On Thursday, April 14, 2016, the United States Court of Appeals for the Seventh Circuit reversed a lower court’s ruling and held that customers suing P.F. Chang’s China Bistro Inc. did have standing to sue for fraud-prevention expenses.  The decision reaffirms the Seventh Circuit’s ruling last summer in Remijas et al. v. The Neiman Marcus Group LLC, which found that the increased risk of fraudulent charges and identity theft is enough for standing.  It is now clearly established in the Seventh Circuit that when a business experiences a data breach, customers have Article III standing under the U.S. constitution to sue that business even if the customers do not know for sure that their data was stolen, and customers experienced harm no greater than having to monitor their accounts in anticipation of potential harm.

On June 12, 2014, P.F. Chang’s announced that its computer system had been breached and some consumer credit and debit card data had been stolen.  At the time, the restaurant chain did not know how many consumers were affected, whether the breach was general or limited to specific locations, or how long the breach lasted.  Later that summer, on August 4, 2014, P.F. Chang’s announced that it had determined that data was stolen from 33 restaurants.  The two plaintiffs in the lawsuit both dined at a restaurant location that was not one of the 33 restaurants that P.F. Chang’s said was affected.  Nonetheless, one plaintiff claims that after dining at P.F. Chang’s, and prior to learning of the data breach, he discovered that four fraudulent transactions had been made using his debit card.  He cancelled his card and spent $106.89 on a credit monitoring service.  The other plaintiff claims that he did not find any fraudulent charges, nor did he cancel his card or suffer any of the associated inconvenience or costs.  He did allege, however, that after learning of the data breach, he spent time and effort monitoring his card statements and his credit report to ensure that no fraudulent charges had been made on that card and that no fraudulent accounts had been opened in his name. 

In its argument before the appeals court, P.F. Chang’s accepted the holding of Remijas that the time and money spent resolving fraudulent charges are cognizable injuries for standing.  However, P.F. Chang’s argued that unlike in Remijas, and similar data breaches, the P.F. Chang’s breach posed a risk of only fraudulent charges to affected cards, not of identity theft.  The appeals court rejected this argument as a “factual assumption that has yet to be tested.”  P.F. Chang’s also argued that unlike in Remijas, it contests whether plaintiffs’ data was exposed in the breach at all in the first place.  The court said this was immaterial because at the pleadings stage it had to accept all plausible claims by the plaintiffs as true. 

The appeals court also addressed the plaintiffs’ other asserted injuries, and, while not reaching a decision on those injuries, did note that it was “skeptical” of the plaintiffs’ claims.  Specifically, the plaintiffs seek to recoup the cost of their meals, alleging that they would not have dined at P.F. Chang’s had they known of the poor data security.  The court said it only adopted such arguments where the product itself was dangerous or defective.  The plaintiffs also claim they have a property right to their personally identifiable data.  The court noted that federal precedent and Illinois state court precedent do not support such a contention.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com