[BreachExchange] Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed

Mon Apr 18 19:02:54 EDT 2016

http://www.natlawreview.com/article/seventh-circuit-relying-defendant-s-post-breach-statements-allows-data-breach-class#sthash.i8I4GsQW.dpuf

Last week, the Seventh Circuit handed down another friendly ruling for data
breach class action plaintiffs, reversing a district court’s dismissal of a
class action complaint over a 2014 data breach at P.F. Chang’s
restaurants.  In reversing the district court’s holding that the plaintiffs
had not demonstrated Article III standing, the Seventh Circuit ruled that
the risk of future fraudulent charges and identity theft created by the
breach as reported by P.F. Chang’s constituted a “certainly impending”
future injury sufficient to confer Article III standing.  This decision
builds on an earlier ruling from the Seventh Circuit that revived a data
breach suit filed against Neiman Marcus, and will create further incentives
for future plaintiffs to file data breach class action lawsuits in the
federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally
possible.

The class action against P.F. Chang’s (Lewert v. P.F. Chang’s China Bistro)
stems from a breach of the computer systems at P.F. Chang’s restaurants,
announced in June 2014.  The breach resulted in the theft of credit and
debit card information belonging to consumers who dined at certain P.F.
Chang’s restaurants.  Although P.F. Chang’s initial announcement of the
breach indicated that the restaurant chain was not certain how many
locations had been affected, P.F. Chang’s later announced in August 2014
that the breach had only affected thirty-three restaurant locations.

The two plaintiffs in Lewert both ate at a P.F. Chang’s restaurant that was
not included in the list of affected locations, but both brought claims for
the breach.  One plaintiff observed four fraudulent charges on the debit
card shortly after dining at PF Chang’s, cancelled his card, and purchased
a credit monitoring service.  The other plaintiff “spent time and effort”
monitoring his credit report and credit card statements after hearing about
the breach.  The district court dismissed the suit on Article III grounds,
holding that the allegations of future harm of identity theft or fraudulent
charges were too speculative to satisfy Article III.

The Seventh Circuit, however, held that these allegations were sufficient
to demonstrate Article III standing, relying on its July 2015 holding in
Remijas v. Neiman Marcus Group in the process.  In Remijas, the Seventh
Circuit held that the increased risk of fraudulent charges or identity
theft following a data breach affecting the plaintiffs’ credit or debit
card information could satisfy the post-Clapper “certainly impeding”
standard for Article III standing.  Although P.F. Chang’s argued that
Remijas could be distinguished on the grounds that P.F. Chang’s, unlike
Neiman Marcus, disputed whether the plaintiffs’ information was disclosed
in the breach, the Seventh Circuit disagreed.  Instead, the Seventh Circuit
held that the plaintiffs had “plausibly alleged” that their data was
stolen, because P.F. Chang’s initial statement regarding the breach was
directed to all P.F. Chang’s customers and did not distinguish between
restaurant locations.  As the court stated, when “the corporation reacts as
if that breach could affect all of its locations, it is certainly plausible
that all of its locations were in fact affected.”  The court characterized
P.F. Chang’s assertions that only thirty-three restaurants were affected as
a “factual dispute” that should be resolved at a later stage in the case.

The Seventh Circuit pointed to several post-breach statements made by P.F.
Chang’s as the primary basis for its holdings, including statements about
the scope of the breach and advice to affected individuals.  The court’s
holding not only establishes the Seventh Circuit as friendly territory for
data breach class action plaintiffs, but also highlights the importance of
thoroughly vetting communications to consumers following a data breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160418/2fc10bdc/attachment.html>