BreachExchange mailing list archives
Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Mon, 18 Apr 2016 17:02:54 -0600
http://www.natlawreview.com/article/seventh-circuit-relying-defendant-s-post-breach-statements-allows-data-breach-class#sthash.i8I4GsQW.dpuf Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district courtâs dismissal of a class action complaint over a 2014 data breach at P.F. Changâs restaurants. In reversing the district courtâs holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach as reported by P.F. Changâs constituted a âcertainly impendingâ future injury sufficient to confer Article III standing. This decision builds on an earlier ruling from the Seventh Circuit that revived a data breach suit filed against Neiman Marcus, and will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally possible. The class action against P.F. Changâs (Lewert v. P.F. Changâs China Bistro) stems from a breach of the computer systems at P.F. Changâs restaurants, announced in June 2014. The breach resulted in the theft of credit and debit card information belonging to consumers who dined at certain P.F. Changâs restaurants. Although P.F. Changâs initial announcement of the breach indicated that the restaurant chain was not certain how many locations had been affected, P.F. Changâs later announced in August 2014 that the breach had only affected thirty-three restaurant locations. The two plaintiffs in Lewert both ate at a P.F. Changâs restaurant that was not included in the list of affected locations, but both brought claims for the breach. One plaintiff observed four fraudulent charges on the debit card shortly after dining at PF Changâs, cancelled his card, and purchased a credit monitoring service. The other plaintiff âspent time and effortâ monitoring his credit report and credit card statements after hearing about the breach. The district court dismissed the suit on Article III grounds, holding that the allegations of future harm of identity theft or fraudulent charges were too speculative to satisfy Article III. The Seventh Circuit, however, held that these allegations were sufficient to demonstrate Article III standing, relying on its July 2015 holding in Remijas v. Neiman Marcus Group in the process. In Remijas, the Seventh Circuit held that the increased risk of fraudulent charges or identity theft following a data breach affecting the plaintiffsâ credit or debit card information could satisfy the post-Clapper âcertainly impedingâ standard for Article III standing. Although P.F. Changâs argued that Remijas could be distinguished on the grounds that P.F. Changâs, unlike Neiman Marcus, disputed whether the plaintiffsâ information was disclosed in the breach, the Seventh Circuit disagreed. Instead, the Seventh Circuit held that the plaintiffs had âplausibly allegedâ that their data was stolen, because P.F. Changâs initial statement regarding the breach was directed to all P.F. Changâs customers and did not distinguish between restaurant locations. As the court stated, when âthe corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.â The court characterized P.F. Changâs assertions that only thirty-three restaurants were affected as a âfactual disputeâ that should be resolved at a later stage in the case. The Seventh Circuit pointed to several post-breach statements made by P.F. Changâs as the primary basis for its holdings, including statements about the scope of the breach and advice to affected individuals. The courtâs holding not only establishes the Seventh Circuit as friendly territory for data breach class action plaintiffs, but also highlights the importance of thoroughly vetting communications to consumers following a data breach. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160418/2fc10bdc/attachment.html>
Current thread:
- Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed Audrey McNeil (Apr 18)