19 April 2016
On April 14, 2016, the United States Court of Appeals for the Seventh Circuit held that the two plaintiffs in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. Apr. 14, 2016) have standing to pursue claims arising from a 2014 data breach suffered by that restaurant chain. The court, in an opinion written by Chief Judge Diane Wood, reversed the district court’s dismissal of this putative class action for lack of standing in light of Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). The decision in Lewert thus reaffirms Remijas and further clarifies the law of standing in data breach actions in the Seventh Circuit. While the effect of Remijas and Lewert on litigation in other circuits remains to be seen, the Seventh Circuit’s decision in Lewert is likely to be another significant point of reference for data breach litigants going forward.
The Lewert action arose out of the compromise of payment card systems at P.F. Chang’s restaurants in 2014. The two plaintiffs had dined at a P.F. Chang’s restaurant in Illinois prior to the announcement of the breach. One plaintiff did not incur fraudulent charges or cancel his card but spent time monitoring his card statements and credit report after he saw the restaurant’s press release. Another plaintiff experienced four fraudulent charges on his debit card, cancelled his card and purchased a credit monitoring service. Both plaintiffs subsequently filed suit. The district court consolidated the suits before dismissing them for failure to allege injury and thus Article III standing.
The panel expressly relied upon the Seventh Circuit’s holding in Remijas in finding that the two plaintiffs in Lewert had alleged both present injuries and future injuries that were sufficiently “imminent” to support standing. Because one plaintiff had not cancelled his card, the court concluded that he was still at risk of both fraud and identity theft. And the court concluded that the other plaintiff faced a risk of identity theft even though he had cancelled his card. The plaintiffs alleged present injury, in the court’s judgment, through the fraudulent charges and credit monitoring charges one plaintiff sustained, as well as the time and effort both of them spent responding to the risks and harms imposed by the breach. While the court noted various factual disputes that could ultimately negate the plaintiffs’ claims of actual injury—e.g., whether their debit card numbers were in fact among the data compromised in the breach and whether the plaintiffs’ faced any actual risk of identity theft—the court found the allegations sufficient at the pleading stage. (The court expressed skepticism toward, but ultimately declined to consider, whether the other injuries the plaintiffs alleged were sufficient to establish standing. For example, the plaintiffs had alleged injuries based on the cost of their meals at P.F. Chang’s on the theory that they would not have dined there had they known about its supposedly poor data security.)
Having found the allegations of “immediate and concrete injuries sufficient to support Article III standing[,]” the court proceeded to find the plaintiffs’ allegations of the other elements of Article III standing—causation and redressability—to be sufficient at the pleading stage. On that basis, the court reversed and remanded the case to the district court. The Seventh Circuit declined to address the restaurant chain’s argument that the plaintiffs had failed to state a claim upon which relief could be granted. (The district court did not previously reach those arguments.)
The Seventh Circuit’s decision in Lewert provides another guidepost for data breach litigation going forward. While its effect on other data breach actions remains to be seen, it serves as a reminder that case law in this area continues to develop, raising further questions for companies managing legal risks arising from criminal cyber attacks upon their systems.