By Zachariah DeMeola, Guest Editor, BakerHostetler.
Link to original post: http://bit.ly/1pOpf9K
One obstacle for named plaintiffs in proposed data breach class actions is the extent to which plaintiffs must allege an injury-in-fact to have standing. Disputes often arise about whether proactive efforts to mitigate against the potential misuse of stolen data, such as utilizing credit monitoring services, are sufficient to confer Article III standing. Since the U.S. Supreme Court issued its decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), which held that standing could not be established if the speculative danger of possible future acts was not “certainly impending,” federal courts have dismissed many putative class actions arising out of data breaches for a lack of standing. These courts have applied Clapper to conclude that a data breach alone does not constitute an injury, and evidence regarding the potential future misuse of data is often too attenuated to confer standing.
The Seventh Circuit, however, recently bucked that trend in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), which held that plaintiffs may have standing without alleging actual misuse of their stolen data. Our sister blog, the Data Privacy Monitor, recently discussed Remijas here. In Remijas, hackers allegedly gained access to payment card data for 350,000 Neiman Marcus customers, 9,200 of whom experienced fraudulent charges on their payment cards (all were reimbursed). The Seventh Circuit reversed the district court’s order dismissing the case for lack of standing, determining that the theft of data necessarily implied harm because the misuse of data was the only plausible explanation for the data breach. Moreover, the court used the fact that Neiman Marcus purchased credit monitoring or identity theft protection services for affected customers to support this conclusion, noting that Neiman Marcus would not have done so if the risk could be disregarded. And so, Remijas concluded, the purchase of mitigation services for those who had not yet alleged unauthorized charges was not “speculative” but was sufficiently concrete to confer standing.
The Seventh Circuit is now revisiting Remijas in Lewert v. P.F. Chang’s China Bistro, Inc., Case No. 14-3700. In Lewert, two plaintiffs alleged that nearly 7 million payment cards used to make purchases at 30 P.F. Chang’s restaurants were compromised due to a breach dating back to 2013. Although both plaintiffs made purchases at the defendant’s restaurants, neither plaintiff alleged that they dined at the 30 restaurants involved in the breach. One of the plaintiffs alleged that there were four attempts to make fraudulent charges on his account, although all charges were declined by his bank, and he was promptly issued new payment cards. The other plaintiff did not allege any attempt to make unauthorized charges on his account. Prior to Remijas, the district court granted P.F. Chang’s motion to dismiss for lack of standing. Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *1 (N.D. Ill. Dec. 10, 2014). The Lewert plaintiffs appealed, and the Seventh Circuit ordered the parties to specifically address the application of Remijas to their case.
The parties have briefed their positions, and oral argument was held on January 13, 2016. The plaintiffs maintain that the alleged infiltration of the defendant’s payment system may not be limited to the 30 restaurants identified by P.F. Chang, and could include the restaurants where the plaintiffs dined. The plaintiffs also pointed to indications that some information, purportedly stolen from other P.F. Chang customers, had been sold on the black market. Thus, relying on Remijas, the plaintiffs concluded that the data breach itself created an impending and substantial risk of future harm sufficient to confer standing.
The Seventh Circuit has an opportunity in Lewert to refine Article III standing requirements in data breach cases by restricting the Remijas holding to a narrower set of facts than is present in PF Chang’s, and they should use the opportunity to do so. First, the Remijas case involved the presence of actual, as opposed to hypothetical, fraud. The plaintiffs in the PF Chang’s case appear to make the argument that even though they don’t allege that they dined at any of the 30 restaurants involved in the breach, it is possible that their payment card information will be subject to unauthorized access in the future. In Remijas, there were already 9200 instances of fraud directly attributable to the data breach. Second, there doesn’t appear to be the same cost of dealing with identity theft in the PF Chang’s case that motivated the court to allow standing in Remijas. The Remijas court noted that even if those 9,200 individuals had already been reimbursed for the fraudulent charges incurred, they still had the frustration and cost of dealing with identity theft, closing accounts, getting new accounts and more. In the P.F. Chang’s case, alleged unauthorized charges were denied by the bank, and the plaintiff’s bank simply issued him a new card after denying the charges. Whatever the outcome, the decision promises to be an important one for the data breach class action defense bar.
BakerHostetler successfully defends class actions around the country. Our team consists of seasoned class action litigators who have represented clients in state and federal courts and in multidistrict litigation in areas such as consumer fraud, securities, antitrust, ERISA, RICO, insurance and data breach.
About Zachariah J. DeMeola
Zack DeMeola is an associate in the Denver office of Baker Hostetler LLP. He focuses his litigation practice on privacy and data breach issues, class action litigation defense, and complex commercial matters. Zack places high value on staying ahead of technology and its effect on developing law, as well as creative and thoughtful advocacy to implement effective solutions for clients in and out of the courtroom. He has represented clients in the e-commerce, retail, health care, pharmaceutical, and public safety communications industries and advises clients on industry and regulatory trends regarding privacy and social media legal issues. In 2015, Zack was recognized as one of seven Colorado “up and coming lawyers” by Colorado Law Weekly. Zack previously practiced in the Litigation & Dispute Resolution, Privacy, and Social Media law groups of Mayer Brown LLP in Los Angeles. Zack graduated from William & Mary Law School in 2010, where he received the George Wythe and Ewell Awards for leadership and service. Zack also obtained a Master’s degree in American Studies from the College of William and Mary, and is a graduate of the University of Pennsylvania, where he graduated with a Bachelor’s of Arts.