consumers with free fraud-protection services. In that case, the Seventh Circuit reasoned that a company would not offer such services if the risk of fraudulent charges or identity theft were not great. Now, in Lewert, the Seventh Circuit has found a plausible injury in part because the defendant warned more consumers than turned out to be necessary.
When a data breach occurs, companies that do business in the Seventh Circuit should carefully consider how their post-breach conduct will be viewed in the event they are sued and the plaintiff’s standing is challenged. What may seem like good customer service at the time or erring on the side of caution could later be construed by a court as “evidence” that the threat to consumers was sufficiently serious to support standing, at least in the early stages of a case.