Does a Data Breach Alone Support Standing for a Class Action Lawsuit?
Recent decisions by the Seventh Circuit have moved the court closer to holding that a data breach alone is a sufficient basis to move forward with bringing a class action against a company. One of the threshold requirements for bringing a federal lawsuit is standing. In order to have standing, a litigant must “prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013).
Defendants in the Seventh Circuit have challenged whether being exposed to a data breach meets the “concrete and particularized injury” requirement. The Seventh Circuit has repeatedly said yes. In doing so, the court held that the increased risk of fraudulent credit card or debit charges and the increased risk of identity theft were “sufficiently imminent future injuries” to support standing. The Seventh Circuit also held that the time and money spent by class members resolving fraudulent charges is an injury sufficient to support standing. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015).
Recently, the Seventh Circuit had the opportunity to again address this issue. In Lewert v. P.F. Chang's China Bistro, Inc.. No. 14-3700, 2016 WL 1459226 (7th Cir. Apr. 14, 2016) the plaintiffs contended that they suffered damages as a result of an acknowledged data breach. However, unlike the Neiman Marcus case, P.F. Chang's determined that the data breach only affected customers of certain locations, which did not include the locations visited by the named plaintiffs. Despite this distinction, the Seventh Circuit held there was standing for all customers. In reaching this conclusion, the court noted that when the data breach was first discovered, P.F. Chang's reported that it affected all locations and took steps to temporarily switch all locations to a manual procedure during its investigation. Although subsequent analytics allowed P.F. Chang's to determine that only 33 locations were involved, these initial actions created a question of fact sufficient to support standing for customers of all locations. By allowing these actions to support standing for all customers, not just those at the affected locations, the Seventh Circuit demonstrated an openness to expanding standing further in data breach actions.
Legal defense costs already cause one of the largest financial impacts to companies following a data breach, accounting for an average cost of over one million dollars per data breach (Ponemon Institute© Research Report, 2015 Cost of Data Breach Study: United States). These recent rulings from the Seventh Circuit are likely to increase the number of class actions filed against companies who have had data breaches and could drive up the already high legal costs resulting from a breach.
For guidance on responding to breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Judy Okenfuss, Isaac Colunga, or Stephen Reynolds. Judy Okenfuss is a Managing Partner of Ice Miller who focuses her practice in defending manufacturers, distributers, and retailers against all types of litigation, including class actions. Isaac Colunga is a Partner in the Business Litigation who represents clients in courts around the country in consumer class actions, most recently in federal district courts in California, Florida, Illinois, Maryland, Michigan, Missouri, New Jersey, and Ohio. Stephen Reynolds, a former computer programmer and IT analyst, is a Partner in Ice Miller’s Litigation and Intellectual Property Group and co-chair of Ice Miller’s Data Security and Privacy Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.