The following post, written by Senior Counsel Andrew Phillips, was first published on McGuireWoods’s Password Protected blog.  We jumped at the chance to reprint it here.

Following the Seventh Circuit’s recent decision in Lewert v. P.F. Chang’s China Bistro, Inc., 2016 U.S. App. LEXIS 6766 (7th Cir. Ill. Apr. 14, 2016), many commentators quickly pronounced the Seventh Circuit fertile territory for consumer data breach class actions.  But, suggesting that such claims will thrive in the Seventh Circuit is a lot like saying the Sasquatch thrives in the Pacific Northwest.  Maybe, but the evidence is, at best, grainy and inconclusive.

The Significance and Insignificance of Lewert 

Last month in Lewert, the Seventh Circuit reversed the trial court’s dismissal of a putative class action brought by alleged victims of a 2014 data breach.  For those following data breach jurisprudence, the Seventh Circuit’s conclusion was hardly a surprise.  Just last July, the Seventh Circuit became the first federal court of appeals to find standing among data breach victims absent a showing of identity theft or unreimbursed fraud.  Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015).  In Remijas, the Court held that Article III’s “concrete and particularized injury” requirement was met by “the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft,” “time and money the class members predictably spent resolving fraudulent charges,” and “time and money customers spent protecting against future identity theft.”  P.F. Chang’s attempted to distinguish Remijas, arguing that the nature of its breach created less risk of identity theft than in Remijas.  Unlike Neiman Marcus, P.F. Chang’s also disputed that the named Plaintiffs’ data had been compromised.  The Seventh Circuit brushed aside these distinctions as immaterial at the pleading stage where Plaintiffs’ allegations are presumed true.

As a threshold matter, Lewert did not really change anything within the Seventh Circuit.  Indeed, the most notable aspect of Lewert may be how closely it hewed to last year’s Remijas decision.  The Seventh Circuit still believes that allegations of a payment card data breach can constitute a “certainly impending future harm” sufficient to satisfy the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 185 L. Ed. 2d 264 (2013).  And, it believes that certain victim activities following a payment card data breach – such as purchasing credit monitoring or expending time and resources to guard against identity theft – constitute “present injuries” for Article III purposes.  However, the Court remained “skeptical” of Plaintiffs’ more creative standing theories, like Plaintiffs’ claim that they would not have dined at P.F. Chang’s had they known of its poor data security or that Plaintiffs had a property right in their personally identifiable data.

So, is Lewert a positive development for future retail data breach plaintiffs?  Sure, to a point – it reaffirmed the Seventh Circuit’s divergence from the majority of post-Clapper data breach decisions which have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.  See, e.g., Green v. eBay Inc., No. CIV.A.14-1688, 2015 U.S. Dist. LEXIS 58047, 2015 WL 2066531, at *5 (E.D. La. May 4, 2015) (no standing because there were no allegations that the information had been used or any indication that its use was imminent); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, No. 14-cv-1138, 2015 U.S. Dist. LEXIS 31286, 2015 WL 1119724, at *6 (M.D. Pa. Mar. 13, 2015) (similar); Peters v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, No. 4:14-cv-2872, 2015 U.S. Dist. LEXIS 16451, 2015 WL 589561, *4-*5 (S.D. Tex. Feb. 11, 2015) (similar); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 660 (S.D. Ohio 2014) (similar); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 30 (D.D.C. 2014) (similar).

Consumer Data Breach Class Action:  A Mythical Beast With No Known Habitat

However, does that make the Seventh Circuit a natural habitat for retail data breach class actions?  Not quite.  A habitable environment would be one in which a consumer retail data breach class can actually be certified – not just survive a threshold motion to dismiss.  Thus far, there is no indication that the Seventh Circuit will be any more inclined to certify these types of classes than other jurisdictions.  Indeed, it is important to remember that no court has certified a consumer retail data breach class to date.  It is the Chupacabra of class actions – a subject of extensive folklore but zero empirical evidence.  The closest any court has ventured is the District of Minnesota’s certification of a class of financial institutions – not retail consumers – impacted by the 2013 Target Corporation data breach.  Target Corp. Customer Data Security Breach Litigation, MDL Case No. 14-2522, 2015 U.S. Dist. LEXIS 123779 (D.Minn. Sept. 15, 2015).  It would be fair to say that unless and until a consumer data breach class action is actually certified, there is no truly hospitable jurisdiction.  Rather, there are only jurisdictions like the Seventh Circuit (and Ninth Circuit) which do not view Clapper as an immediate death knell – and thus defending putative class actions in those jurisdictions may be more expensive.

The Mystery of Vanishing Standing

Notably, the Seventh Circuit only found that Plaintiffs had sufficiently alleged standing at the motion to dismiss stage – where Plaintiffs’ allegations are presumed true.  As the Lewert Court noted, P.F. Chang’s remains free to argue that Plaintiffs lack an injury-in-fact at the merits stage.  For example, the Court noted, “P.F. Chang’s will have the opportunity to present evidence to explain how the breach occurred and which stores it affected. Perhaps it can trace which specific data files were stolen. Perhaps each individual location’s data is behind a separate firewall.”  This language is similar to the In re Target Court’s statement that, although it was rejecting Target’s standing defense at the pleading stage, “should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”  In re Target Corp., 66 F. Supp. 3d at 1159.  In other words, even where a defendant’s standing defense is unsuccessful at the pleading stage, it may still argue at summary judgment that the class representatives were unaffected by the data breach and therefore lack an injury-in-fact.  And, of course, an uninjured plaintiff cannot represent a class of allegedly injured class members for a number of reasons – including lack of Article III standing and a failure to meet various Rule 23 requirements for class certification, such as adequacy, typicality, commonality, and predominance.  See, e.g., Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 156, 102 S. Ct. 2364, 72 L. Ed. 2d 740 (1982) (“We have repeatedly held that a class representative must be part of the class and possess the same interest and suffer the same injury as the class members.”).

Another recent case suggests that, under some circumstances, a substantial delay between the breach and a ruling on the motion to dismiss – whether by happenstance or defensive strategy – may destroy standing.  In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958 (D. Nev. 2015).  In In re Zappos, the retailer’s servers were breached in January 2012, leading to the alleged theft of the personal information of 24 million Zappos customers.  However, due to a series of “stipulated stays and other delays in this case,” Zappos’s standing challenge was not heard until over three years after the breach.  At that point, the court observed, of the 24 million customers, only twelve were before the court seeking damages, only three of those twelve had determined that the increased threat of identity theft and fraud was sufficiently severe to purchase credit monitoring services, and of those three, not a single one had identified unauthorized purchases or other manifestations of personal information misuse.  On this record, the Zappos Court found “the years that have passed without Plaintiffs making a single allegation of theft or fraud demonstrate that the risk is not immediate” and granted the motion to dismiss based on a lack of standing.  The Court distinguished its decision from other cases within the Ninth Circuit – Adobe and Sony – where standing was found, noting that, in addition to other factors, “perhaps the most distinguishing element between this case and Adobe and Sony is the amount of time from when the breach occurred to when the respective motions to dismiss were ruled upon.”  Id. at 959-60.  Though this analysis will be highly breach-specific, there may be situations – such as where the breached entity believes the threat of actual fraud or identity theft is small – where it makes strategic sense to delay attacking standing until sufficient time has passed to bolster the defendant’s lack-of-injury argument.

Predominance:  The Path to Extinction?

Since Clapper, data breach class actions have typically been dismissed or settled before any ruling on class certification, leaving some mystery as to how future class certification efforts will unfold.  However, as with the mysteries of Loch Ness, we can look to the past for possible answers.  Specifically, even if more courts follow the Seventh Circuit’s lead and find standing in data breach class actions, a visit to the pre-Clapper period reminds us that there remain formidable – and perhaps insurmountable – hurdles to a consumer data breach class certification. In re Hannaford is instructive in this regard.  In re Hannaford Bros. Co. Consumer Data Security Breach Litigation, 293 F.R.D. 21 (D. Me. 2013).  Following a massive breach of consumer debit and credit card data, Hannaford grocery stores was hit with a series of class action lawsuits.  Hannaford’s first line of defense was a motion to dismiss on standing grounds, which the court originally granted only to be partially reversed (pre-Clapper) by the First Circuit in a decision holding that those Plaintiffs who incurred post-breach mitigation expenses (such as card replacement or credit monitoring costs) had standing to assert negligence and breach of implied contract claims.  Plaintiffs moved for class certification on the surviving claims.  However, the Hannaford Court denied class certification on predominance grounds, noting that “where things differ” among the individual cardholders included “whether their particular accounts suffered fraudulent charges or not and the actual mitigating steps they took and the costs they incurred.”  In doing so, the district court was particularly concerned that Plaintiffs had not offered expert testimony, which would allow a jury to determine damages on a class-wide basis, and thus any trial would inevitably devolve into “individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”

Although the Lewert Court expressed “no opinion … on the suitability of this case for class certification,” some of its language signals serious predominance issues.  Specifically, the Court noted that although neither “Lewert nor Kosner have unreimbursed fraudulent charges on their payment cards, other class members … might.”  And such disparity in harm, causation and damages would seem to militate against predominance.  Moreover, the Lewert Court noted that “all class members should have the chance to show that they spent time and resources tracking down the possible fraud, changing automatic charges, and replacing cards as a prophylactic measure.”  Again, it is difficult to conceive of how these individualized questions of “all class members” would not devolve into a series of mini-trials on liability, causation and damages that are regularly found to defeat class certification on predominance grounds.

For now, a certified consumer data breach class remains more fantasy than fact.  Will they become viable — even commonplace?  Or, will they continue to exist only in the realm of myth and academia – never to be documented in the wild?

About the Author: Andrew Phillips is senior counsel in McGuireWoods’ Atlanta office, where he is editor of the firm’s data privacy and cybersecurity blog Password Protected.  Andrew also holds the CIPP/US credential as a Certified Information Privacy Professional from the International Association of Privacy Professionals (IAPP).  His practice focuses on representing and counseling clients in a wide variety of class action and high stakes civil litigation.