
Appeals court reinstates P.F. Chang’s class-action lawsuit

Case stems from data breach in 2014

A federal appeals court has reinstated a class-action lawsuit filed by two P.F. Chang's China Bistro patrons who claim they were harmed by the chain’s 2014 data breach, Business Insurance reported this week.

Scottsdale, Ariz.-based P.F. Chang’s China Bistro said in June 2014 that some consumer credit card and debit card data had been stolen. The company eventually said that 33 restaurants had been breached as far back as September 2013.

A three-judge panel of the 7th U.S. Circuit Court of Appeals ruled last week that the case of the two plaintiffs, who had filed separate suits that were consolidated and then dismissed for lack of standing in December 2014, could proceed because they had shown a “substantial risk of harm” in the breach.

One plaintiff, Lucas Kosner, dined at a Northbrook, Ill., P.F. Chang’s in April 2014 and paid with his debit card. He later found four fraudulent transactions on the card he had used and cancelled the card.

John Lewert dined at the same restaurant, also in April 2014. He did not find any fraudulent charges on his card, but he claimed after the breach was announced that he had spent time and effort monitoring his card statements.

“After learning about the data breach, Kosner believed his debit-card data were among those compromised. He then purchased a credit monitoring service to protect against identity theft, spending $106.89,” wrote Stephen A. Grossman, a partner and chair of the data privacy and cyber security practice at the law firm of Montgomery McCracken, at Lexology.com.

“Lewert, however, had no fraudulent charges. Instead, he spent ‘time and effort monitoring his card statements and his credit report’ to ensure that no fraudulent charges or accounts appeared,” Grossman said.  

The men filed separate suits before different judges in U.S. District Court in Chicago. The suits were consolidated in August 2014 into a single putative class-action lawsuit that sought damages resulting from the breach.

The District Court dismissed the lawsuit in December 2014, stating that the plaintiffs had no standing to sue. 

“While plaintiffs allege that security breaches can lead to identity theft, they do not allege that it has occurred in this case,” the District Court ruled.

Grossman said that this is an evolution of standing in data breach/theft cases, based on the 7th Circuit Court’s Remijas v. Neiman Marcus Group ruling, which was issued after the district court’s dismissal of the initial P.F. Chang’s suit.

The Court of Appeals found that several of Kosner’s and Lewert’s alleged injuries fit findings in the Neiman Marcus ruling, including “the increased risk of fraudulent charges and identity theft because their data had already been stolen.”

Grossman said that “given the precedent of Neiman Marcus, the outcome in P.F. Chang’s is not surprising, but it does suggest that, at least in the 7th Circuit, there is a basic equation to establish standing: evidence of a data breach, temporal customer activity to the data breach [and] time spent protecting against future identity theft or fraudulent charges.”

Grossman added, “We’ll see how plaintiffs fare on remand if the district court addresses P.F. Chang’s motion to dismiss for failure to state a claim.”

Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless
