For the second time in less than a year, the 7th Circuit has found standing by plaintiffs seeking class certification for a data breach.
On April 14, 2016 the 7th Circuit issued its opinion in Lewert v. P.F. Chang’s China Bistro, Inc. PF Chang Opinion (7th Circuit April 14, 2016) (01168901xAE57E)
P.F. Chang had a credit card breach in 2014 involving 33 restaurants in the Chicago area. Customers affected by the breach sought class certification which the district court denied on grounds plaintiffs had no standing.
The Court of Appeals reversed the lower court, finding that class representatives alleged sufficient harm by way of fraudulent credit card charges, $106 in credit monitoring costs and time monitoring potential identity theft.
This is the second time the 7th Circuit has found standing for data breach claimants, the first being the Neiman Marcus decision issued last summer. Rejimilas v Neiman Marcus 7th Circuit Opinion (2015) (01129892xAE57E) P.F. Chang tried to distinguish Neiman Marcus because its breach involved only credit cards so there was no risk of wider identity theft. In rejecting this argument, the court said that it is unknown whether a stolen credit card can lead to identity theft.
Plaintiffs argued that they were damaged in the amount of their meal because they would not have eaten at P.F. Chang’s had they known data security was ineffective. The court’s response was tepid.
Plaintiffs also alleged that their identity has value, just as a stolen car has value. The court stated that a court that previously found value in personal identity had limited scope.
P.F. Chang highlights (again) the importance of an insured’s first response to a breach. The fact that Neiman Marcus offered credit monitoring helped persuade the court that the store anticipated harm to its customers. And P.F. Chang’s suggestion that customers monitor credit reports also raised the specter of future