Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach as reported by P.F. Chang’s constituted a “certainly impending” future injury sufficient to confer Article III standing.  This decision builds on an earlier ruling from the Seventh Circuit that revived a data breach suit filed against Neiman Marcus, and will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally possible.

The class action against P.F. Chang’s (Lewert v. P.F. Chang’s China Bistro) stems from a breach of the computer systems at P.F. Chang’s restaurants, announced in June 2014.  The breach resulted in the theft of credit and debit card information belonging to consumers who dined at certain P.F. Chang’s restaurants.  Although P.F. Chang’s initial announcement of the breach indicated that the restaurant chain was not certain how many locations had been affected, P.F. Chang’s later announced in August 2014 that the breach had only affected thirty-three restaurant locations.

The two plaintiffs in Lewert both ate at a P.F. Chang’s restaurant that was not included in the list of affected locations, but both brought claims for the breach.  One plaintiff observed four fraudulent charges on his debit card shortly after dining at P.F. Chang’s, cancelled his card, and purchased a credit monitoring service.  The other plaintiff “spent time and effort” monitoring his credit report and credit card statements after hearing about the breach.  The district court dismissed the suit on Article III grounds, holding that the allegations of future harm of identity theft or fraudulent charges were too speculative to satisfy Article III.

The Seventh Circuit, however, held that these allegations were sufficient to demonstrate Article III standing, relying on its July 2015 holding in Remijas v. Neiman Marcus Group in the process.  In Remijas, the Seventh Circuit held that the increased risk of fraudulent charges or identity theft following a data breach affecting the plaintiffs’ credit or debit card information could satisfy the post-Clapper “certainly impending” standard for Article III standing.  Although P.F. Chang’s argued that Remijas could be distinguished on the grounds that P.F. Chang’s, unlike Neiman Marcus, disputed whether the plaintiffs’ information was disclosed in the breach, the Seventh Circuit disagreed.  Instead, the Seventh Circuit held that the plaintiffs had “plausibly alleged” that their data was stolen, because P.F. Chang’s initial statement regarding the breach was directed to all P.F. Chang’s customers and did not distinguish between restaurant locations.  As the court stated, when “the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”  The court characterized P.F. Chang’s assertions that only thirty-three restaurants were affected as a “factual dispute” that should be resolved at a later stage in the case.

The Seventh Circuit pointed to several post-breach statements made by P.F. Chang’s as the primary basis for its holdings, including statements about the scope of the breach and advice to affected individuals.  The court’s holding not only establishes the Seventh Circuit as friendly territory for data breach class action plaintiffs, but also highlights the importance of thoroughly vetting communications to consumers following a data breach.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of, an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.