Seventh Circuit (Again) Finds Consumers Have Standing To Sue Over Data Breaches

Patterson Belknap Webb & Tyler LLP

On April 14, 2016, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company.  Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.

In June 2014, P.F. Chang’s announced that its computer system had been breached and that some consumer credit- and debit-card data had been stolen.  In August 2014, the company clarified that data had been stolen from just 33 of its restaurants.  Two plaintiffs brought a class action against P.F. Chang’s based on the data breach.

One of the named plaintiffs had dined at P.F. Chang’s, noted fraudulent charges on his debit card, and then purchased a credit-monitoring service.  The other named plaintiff dined at P.F. Chang’s, but did not spot any fraudulent transactions and did not purchase credit monitoring. He did, however, claim that he spent time and effort reviewing his card statements and credit reports after P.F. Chang’s announced the breach.  Neither of the named plaintiffs dined at one of the 33 restaurants that P.F. Chang’s identified as having been affected by the breach.

The Seventh Circuit concluded that both plaintiffs had adequately alleged standing to sue.  First, the court reasoned that both faced an increased risk of fraudulent charges and identity theft, and that this heightened risk satisfied the “certainly impending” standard of Clapper v. Amnesty International USA.  Second, the court held that the time, effort, and (for one plaintiff) money spent monitoring statements and credit reports were cognizable, presently existing injuries.

P.F. Chang’s had argued that neither plaintiff dined at one of the 33 restaurants affected by the data breach.  The court concluded that this was immaterial at the pleadings stage, and that the extent of the data breach was a disputed question of fact.  Since P.F. Chang’s had chosen to direct its initial notice about the breach to diners at all of its restaurants, the court found it “plausible that all of its locations were in fact affected.”

Like Remijas before it, Lewart creates difficult choices for businesses in the event of a data breach.  Remijas found a plausible injury in part because the defendant had taken the initiative to provide affected consumers with free fraud-protection services.  In that case, the Seventh Circuit reasoned that a company would not offer such services if the risk of fraudulent charges or identity theft were not great.  Now, in Lewart, the Seventh Circuit has found a plausible injury in part because the defendant warned more consumers than turned out to be necessary.

When a data breach occurs, companies that do business in the Seventh Circuit should carefully consider how their post-breach conduct will be viewed in the event they are sued and the plaintiff’s standing is challenged.  What may seem like good customer service at the time or erring on the side of caution could later be construed by a court as “evidence” that the threat to consumers was sufficiently serious to support standing, at least in the early stages of a case.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.