UNITED STATES – Given the increasing connectivity to the internet at home and at work, from smartphones and smart televisions to cloud solutions, resulting in vast amounts of personal information being collected, the risk of a data security incident (e.g., “data breach”) is real. In 2015, almost half of all companies reported experiencing a data security incident within the past 12 months. This current environment and a recent decision by the Seventh Circuit Court of Appeals, should serve as a reminder for companies to make sure their “privacy house” is in order.
On April 14, 2016, the Seventh Circuit Court of Appeals (“Seventh Circuit” or “Court”) sought to bring clarity to whether, and when, an alleged victim of a mass data breach has standing to sue not the thief, but the information-carrying entity that was thieved. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 U.S. App. LEXIS 6766, April 14, 2016). In a unanimous opinion authored by Chief Judge Diane Wood, the Seventh Circuit reversed the district court decision that denied standing to two putative class action plaintiffs — each former patrons of Chicago-area P.F. Chang’s restaurants — who sued the restaurant chain for third party theft of consumer information. The Seventh Circuit, in a plaintiff-friendly ruling, held that customers of a restaurant, who merely allege that the debit or credit card information was stolen on the restaurant’s watch, may have sufficient “injury” to proceed with the lawsuit.
In P.F. Chang’s, national restaurant chain defendant P.F. Chang’s, announced on June 12, 2014, that its computer system had been breached, with certain consumer debit and credit card information stolen. P.F. Chang’s did not immediately know how many consumers were impacted, whether the breach was widespread or confined to particular locations, or for how long the breach had occurred. As a safeguard, P.F. Chang’s switched to a manual card-processing system at all locations throughout the continental United States and encouraged customers to monitor their card statements. Within three months, on August 4, 2014, P.F. Chang’s announced that data had been stolen from “just 33 restaurants”, and reported that the only affected restaurant in Illinois was at the Woodfield Mall in the Chicago suburb of Schaumburg.
In the April that directly preceded the June 2014 data breach announcement, plaintiffs John Lewert and Lucas Kosner each, on separate occasions, dined at the P.F. Chang’s restaurant located in the different Chicago suburb of Northbrook. Although the Northbrook location was not listed in P.F. Chang’s’ 33 self-reported data breach locations, Kosner, on June 8, 2014, allegedly noticed four fraudulent transactions on the same card he had used when he had dined there. Kosner cancelled his card immediately. He then learned of the P.F. Chang’s data breach later that same month and “drew the conclusion that his debit-card data were among those compromised by the breach.” Based on this concern, Kosner allegedly purchased a credit card monitoring service for $106.89 “to protect against identity theft, including against criminals using the stolen card’s data to open new credit or debit cards in his name.” Lewert, for his part, experienced consequences that the Court called “less troubling.” Unlike Kosner, Lewert spotted no fraudulent charges on his card, did not cancel his card, and thus did not suffer the “associated inconvenience or costs.” Instead, Lewert alleged that he spent “time and effort monitoring his card statements and his credit report” in the wake of the P.F. Chang’s data breach announcement.
Kosner and Lewert sued P.F. Chang’s in the U.S. District Court for the Northern District of Illinois (in Chicago) with claims relating to the data breach. In so doing, they sought to represent a class of all “similarly situated customers whose payment data may have been compromised.” The two actions were consolidated on June 24, 2014 and — once combined with the claims of the other putative class members — exceeded $5 million in aggregate value. The consolidated action conferred jurisdiction in federal court under the Class Action Fairness Act (“CAFA”). The district court, upon considering the plaintiffs’ allegations, then dismissed the case on the basis that plaintiffs lacked the requisite injuries to confer standing.
On appeal, the Seventh Circuit reviewed the district court’s order de novo and reversed. The Court acknowledged the black law principle, under Article III of the Constitution, that plaintiffs must have “suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Applying that standard to the instant case, the Seventh Circuit cited its 2015 decision in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) to note that this “is not our first time to examine standing in a case involving data breach.” In Remijas, the Seventh Circuit held that the data breach which plaintiffs alleged was more than mere “possible future injury” to satisfy Article III. Namely, the Remijas plaintiffs, like the P.F. Chang’s plaintiffs, established that their future injuries were “sufficiently imminent” by alleging the increased risk of “fraudulent credit or debit card charges” and of “identity theft.” As the Seventh Circuit opined, plaintiffs “should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing[.]” Finding that Kosner and Lewert “describe the same kind of future injuries as the Remijas plaintiffs did,” the Court held that such injuries, as alleged, “are concrete enough to support a lawsuit.”
Moreover, the Seventh Circuit noted that “injuries sufficient for standing” include the “time and money the class members predictably spent resolving fraudulent charges” despite the bank repaying those charges. The Court further noted that standing-sufficient injuries include “the identity theft that had already occurred and in the time and money customers spent protecting against future identity theft or fraudulent charges.” As in Remijas, the Court determined that Kosner and Lewert alleged sufficient injuries. Notably, the Court reached this determination even if the fraudulent charges “did not result in injury” to either plaintiff’s “wallet”, because “he has spent time and effort resolving” the fraudulent charges and, particularly in the case of Kosner, “took measures to mitigate” the risk by purchasing “credit card monitoring for $106.89.” The Court also held, albeit without detailed analysis, that the alleged “time and effort” Lewert spent “monitoring both his card statements and his other financial information” was sufficient to support standing. In so holding, the Court rejected P.F. Chang’s’ contention that plaintiffs’ mitigation was unreasonable since the only risk facing these plaintiffs related to “fraudulent charges to affected cards, not identity theft.” In the Seventh Circuit’s view, “this factual assumption has yet to be tested,” as “information stolen from payment cards can be used to open new cards in the consumer’s name.” Thus, as a “matter of pleading, nothing suggests that the plaintiffs’ mitigation efforts were unreasonable.”
The Seventh Circuit also refused to adopt P.F. Chang’s’ assertion that plaintiffs failed to plausibly allege data theft by virtue of not having dined at the Woodfield restaurant that was the singular Illinois location listed on P.F. Chang’s’ data breach list. According to the Seventh Circuit, P.F. Chang’s “addressed all customers who had dined at all of its stores in the United States and admitted that it did not know how many stores were affected.” (Emphasis in original.) Though acknowledging that there is a “factual dispute about the scope of the breach,” the Court concluded that “it does not destroy standing.” As the Court explained: “When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”
To be sure, the Seventh Circuit also noted that it was “skeptical” of plaintiffs’ other asserted injuries, though did not chronicle what those alleged injuries were. Instead, the Seventh Circuit turned to the final two elements of standing: causation and redressibility, concluding that plaintiffs satisfied each. Plaintiffs alleged “enough facts to push” the allegation that “the Northbrook restaurant was among those hit by the hackers” even though it was not included in P.F. Chang’s’ list of 33. In turn, the Court ruled that “a favorable judgment would redress the plaintiffs’ injuries” because at least some of those injuries are “easily quantifiable,” including: credit monitoring services, credit card points, un-reimbursed fraud charges and even fraud response time and effort.
The Seventh Circuit thus parted ways with the district court to conclude that “plaintiffs have alleged enough to support Article III standing,” though cautioned that the ruling expresses “no opinion on the merits or on the suitability of this case for class certification.”
The P.F. Chang’s decision suggests that the threshold of what constitutes an “injury” in the event of a data security incident may not be as high as once thought. Therefore, companies should implement or revisit their data privacy and IT security programs to reduce the risk of, and be prepared to appropriately respond to, a data security incident.
As a first step, companies should get a sense of what personal information they maintain about individuals (e.g., employees, consumers, business contacts) and whether the IT security measures in place are appropriate for the sensitivity of the personal information. Employees, vendors and others with access to company systems that maintain personal information should receive appropriate training on handling such information and their access to company systems limited to what is necessary for their role. Companies should also assess whether they have appropriate privacy terms in place with vendors in the event the vendor experiences a data security incident on their systems involving the company’s personal information.
In order to be prepared to respond to a data security incident, companies should also consider implementing a formal, written Data Security Incident Response Plan that details the steps that the company will take in response to a data security incident — including the designation of company and external personnel to assist with the response. To test the effectiveness of this plan, companies could conduct a “tabletop” exercise with key stakeholders to get a sense of how the Data Security Incident Response Plan works in practice.
In light of widespread access to the internet and the sophistication of criminals seeking to access company systems, there is no surefire way to prevent a data security incident; and the P.F. Chang’s ruling demonstrates that companies, victims themselves to criminal acts, may face litigation that cannot be easily dismissed at the pleadings phase. But companies can take steps to protect against the risk of breach and be prepared to respond appropriately. Indeed, if anything, P.F. Chang’s — in potentially inviting further data breach lawsuits that will bring data breach protective practices under public scrutiny — provides yet another cautionary reminder of why companies should take those steps.
