Plaintiffs in P.F. Chang’s Data Breach Litigation Survive Standing Challenge
April 26, 2016
In response to an April 2014 data breach, P.F. Chang’s Bistro, Inc. effected a rapid response plan in an attempt to minimize potential injury to its consumers. The restaurant announced that its computer system had been hacked and card data had been stolen, conceding that it did not know how many consumers were affected, whether the breach was limited to certain locations, or how long the breach lasted. As an additional precautionary measure, P.F. Chang’s also switched to a manual card-processing system and encouraged all customers to monitor their credit reports for new activity.
Last week, in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. Apr. 14, 2016), the Seventh Circuit Court of Appeals again held that two plaintiffs who filed a class action suit against the company had the Article III standing required to survive dismissal. Citing its July 2015 decision in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Court concluded that the P.F. Chang’s plaintiffs’ alleged injuries were sufficient to support a lawsuit – the consumers were at an increased risk of fraudulent charges and identity theft.
In reaching its decision, the Seventh Circuit pointed to P.F. Chang’s remedial efforts to prevent consumers’ exposure to the breach. Specifically, P.F. Chang’s addressed customers who dined at all of its restaurants in its initial press release, and advised consumers to monitor their credit reports, “rather than simply the statements for existing affected cards.” The court explained that by doing so, the company implicitly acknowledged that there could be a substantial risk of harm from the data breach. P.F. Chang’s eventually determined that only thirty-three of its restaurant locations had been affected, an argument that the court stated could create a factual dispute on the merits but would not destroy standing.
The Seventh Circuit’s decision underscores that the initial Article III hurdle for data breach plaintiffs is not high, and should serve to mold a company’s public reaction to a potential breach.