Data Protection Report - Norton Rose Fulbright

After a district court dismissed a lawsuit filed by customers of restaurant chain P.F. Chang’s China Bistro whose payment card information was stolen during a data breach, the 7th Circuit Court of Appeals has revived the suit.  In a ruling last week, the appellate panel found that customers whose payment card information was stolen in the breach have standing to sue, even if they don’t allege any actual losses from identity theft or payment card fraud.

The plaintiffs contend that they suffered various types of harm as a result of the security breach at P.F. Chang’s, including an increased risk of identity theft and the time and expense they incurred to monitor their accounts for identity theft.  One plaintiff also alleged that a fraudulent charge was attempted on his debit card shortly after the breach, though he suffered no financial losses because the bank caught and rejected the charge and the plaintiff promptly cancelled the card.

Article III of the U.S. Constitution requires plaintiffs in federal court to demonstrate an “actual controversy” – that they have “suffered a concrete and particularized injury that is fairly traceable to the challenged conduct.”  The majority of courts that have considered standing issues in similar data breach cases, where plaintiffs only allege that their information has been compromised, but not that they subsequently suffered identity theft or fraud, have dismissed the suits.   These courts have held that allegations of an increased threat of future identity theft and fraud or the expenditure of costs to mitigate potential harm (like credit monitoring) do not constitute a concrete injury-in-fact for Article III standing.

The 7th Circuit’s opinion in P.F. Chang’s builds upon its July 2015 ruling in Remijas v. Neiman Marcus, where it went against the majority grain to hold that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

P.F. Chang’s had attempted to distinguish its case from Neiman Marcus by arguing that, unlike in the latter case, the data breach it suffered did not expose data that would increase the risk of identity theft for impacted persons, just of potential fraudulent charges on the impacted cards.  P.F. Chang’s also contested whether the plaintiffs’ card information was actually among that which was stolen during the breach.  The 7th Circuit held that both assertions were based on factual assumptions that go to the merits of the case but did not impact the standing analysis.  Otherwise, the court found that the P.F. Chang’s plaintiffs had alleged the same risk of future injuries as the Neiman Marcus plaintiffs – the increased risk of fraudulent charges and identity theft – which are, in the 7th Circuit’s view, concrete enough to support standing.

Our Take

The 7th Circuit is an outlier in this space.  The few courts that have agreed that plaintiffs need not allege actual fraud or identity theft to survive motions to dismiss for lack of standing have required something more than the mere theft of personal or payment card data alone.  For example, in the Sony Gaming Networks data breach case, the Southern District of California found there to be a “credible threat of impending harm” after the theft of customer data because it was publicly posted following the breach.  Similarly, Adobe Systems, Inc.’s motion to dismiss a data breach class action against it was rejected by the Northern District of California due to the sophisticated nature of the attack and because the stolen data was known to be decrypted and had surfaced on websites used by hackers.  In both cases, the elevated exposure of the data pushed the plaintiffs’ allegations of harm from attenuated speculation to “credible threat(s) of impending harm.”  As another example, in the Target data breach litigation, the court found that plaintiffs had alleged actual harm in the form of unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.

Though it is in the minority, the 7th Circuit’s holdings in Neiman Marcus and now P.F. Chang’s may stifle the trend of conscientious companies being overly expansive when selecting the scope of persons to alert about breaches and the credit monitoring services they will provide free of charge.  In Neiman Marcus, the court pointed to the fact that the company had offered to pay customers for credit monitoring services as evidence itself that the plaintiffs had suffered a concrete injury.  And in P.F. Chang’s, the court pointed to the company’s first post-breach statement (which cautiously alerted customers who had dined at all of its U.S. locations that their information could have been compromised) as creating a factual dispute about the scope of the breach, even though its subsequent forensic analysis evidently showed that only 33 stores, none of which the plaintiffs had dined at, were impacted.

* Mia Havel is admitted to practice law in Massachusetts and the District of Columbia. Her practice is supervised by principals of the firm admitted in Colorado.
