Friday, April 15, 2016
Seventh Circuit Says Data-Breached Diners Have Standing to Sue Restaurant
The Seventh Circuit ruled yesterday in Lewert v. P.F. Chang's China Bistro, Inc. that restaurant-goers had standing to pursue their case against the restaurant chain for actions they took to protect themselves after the chain revealed that it had been the victim of a computer-system hack.
The ruling is a win for consumers insofar as it lets them get beyond the pleadings in data-breach cases (so long as they plead that they took measures to protect themselves and will suffer an increased chance of fraudulent charges or stolen identity). (The plaintiffs here now have a chance to move the case forward.) But it says nothing on the merits.
The case arose after P.F. Chang's announced that its computer system had been breached and that some consumer credit- and debit-card data had been stolen. At first, the restaurant didn't know the extent of the breach, so switched to a manual card-processing system at all locations around the country. Later, it announced that data was stolen from just 33 restaurants, including one in Schaumburg, Illinois.
The plaintiffs, diners at P.F. Chang's Northbrook, Illinois, location, worried that their information may have been stolen. One of the plaintiffs noticed fraudulent charges on his card soon after P.F. Chang's announcement; he cancelled his card and purchased an identity-theft-protection service. The other plaintiff did not have fraudulent charges, but he took extra time to monitor his credit-card statement and credit report. Both plaintiffs claimed that they suffered an increased risk of fraudulent charges and stolen identity.
The plaintiffs brought a class action, and P.F. Chang's moved to dismiss for lack of standing. The Seventh Circuit sided with the plaintiffs.
The court said that the plaintiffs' actions to protect themselves were sufficient harms to establish standing: the plaintiffs suffered action harms by taking precautionary steps to protect themselves, and they suffered imminent harms of increased chances of fraudulent charges and stolen identities.
As to causation, the court said that any questions--whether the data breach caused the plaintiffs' injuries--went to the merits. As to redressability, the court said that monetary relief could redress the harms.
https://lawprofessors.typepad.com/conlaw/2016/04/seventh-circuit-says-data-breached-diners-have-standing-to-sue-restaurant.html
