[BreachExchange] Kimpton Data Breach Decision Highlights Lingering Confusion on Standing Issues

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 25 19:11:26 EDT 2017


http://www.natlawreview.com/article/kimpton-data-breach-decision-highlights-lingering-confusion-standing-issues

When data thieves steal payment card data, consumers suffer no legally
cognizable injuries.  Card issuers absorb the fraudulent charges and
replace the affected cards.  Because fraudulent charges are not billed to
consumers, they do not show up on consumers’ credit reports or otherwise
affect their credit ratings.  Moreover, because the thieves end up
possessing terminated and useless payment card numbers, they cannot inflict
any future harm. Thus, consumers have no need for credit monitoring
services – whether for free or otherwise – in the wake of a payment card
data breach.  With no out-of-pocket losses, no risk of future losses, and
no reasonable basis to expend resources on credit monitoring, a consumer
whose payment card data has been stolen has no standing to bring suit in
federal court.

Nonetheless, decisions in data breach cases show that confusion on these
standing issues persists.  One recent example is a decision finding that a
consumer has standing to sue Kimpton Hotels in connection with the theft of
payment card data from the hotel chain’s payment system between February
and July 2016. See Walters v. Kimpton Hotel & Restaurant Group, LLC, No.
16-cv-05387-VC (Apr. 13, 2017).  The plaintiff’s amended complaint alleges
that the criminals used “malicious software designed to steal credit card
data on computers that operate the payment processing systems for Kimpton
hotels and restaurants.”  Although plaintiff further alleges that Kimpton
possessed personally identifiable information about its customers, the data
theft pleaded in the amended complaint solely consisted of “collect[ed]
payment card data—cardholder name, card number, expiration date and
internal verification code.”  As Kimpton took pains to point out in its
motion to dismiss and reply brief, such payment card information – which
does not include addresses, birth dates or Social Security numbers – could
not be used to steal the plaintiff’s identity, let alone cause him any
financial loss. Because issuers bore the cost of fraud losses and had
terminated compromised accounts, Kimpton contended that plaintiff had not
suffered any actual loss and lacked any reasonable apprehension that he
might suffer a future loss.

Kimpton’s arguments eluded the court. In a terse three-page decision, the
court found that plaintiff’s allegation that he engaged in activities to
monitor his credit “are sufficient to demonstrate injury for standing
purposes.”  Misunderstanding the full import of Kimpton’s arguments, the
court went on to state that it “respectfully disagrees that a plaintiff
must actually suffer the misuse of his data or an unauthorized charge
before he has an injury for standing purposes.”  The court suggests that
there was some reasonable apprehension of future harm merely by virtue of
the data thieves’ possession of the stolen card data, notwithstanding that
there is zero risk that any terminated account could even be used, let
alone harm plaintiff’s credit rating. Based on plaintiff’s gratuitous
actions to protect himself against a non-existent threat, the court in
Walters found standing to bring a consumer payment card data breach claim.

Walters (and like-minded cases cited therein to support this result)
highlight the challenges that some courts face in understanding who may be
harmed when a data breach occurs.  Such confusion creates incentives for
plaintiffs to lard their complaints with generic allegations about the
threat of identity theft and how it can harm consumers, in hopes that
courts will conflate that unrelated crime with the smash-and-grab tactics
of payment card thieves, who steal credit and debit card numbers that will
be used for a few quick purchases before the cards are shut down.  To avoid
such confusion, lawyers defending payment card data breach cases need to
consider how to simplify standing issues in their briefing and argument, so
as to help courts understand that consumers do not bear the costs of these
crimes and, therefore, lack standing to sue.