Seventh Circuit Applies Spokeo and Requires Actual Injury to Establish Article III Standing in FACTA Case

On December 13, 2016, the Seventh Circuit Court of Appeals became the first post-Spokeo circuit court to address the issue of Article III standing in a putative class action brought for an alleged violation of the Fair and Accurate Credit Transactions Act (“FACTA” or “the Act”), 15 U.S.C. § 1681c(g), which is itself an amendment to the Fair Credit Reporting Act (“FCRA”). Generally, FACTA prohibits a vendor or retailer who accepts a credit or debit card as a means of payment from printing more than the last five (5) digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 15 U.S.C. § 1681c(g)(1). Willful violations of the Act could subject a defendant to any actual damages sustained by the consumer, or statutory damages of not less than $100.00 and not more than $1,000.00. 15 U.S.C. § 1681n(a). The Act also provides for the potential recovery of punitive damages along with reasonable attorney’s fees and costs. Id. Thus, per the plain language of the statute, actual damages are not necessarily a precondition for a FACTA suit. Aggregated statutory damages in a class claim, as one might imagine, could prove ruinous for a defendant.

In Spokeo v. Robbins, the United States Supreme Court held that a plaintiff could not establish Article III standing by relying solely on a “bare procedural violation” divorced from any real-world harm, because “Article III standing requires a concrete injury even in the context of a statutory violation.” In the five months since Spokeo was decided however, district court decisions as to whether a plaintiff may enjoy standing to bring actions premised upon statutory violations alone have been far from consistent.

In Meyers v. Nicolet Restaurant of De Pere, the Seventh Circuit dismissed a plaintiff’s putative class claim for lack of Article III standing, as he sought only those damages that are statutorily provided-for under FACTA. More specifically, Mr. Meyers alleged that, after dining at Nicolet Restaurant of De Pere, he was given a receipt that did not truncate the expiration date of his credit card. He subsequently filed suit on behalf of all customers who had similarly been provided with receipts that were not compliant with FACTA’s requirements. While Mr. Meyers admitted seeking only statutory damages, he argued that standing was conferred upon him because, in enacting FACTA, Congress granted him the legal right to receive a receipt that truncated his credit card’s expiration date. The Seventh Circuit disagreed, finding it significant that Mr. Meyers discovered the violation immediately, and that no one ever saw the violative receipt. The Seventh Circuit found it difficult to imagine how the presence of the expiration date could have increased the risk that Mr. Meyer’s identity would be compromised, and accordingly held that, without a showing of injury apart from the failure to truncate a credit card’s expiration date, the injury-in-fact requirement under Article III could not be satisfied.

While district courts continue to interpret Spokeo in cases implicating various “no-injury” consumer and privacy statutes, this decision provides defendants with additional grounds to potentially move for dismissal. Conversely, plaintiffs are sure to use it is a roadmap to creatively tailor pleadings to establish an injury in fact.

The Seventh Circuit’s opinion in Meyers v. Nicolet Restaurant of De Pere can be found here.

Plaintiffs in P.F. Chang’s Data Breach Litigation Survive Standing Challenge

In response to an April 2014 data breach, P.F. Chang’s Bistro, Inc. effected a rapid response plan in an attempt to minimize potential injury to its consumers. The restaurant announced that its computer system had been hacked and card data had been stolen, conceding that it did not know how many consumers were affected, whether the breach was limited to certain locations, or how long the breach lasted. As an additional precautionary measure, P.F. Chang’s also switched to a manual card-processing system and encouraged all customers to monitor their credit reports for new activity.

Last week, in Lewert v. P.F. Chang’s China Bistro, Inc., No.14-3700, (7th Cir. Apr. 14, 2016), the Seventh Circuit Court of Appeals again held that two plaintiffs who filed a class action suit against it had the Article III standing required to survive dismissal. Citing to its July, 2015 decision in Remijas v. Neiman Marcus Group, LC, 794 F.3d 688 (7th Cir. 2015)), the Court concluded that the P.F. Chang’s plaintiffs’ alleged injuries were sufficient to support a lawsuit – the consumers were at an increased risk of fraudulent charges and identity theft.

In reaching its decision, the Seventh Circuit pointed to P.F. Chang’s remedial efforts to prevent consumers’ exposure to the breach. Specifically, P.F. Chang’s addressed customers who dined at all of its restaurants in its initial press release, and advised consumers to monitor their credit reports, “rather than simply the statements for existing affected cards.” The court explained that by doing so, the company implicitly acknowledged that there could be a substantial risk of harm from the data breach. P.F. Chang’s eventually determined that only thirty-three of its restaurant locations had been affected, an argument which the court stated could create a factual dispute on the merits, but that would not destroy standing.

The Seventh Circuit’s decision underscores that the initial Article III hurdle for data breach plaintiffs is not high, and should serve to mold a company’s public reaction to a potential breach.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic strip cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach – which involved transactions in late 2015 – who discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

Illinois Appellate Court Finds Increased Risk of Harm from Data Breach Insufficient to Confer Standing

As has been previously reported here, a series of recent federal court decisions has suggested a trend in data breach litigation – that an increased risk of harm will be sufficient to satisfy the injury-in-fact requirement for Article III standing. In fact, less than three weeks ago, the Seventh Circuit Court of Appeals revived a previously-dismissed data breach class action lawsuit, ruling that plaintiffs did not have to wait until hackers actually committed identity theft in order to establish standing. On August 6, 2015, the Illinois Appellate Court held exactly the opposite.

In Maglio v. Advocate Health and Hospitals Corporation, several plaintiffs sued Advocate Health and Hospital after computers containing patients’ personal information were stolen. 2015 IL App (2d) 140782 (August 6, 2015). Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they faced an increased risk of identity theft and identity fraud. Advocate Health moved to dismiss the complaint, arguing that mere stolen information is insufficient to establish standing, because an increased risk of identity theft and/or identity fraud is too speculative to constitute cognizable injury-in-fact.

Affirming the trial court’s dismissal of the action, the Illinois Appellate Court agreed with the defendant’s argument, concluding that the increased risk of harm arising out of a data breach is inadequate to confer standing on consumers. The Illinois Appellate Court noted the similarity between Illinois’ and federal standing principles, and relied for the most part on federal decisions, including Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013) – a case which the Seventh Circuit interpreted as not completely foreclosing on the use future injuries to support Article III standing. Yet, in stark contrast to recent federal court decisions, the Illinois Appellate Court opined that where no identity theft had yet occurred, the elevated risk of such harm was too speculative and conclusory to be considered a distinct and palpable injury.

The plaintiffs in Maglio also tried to achieve standing by alleging that they suffered emotional injury as a result of the data breach, such as anxiety, and that their privacy had been invaded. Again, the court found such allegations to be speculative and therefore insufficient, absent allegations of actual disclosure of personal information.

We expect to see fewer data breach class actions being filed in Illinois state courts – long criticized as plaintiff-friendly venues – and an uptick in federal court filings. The full opinion is available here.

Seventh Circuit Revives Consumer Class Action Relating To Neiman Marcus Data Breach

On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.

This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.

On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.

Please continue to monitor our blog for the latest news on data breach litigation and other privacy laws.