[BreachExchange] Back at it Again (with Standing Opinions): Seventh Circuit Reiterates Article III Standing in Data Breach Class Actions

Wed Apr 20 20:06:09 EDT 2016

http://www.natlawreview.com/article/back-it-again-standing-opinions-seventh-circuit-reiterates-article-iii-standing-data

On July 20, 2015, the Seventh Circuit issued its opinion in *Remijas v.
Neiman Marcus Group*, 794 F. 3d 688 (7th Circ. 2015), which immediately
became the low-water mark for Article III standing in data breach cases. In
short, *Remijas *became the first Circuit decision to expressly and
expansively recognize that risk of future injury and time and money spent
protecting against identity theft as a result of a data breach were
sufficient to confer Article III standing.

In a blog post shortly thereafter, we discussed the import of *Remijas*
<http://www.natlawreview.com/article/barbarians-gate-seventh-circuit-finds-article-iii-standing-data-breach-class-actions>
going forward in data breach class actions.  Notably, we predicted that, in
light of *Remijas*’s sea change in Article III standing, certifiability and
causation would be the next frontier for data breach class actions.

On April 14, 2016, the Seventh Circuit again reiterated its expansive view
of Article III standing, and again foreshadowed that Article III standing
is, quite literally, just the beginning for data breach plaintiffs.  In *Lewart
v. P.F. Chang’s China Bistro, Inc.*, the Seventh Circuit hammered home its
holding in *Remijas*, stating that:

   -

   “[T]he increased risk of fraudulent credit-or debit-card charges, and
   the increased risk of identity theft” are sufficient to confer Article III
   standing;
   -

   “[T]ime and money the class members predictably spent resolving
   fraudulent charges” is sufficient to confer Article III standing; and
   -

   “[T]he time and money customers spent protecting against future identity
   theft or fraudulent charges” is sufficient to confer Article III standing.

These allegations of harm, in most data breach class action complaints, are
boilerplate.  In other words, the Seventh Circuit has made Article III
standing in data breach actions in its Circuit a mere formality.  That
said, this victory for the plaintiffs’ bar is pyrrhic at best.

The facts of the *P.F. Chang’s *breach amply demonstrate that causation
will be a potentially insurmountable hurdle for data breach plaintiffs.
Specifically, P.F. Chang’s determined that “only 33 stores were affected”
by the breach—and the plaintiffs dined at none of them.  While the Court
punted as to this “factual dispute about the scope of the breach,” it
foretells a dark future for the plaintiffs.  Apart from the obvious impact
on the plaintiffs’ individual claims, the plaintiffs could not conceivably
be typical and adequate representatives of the class of consumers that did
dine at those 33 affected stores.  This issue—in addition to, as the
*Remijas* Court noted, the differences in bank reimbursement
policies—highlights the myriad problems with certifying and prevailing on
the merits of a data breach class action.

At the end of the day, while the Seventh Circuit may have all but removed
the Article III standing arrow from defendants’ quivers, the Court has laid
the groundwork for defeating data breach class actions at either an early
summary judgment or class certification.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160420/f33ced5e/attachment.html>