Back at it Again (with the Standing Opinions): Seventh Circuit Reiterates Article III Standing in Data Breach Class Actions

Sheppard Mullin Richter & Hampton LLP

On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F. 3d 688 (7th Circ. 2015), which immediately became the low-water mark for Article III standing in data breach cases.  In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.

In a blog post shortly thereafter, we discussed the import of Remijas going forward in data breach class actions.  Notably, we predicted that, in light of Remijas’s sea change in Article III standing, certifiability and causation would be the next frontier for data breach class actions.

On April 14, 2016, the Seventh Circuit again reiterated its expansive view of Article III standing, and again foreshadowed that Article III standing is, quite literally, just the beginning for data breach plaintiffs.  In Lewart v. P.F. Chang’s China Bistro, Inc., the Seventh Circuit hammered home its holding in Remijas, stating that:

  • “[T]he increased risk of fraudulent credit-or debit-card charges, and the increased risk of identity theft” are sufficient to confer Article III standing;
  • “[T]ime and money the class members predictably spent resolving fraudulent charges” is sufficient to confer Article III standing; and
  • “[T]he time and money customers spent protecting against future identity theft or fraudulent charges” is sufficient to confer Article III standing.

These allegations of harm, in most data breach class action complaints, are boilerplate.  In other words, the Seventh Circuit has made Article III standing in data breach actions in its Circuit a mere formality.  That said, this victory for the plaintiffs’ bar is pyrrhic at best.

The facts of the P.F. Chang’s breach amply demonstrate that causation will be a potentially insurmountable hurdle for data breach plaintiffs.  Specifically, P.F. Chang’s determined that “only 33 stores were affected” by the breach—and the plaintiffs dined at none of them.  While the Court punted as to this “factual dispute about the scope of the breach,” it foretells a dark future for the plaintiffs.  Apart from the obvious impact on the plaintiffs’ individual claims, the plaintiffs could not conceivably be typical and adequate representatives of the class of consumers that did dine at those 33 affected stores.  This issue—in addition to, as the Remijas Court noted, the differences in bank reimbursement policies—highlights the myriad problems with certifying and prevailing on the merits of a data breach class action.

At the end of the day, while the Seventh Circuit may have all but removed the Article III standing arrow from defendants’ quivers, the Court has laid the groundwork for defeating data breach class actions at either an early summary judgment or class certification.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.