[BreachExchange] P.F. Chang's Ruling: Is the Tide Shifting?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 21 20:32:16 EDT 2016


http://www.databreachtoday.com/pf-changs-ruling-tide-shifting-a-9054

Does a federal appellate court's decision allowing a breach-related
class-action lawsuit against restaurant chain P.F. Chang's to move forward -
and a similar, earlier decision in a case against Neiman Marcus - signal a
change in tide for post-breach lawsuits? Legal experts offer widely varying
opinions.

Last week, the Seventh Circuit Court of Appeals overturned a lower court's
ruling that rejected the case against P.F. Chang's. The higher court ruled
the case could proceed because the risk of "future injuries" suffered by
consumers impacted by the breach are "sufficiently imminent."

Back in July 2015, the Seventh Circuit also reversed a lower court's
decision to dismiss the Neiman Marcus case, which seeks damages for
consumers who had card data exposed as a result of the luxury retailer's
2013 data breach (see Is Neiman Marcus Case a Game-Changer?).

In that ruling, the court found that Neiman Marcus' decision to provide
potentially affected customers with a year of free credit monitoring and
identity theft protection amounted to acknowledgement of significant risk.
The panel also found that consumers impacted by the breach "should not have
to wait until hackers commit identity theft or credit card fraud in order
to give the class standing."

Contrasting Viewpoints

The rulings in these two cases could signal a substantial change in how
federal courts view harm in the wake of a retail breach, says cybersecurity
attorney Chris Pierson, who also serves as CISO of invoicing and payments
provider Viewpost.

But John Buzzard, the former head of FICO's Card Alert Service, who now
works as director of product management for security firm Rippleshot Fraud
Analytics, argues that the appellate court rulings won't have a lasting
impact.

Commenting on the two cases, Pierson notes: "In the [P.F. Chang's] case,
the Seventh Circuit has found that sufficiently imminent allegations of
possible future injury are present, such as the increased risk of identity
theft and increased risk of fraudulent charges. It is difficult to
reconcile the fact that federal laws already provide for mitigation of
nearly all the risk of fraudulent charges with this decision. Simply put,
customers are not liable for charges under federal law if they report them
in a timely manner, with some caveats, which are usually waived by banks."

Nevertheless, the court's determination in the P.F. Chang's case that
future injuries related to the breach were "imminent" could support the
filing of more consumer class-action suits after card breaches, Pierson
adds.

"The tides appear to be changing for data breach cases as it relates to
being able to achieve standing under Article III [of the Constitution]," he
says. "This shift is akin to environmental law cases involving the release
of toxic chemicals into ground water, where a future, but likely, impending
harm will occur. So, too, is this notion of an objective reasonable
likelihood of injury occurring that is noted in the P.F. Chang's and Neiman
Marcus cases."

Buzzard offers a far different assessment.

"I don't expect there to be a precedent-setting judgment here, but I know
that many people equate the movement through the judicial system as
positive proof that the responsible and negligent parties will be
sanctioned in some way," he says. "Instead, anticipate blustering and
posturing but not a major judgment that will have resoundingly negative
effects for years to come."

The Issue of 'Harm'

Many previous consumer class-action lawsuits claiming harm in the wake of a
payments breach have been dismissed or settled outside the courtroom.
Because issuing banks ensure consumers are not liable for fraud that
results from stolen card data, proving harm has been difficult (see No
Injury: Michaels POS Malware Lawsuit Dismissed).

"Since the application of law is based on fact, a future application of
'harm' seems a bit far-fetched," says financial fraud expert Shirley
Inscoe, an analyst at consultancy Aite. "For the good of our legal system,
it is best to stick to the proven facts of any case. And the proven fact is
that very few victims of data breaches become identity theft victims, which
is not a good argument for the litigants. Financial institutions monitor
breached cards carefully or replace them, so fraudulent transactions are
minimized as well after the breach is detected."

Inscoe argues that if the P.F. Chang's case goes to trial, "it will be
extremely difficult to prove any damage done to consumers that would enable
them to win. As demonstrated in prior cases, consumers are made whole
financially by their financial institutions because they are protected
under Regulation E [Electronic Funds Transfer Act]. It is so easy to file
these claims, and banks are typically so quick to restore the funds to the
account, that true grounds for a class-action lawsuit seem far-fetched."

Similarly, Avivah Litan, an analyst with consultancy Gartner, says in the
wake of a breach of payment-related information, "the only harm that
consumers can incur, in my opinion, is negligible, e.g. time spent
disputing the fraudulent charge and the costs of the services consumed,
such as the meal at P.F. Chang's, that resulted in payment card fraud
because of the data breach."

If the courts, indeed, redefine "harm" to include such costs, Litan says,
"then get ready for an onslaught of lawsuits against breached retailers and
other entities taken on by overzealous lawyers. This would be very bad
news, in my opinion, should this happen."

P.F. Chang's Suit

On April 14, the Seventh Circuit overturned a lower court's 2015 ruling to
dismiss the 2014 class-action suit filed against P.F. Chang's. The suit
stemmed from P.F. Chang's 2013 data breach, which affected 33 locations
between October 2013 and June 2014.

"We concluded that several of those plaintiffs' injuries were concrete and
particularized enough to support Article III [of the U.S. Constitution]
standing," the Seventh Circuit's ruling reads. "First, we identified two
future injuries that were sufficiently imminent: the increased risk of
fraudulent credit- or debit-card charges, and the increased risk of
identity theft. These, we found, were not mere 'allegations of possible
future injury,' but instead were the type of 'certainly impending' future
harm that the Supreme Court requires to establish standing."

In the Neiman Marcus case, an appellate court panel ruled that consumers
were at risk because of the breach.

In September, the court denied Neiman Marcus' petition to have its case
reheard before the entire Seventh Circuit of judges, rather than just a
panel. Neiman Marcus appealed to the Supreme Court in December and was
granted in January an extension to file a motion to have its case heard.

Neither P.F. Chang's nor Neiman Marcus responded to Information Security
Media Group's request for comment.

What's Next?

So what will happen next in the P.F. Chang's case?

Here's how Pierson sizes it up: "Given the changing nature of data breach
cases not being dismissed for lack of standing, this case is likely to
either settle or face one more hurdle prior to discovery taking place. P.F.
Chang's may seek to file for a motion for summary judgment ahead of
discovery. Given the time that has lapsed since the breach, the priority of
management time focused on the electronic discovery aspects of this case,
and the potential settlement risk, taking into account insurance, P.F.
Chang's may seek to resolve this matter before the end of the year."