Following the Seventh Circuit’s recent decision in Lewert v. P.F. Chang’s China Bistro, Inc., 2016 U.S. App. LEXIS 6766 (7th Cir. Ill. Apr. 14, 2016), many commentators quickly pronounced the Seventh Circuit fertile territory for consumer data breach class actions. But, suggesting that such claims will thrive in the Seventh Circuit is a lot like saying the Sasquatch thrives in the Pacific Northwest. Maybe, but the evidence is, at best, grainy and inconclusive.
The Significance and Insignificance of Lewert
Last month in Lewert, the Seventh Circuit reversed the trial court’s dismissal of a putative class action brought by alleged victims of a 2014 data breach. For those following data breach jurisprudence, the Seventh Circuit’s conclusion was hardly a surprise. Just last July, the Seventh Circuit became the first federal court of appeals to find standing among data breach victims absent a showing of identity theft or unreimbursed fraud. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, the Court held that Article III’s “concrete and particularized injury” requirement was met by “the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft,” “time and money the class members predictably spent resolving fraudulent charges,” and “time and money customers spent protecting against future identity theft.” P.F. Chang’s attempted to distinguish Remijas, arguing that the nature of its breach created less risk of identity theft than in Remijas. Unlike Neiman Marcus, P.F. Chang’s also disputed that the named Plaintiffs’ data had been compromised. The Seventh Circuit brushed aside these distinctions as immaterial at the pleading stage where Plaintiffs’ allegations are presumed true.
As a threshold matter, Lewert did not really change anything within the Seventh Circuit. Indeed, the most notable aspect of Lewert may be how closely it hewed to last year’s Remijas decision. The Seventh Circuit still believes that allegations of a payment card data breach can constitute a “certainly impending future harm” sufficient to satisfy the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 185 L. Ed. 2d 264 (2013). And, it believes that certain victim activities following a payment card data breach – such as purchasing credit monitoring or expending time and resources to guard against identity theft – constitute “present injuries” for Article III purposes. However, the Court remained “skeptical” of Plaintiffs’ more creative standing theories, like Plaintiffs’ claim that they would not have dined at P.F. Chang’s had they known of its poor data security or that Plaintiffs’ had a property right in their personally identifiable data.
So, is Lewert a positive development for future retail data breach plaintiffs? Sure, to a point – it reaffirmed the Seventh Circuit’s divergence from the majority of post-Clapper data breach decisions which have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing. Continue Reading