<div dir="ltr"><a href="http://www.natlawreview.com/article/back-it-again-standing-opinions-seventh-circuit-reiterates-article-iii-standing-data">http://www.natlawreview.com/article/back-it-again-standing-opinions-seventh-circuit-reiterates-article-iii-standing-data</a><br><p class="">On July 20, 2015, the Seventh Circuit issued its opinion in <strong><i>Remijas v. Neiman Marcus Group</i></strong>,
794 F. 3d 688 (7th Circ. 2015), which immediately became the low-water
mark for Article III standing in data breach cases. In short, <i>Remijas </i>became
the first Circuit decision to expressly and expansively recognize that
risk of future injury and time and money spent protecting against
identity theft as a result of a data breach were sufficient to confer
Article III standing.</p>
<p class="">In a blog post shortly thereafter, we <a href="http://www.natlawreview.com/article/barbarians-gate-seventh-circuit-finds-article-iii-standing-data-breach-class-actions">discussed the import of <i>Remijas</i></a> going forward in data breach class actions. Notably, we predicted that, in light of <i>Remijas</i>’s sea change in Article III standing, certifiability and causation would be the next frontier for data breach class actions.</p>
<p class="">On April 14, 2016, the Seventh Circuit again
reiterated its expansive view of Article III standing, and again
foreshadowed that Article III standing is, quite literally, just the
beginning for data breach plaintiffs. In <strong><i>Lewart v. P.F. Chang’s China Bistro, Inc.</i></strong>, the Seventh Circuit hammered home its holding in <i>Remijas</i>, stating that:</p>
<ul><li>
<p class="">“[T]he increased risk of fraudulent credit-or
debit-card charges, and the increased risk of identity theft” are
sufficient to confer Article III standing;</p>
</li><li>
<p class="">“[T]ime and money the class members predictably
spent resolving fraudulent charges” is sufficient to confer Article III
standing; and</p>
</li><li>
<p class="">“[T]he time and money customers spent protecting
against future identity theft or fraudulent charges” is sufficient to
confer Article III standing.</p>
</li></ul><p class="">These allegations of harm, in most data
breach class action complaints, are boilerplate. In other words, the
Seventh Circuit has made Article III standing in data breach actions in
its Circuit a mere formality. That said, this victory for the
plaintiffs’ bar is pyrrhic at best.</p>
<p class="">The facts of the <i>P.F. Chang’s </i>breach amply
demonstrate that causation will be a potentially insurmountable hurdle
for data breach plaintiffs. Specifically, P.F. Chang’s determined that
“only 33 stores were affected” by the breach—and the plaintiffs dined at
none of them. While the Court punted as to this “factual dispute about
the scope of the breach,” it foretells a dark future for the
plaintiffs. Apart from the obvious impact on the plaintiffs’ individual
claims, the plaintiffs could not conceivably be typical and adequate
representatives of the class of consumers that did dine at those 33
affected stores. This issue—in addition to, as the <i>Remijas</i> Court
noted, the differences in bank reimbursement policies—highlights the
myriad problems with certifying and prevailing on the merits of a data
breach class action.</p>
<p class="">At the end of the day, while the Seventh Circuit
may have all but removed the Article III standing arrow from defendants’
quivers, the Court has laid the groundwork for defeating data breach
class actions at either an early summary judgment or class
certification.</p><br></div>