On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F. 3d 688 (7th Circ. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.
In a blog post shortly thereafter, we discussed the import of Remijas going forward in data breach class actions. Notably, we predicted that, in light of Remijas’s sea change in Article III standing, certifiability and causation would be the next frontier for data breach class actions.
On April 14, 2016, the Seventh Circuit again reiterated its expansive view of Article III standing, and again foreshadowed that Article III standing is, quite literally, just the beginning for data breach plaintiffs. In Lewart v. P.F. Chang’s China Bistro, Inc., the Seventh Circuit hammered home its holding in Remijas, stating that:
“[T]he increased risk of fraudulent credit-or debit-card charges, and the increased risk of identity theft” are sufficient to confer Article III standing;
“[T]ime and money the class members predictably spent resolving fraudulent charges” is sufficient to confer Article III standing; and
“[T]he time and money customers spent protecting against future identity theft or fraudulent charges” is sufficient to confer Article III standing.
These allegations of harm, in most data breach class action complaints, are boilerplate. In other words, the Seventh Circuit has made Article III standing in data breach actions in its Circuit a mere formality. That said, this victory for the plaintiffs’ bar is pyrrhic at best.
The facts of the P.F. Chang’s breach amply demonstrate that causation will be a potentially insurmountable hurdle for data breach plaintiffs. Specifically, P.F. Chang’s determined that “only 33 stores were affected” by the breach—and the plaintiffs dined at none of them. While the Court punted as to this “factual dispute about the scope of the breach,” it foretells a dark future for the plaintiffs. Apart from the obvious impact on the plaintiffs’ individual claims, the plaintiffs could not conceivably be typical and adequate representatives of the class of consumers that did dine at those 33 affected stores. This issue—in addition to, as the Remijas Court noted, the differences in bank reimbursement policies—highlights the myriad problems with certifying and prevailing on the merits of a data breach class action.
At the end of the day, while the Seventh Circuit may have all but removed the Article III standing arrow from defendants’ quivers, the Court has laid the groundwork for defeating data breach class actions at either an early summary judgment or class certification.