Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach as reported by P.F. Chang’s constituted a “certainly impending” future injury sufficient to confer Article III standing.  This decision builds on an earlier ruling from the Seventh Circuit that revived a data breach suit filed against Neiman Marcus, and will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally possible.

The class action against P.F. Chang’s (Lewert v. P.F. Chang’s China Bistro) stems from a breach of the computer systems at P.F. Chang’s restaurants, announced in June 2014.  The breach resulted in the theft of credit and debit card information belonging to consumers who dined at certain P.F. Chang’s restaurants.  Although P.F. Chang’s initial announcement of the breach indicated that the restaurant chain was not certain how many locations had been affected, P.F. Chang’s later announced in August 2014 that the breach had only affected thirty-three restaurant locations.

The two plaintiffs in Lewert both ate at a P.F. Chang’s restaurant that was not included in the list of affected locations, but both brought claims for the breach.  One plaintiff observed four fraudulent charges on the debit card shortly after dining at PF Chang’s, cancelled his card, and purchased a credit monitoring service.  The other plaintiff “spent time and effort” monitoring his credit report and credit card statements after hearing about the breach.  The district court dismissed the suit on Article III grounds, holding that the allegations of future harm of identity theft or fraudulent charges were too speculative to satisfy Article III.

The Seventh Circuit, however, held that these allegations were sufficient to demonstrate Article III standing, relying on its July 2015 holding in Remijas v. Neiman Marcus Group in the process.  In Remijas, the Seventh Circuit held that the increased risk of fraudulent charges or identity theft following a data breach affecting the plaintiffs’ credit or debit card information could satisfy the post-Clapper “certainly impeding” standard for Article III standing.  Although P.F. Chang’s argued that Remijas could be distinguished on the grounds that P.F. Chang’s, unlike Neiman Marcus, disputed whether the plaintiffs’ information was disclosed in the breach, the Seventh Circuit disagreed.  Instead, the Seventh Circuit held that the plaintiffs had “plausibly alleged” that their data was stolen, because P.F. Chang’s initial statement regarding the breach was directed to all P.F. Chang’s customers and did not distinguish between restaurant locations.  As the court stated, when “the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”  The court characterized P.F. Chang’s assertions that only thirty-three restaurants were affected as a “factual dispute” that should be resolved at a later stage in the case.

The Seventh Circuit pointed to several post-breach statements made by P.F. Chang’s as the primary basis for its holdings, including statements about the scope of the breach and advice to affected individuals.  The court’s holding not only establishes the Seventh Circuit as friendly territory for data breach class action plaintiffs, but also highlights the importance of thoroughly vetting communications to consumers following a data breach.