CHICAGO (Legal Newsline) - The U.S. Court of Appeals for the Seventh Circuit, in a decision released last week, once again sided with plaintiffs in a data breach class action lawsuit.
In its April 14 opinion, a three-judge panel of the Seventh Circuit reversed an order by the U.S. District Court for the Northern District of Illinois, Eastern Division, that dismissed a class action brought against restaurant chain P.F. Chang’s for a 2014 data breach.
Chief Judge Diane Wood authored the 12-page decision, joined by judges William Bauer and David Hamilton.
The panel concluded that the plaintiffs -- John Lewert and Lucas Kosner -- alleged “enough” to support standing. However, the court did not express an opinion on the merits of the case for class certification.
Lewert and Kosner brought separate lawsuits, which were later consolidated, after finding out the restaurant chain’s computer system had been hacked, and debit and credit card data had been stolen.
The breach occurred between Oct. 19, 2013 and June 11, 2014. The U.S. Secret Service made P.F. Chang’s aware of the breach June 11, 2014, and the company made an announcement the next day.
The plaintiffs, who contend P.F. Chang’s failed to take adequate measures to protect its customers’ data from theft, seek damages resulting from the theft on behalf of themselves and a class.
The Northern District of Illinois dismissed the action for lack of standing, concluding the plaintiffs had not suffered the requisite personal injury.
The Seventh Circuit disagreed, pointing to its previous decision in Remijas v. Neiman Marcus Group LLC.
The federal appeals court, in its July 2015 ruling, found that the risk of harm to the 300,000-plus people whose credit card numbers were exposed as a result of a 2014 data breach suffered by Neiman Marcus was “very real and immediate.”
“In the present case, several of Lewert and Kosner’s alleged injuries fit within the categories we delineated in Remijas,” Wood wrote in last week’s ruling. “They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen.
“These alleged injuries are concrete enough to support a lawsuit.”
The panel noted that Lewert is at risk for both fraudulent charges and identity theft. Kosner, the judges also noted, already has cancelled his debit card, but is still at risk for identity theft.
“Other members of the would-be class will be in the same position as one or the other named plaintiff,” Wood wrote.
The Seventh Circuit went even further.
“Similarly, Lewert and Kosner have alleged sufficient facts to support standing based on their present injuries,” Wood wrote. “Kosner asserts that he already has experienced fraudulent charges. Even if those fraudulent charges did not result in injury to his wallet (he stated that his bank stopped the charges before they went through), he has spent time and effort resolving them. He also took measures to mitigate his risk by purchasing credit monitoring for $106.89.
“Lewert alleged that he has spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft.”
While P.F. Chang’s contests whether the plaintiffs’ data was exposed in the breach -- the chain’s later analysis led it to conclude only 33 stores were affected -- the Seventh Circuit said that is “immaterial.”
“At the pleading stage, the plaintiffs’ factual allegations must ‘[]cross the line from conceivable to plausible.’ Once they have crossed this threshold, we accept them for purposes of a motion to dismiss as true,” Wood wrote for the panel. “The same is true of allegations of standing.”
The judge continued, “P.F. Chang’s will have the opportunity to present evidence to explain how the breach occurred and which stores it affected. Perhaps it can trace which specific data files were stolen. Perhaps each individual location’s data is behind a separate firewall. Or perhaps it is being too optimistic and the breach was greater than it suggests. At this stage, no one knows.
“When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”
The Seventh Circuit remanded the case to the Northern District of Illinois for further proceedings consistent with its opinion.
“All class members should have the chance to show that they spent time and resources tracking down the possible fraud, changing automatic charges, and replacing cards as a prophylactic measure,” Wood wrote.
Some have argued the Seventh Circuit’s decision could have a “huge effect” on data breach litigation.
From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.