SAN FRANCISCO (Legal Newsline) – A federal judge has denied a California hotel's motion dismissal in a data breach lawsuit brought by a former customer.
Judge Vince Chhabria made the decision on April 13 and concluded that the plaintiff Lee Walters had faced imminent harm due to his personal information being at risk of being stolen.
From Feb. 16, 2016, to July 7, 2016, malware infected The Kimpton Hotel & Restaurant Group Inc. computers. In August 2016, the company notified customers who used cards for payment during that time. Walters was a visitor at Kimpton Hotel on May 29, 2016. He alleges that after his stay, his paycard information was stolen.
Similar cases where a misuse of data was not actually suffered have been dismissed, but the Ninth Circuit, in which Walters v. Kimpton Hotel is being handled, is known for making such decisions in favor of customers that take legal action.
"The Kimpton court sits in the Ninth Circuit, which has held that increased risk of identity theft following the theft of personal data is sufficient," Glen Kopp and Ryan Philp of Houston-based law firm Bracewell LLP told Legal Newsline. "The Sixth and Seventh circuits have taken a similar approach, but other circuits have dismissed plaintiff suits on comparable allegations."
Chhabria's decision was based on former cases that came out of the Sixth and Seventh circuits. For example, in Galaria v. Nationwide Mut. Ins. Co., it was found that “no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.”
In Lewert v. P.F. Chang’s China Bistro, it was found that “it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.”
It is unclear what the next move will be for Walters, who claims that his purchase of credit monitoring services and other expenses were enough damage to claim negligence, breach of contract and a violation of California's unfair competition law against Kimpton Hotel.
"As for whether Walters will be able to prove injury going forward, that is a different question and we are in somewhat uncharted territory because other consumer suits that have survived pleading stage motions have settled," Kopp and Philp said.
"As a general matter, the plaintiff will need to provide evidence that meets the prevailing standard in the Ninth Circuit, which establishes that a credible threat of real and immediate harm, if proven, is sufficient to establish imminent harm."
This denial of the dismissal motion is likely to serve as a cautionary tale to other companies who may be vulnerable to hackers.
"This Kimpton decision serves as yet another reminder to companies that they may have to defend against consumer suits in the unfortunate event of a data breach," Kopp and Philp said.