P.F. Chang's Customers Lack Standing To Sue Restaurant for Security Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 15 — Customers of eatery P.F. Chang's China Bistro Inc. lack standing to sue the company following the breach of some 7 million payment cards, the U.S. District Court for the Northern District of Illinois ruled Dec. 10.

Judge John W. Darrah said allegations of overpayment for the restaurant's products and services, fraudulent charges, opportunity costs, future identity theft and mitigation expenses weren't sufficient to establish an injury in fact.

Standing has proved to be an important threshold issue in data breach cases, with many federal district courts struggling over whether injuries like a future risk of identity theft are sufficient to support standing.

Here, the court dismissed the case for lack of subject matter jurisdiction. Two days later, on Dec. 12, named plaintiffs John Lewert and Lucas Kosner appealed the decision to the U.S. Court of Appeals for the Seventh Circuit.

Breach Disclosed in June

In June 2014, P.F. Chang's revealed that customer credit and debit card data from an unknown number of accounts had been stolen. One report estimated that almost 7 million cards were compromised, according to the court.

Each named plaintiff filed separate class actions against P.F. Chang's, alleging breach of implied contract and violations of state consumer fraud statutes. Both actions were later consolidated.

The defendant moved to dismiss the complaints, in part due to lack of standing. The court granted the motion, finding all of the plaintiffs' allegations concerning damages unavailing.

No Overpayment for Credit Card Usage

The court found unpersuasive the plaintiffs' argument that the cost of the food they purchased included the cost of sufficient protection for personally identifiable information. They didn't allege that P.F. Chang's charged more for goods when a customer paid with a credit card, the court said, looking to its earlier decision in In re Barnes & Noble Pin Pad Litig., No. 1:12-cv-08617, 2013 BL 234605 (N.D. Ill. Sept. 3, 2013).

Although Kosner alleged that his bank had notified him that he had fraudulent activity on his credit card, the plaintiffs failed to allege that he suffered monetary damages from the charges or that those charges resulted from the data breach, the court said.

“In order to have suffered an actual injury, Plaintiffs must have had an unreimbursed charge on their credit cards,” the court said, citing In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011).

Nor was the court convinced by the plaintiffs' opportunity costs argument. Kosner alleged that he was without his debit card for two to three days after the breach and lost the ability to accrue rewards points on his card during that time. But he failed to allege that he would have used the debit card to accrue points, the court said. “Simply being without a debit card between ‘learning of the fraudulent charge[s] and receiving a new credit card' isn't a cognizable injury, the court said, quoting Barnes & Noble.

Identity Theft Not Imminent

Finally, the court looked to a U.S. Supreme Court decision to find allegations that identity theft might occur, as well as expenses taken to mitigate possible identity theft, are insufficient for purposes of standing.

In Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013), the Supreme Court concluded that speculation of future harm isn't an actual injury.

“Again, while Plaintiffs allege that security breaches can lead to identity theft, they do not allege that it has occurred in this case,” the court said. “Rather, they allege that identity theft may not happen for years, which is not imminent harm.”

Siprut PC represented Lewert. Lite DePalma Greenberg LLC Gordon Law Offices Ltd. represented Kosner. Lewis Brisbois Bisgaard & Smith LLP represented P.F. Chang's.

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Lewert_v_PF_Changs_China_Bistro_Inc_Docket_No_114cv04787_ND_Ill_J.

Full text of the notice of appeal is available at http://www.bloomberglaw.com/public/document/Lewert_v_PF_Changs_China_Bistro_Inc_Docket_No_114cv04787_ND_Ill_J/1.


Request Bloomberg Law: Privacy & Data Security