The threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action against the party that allegedly caused a breach. This hurdle for litigants arises out of Article III of the Constitution, which limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply put, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative. Nevertheless, while a number of data breach cases have been lost at the initial pleadings stage, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss. As this body of law has developed over the years, one case in particular, Lewert v. P.F. Chang’s China Bistro, Inc., 14-3700 (7th Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs. Recent developments in this case should provide more hope for plaintiffs.

The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach in which plaintiffs claim their debit and credit card information was hacked after they visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first that “the parties’ express contract precludes both an implied contract and a consumer fraud count.” (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should be dismissed because plaintiffs lacked standing and had no damages. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.

The Seventh Circuit reversed the District Court’s dismissal of the plaintiffs’ complaint based on Remijas v. Neiman Marcus Grp., LLC., 794 F.3d 688 (7th Cir. 2015), another Seventh Circuit data breach case. In particular, the Seventh Circuit reversed the District Court’s findings based on the following:

  • The Seventh Circuit held in Remijas that the plaintiffs met their burden in showing their “injuries were concrete and particularized enough to support Article III standing.” Likewise, in P.F. Chang’s, the Seventh Circuit found allegations of an increased risk of fraudulent charges and identity theft met the plaintiffs’ burden.
  • The Seventh Circuit also found the plaintiffs in P.F. Chang’s met their burden to show causation and that a favorable judgment would redress those injuries. Here, the P.F. Chang’s Court held that plaintiffs alleged sufficient facts to plausibly show their information was likely included in the hack at P.F. Chang’s. The plaintiffs’ alleged financial injuries, which include the lost opportunity to accrue points on a credit card while waiting for a replacement and the time and resources spent to track any fraudulent charges, were also sufficient to show that a favorable judgment could redress those injuries.

Since the Seventh Circuit’s decision, the P.F. Chang’s case has been remanded to the trial court and the parties have continued to litigate issues related to P.F. Chang’s motion to dismiss. For example, on December 13, 2016, the District Court entered an order stating that because plaintiffs’ complaint was dismissed by the District Court for lack of standing, the District Court did not address P.F. Chang’s additional arguments for dismissal. The District Court further ordered the parties to submit briefs discussing the issues that remained unresolved after the Seventh Circuit found plaintiffs had standing to bring suit. Last February, P.F. Chang’s filed a motion for leave to file additional briefs in support of its motion to dismiss. In its briefs, P.F. Chang’s argued plaintiffs’ complaint should be dismissed because the plaintiffs’ purchases formed express contracts rather than implied contracts and plaintiffs’ allegations did not support a claim that P.F. Chang’s violated the Illinois Consumer Fraud Act. Plaintiffs filed a brief in opposition which argued that P.F. Chang’s “filed a new, full-throated motion to dismiss.”

On April 26, 2017, the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.

While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage, as many courts found their damages were too speculative to survive a motion to dismiss. It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since the Neiman Marcus case recently settled before we could see how that litigation would unfold through discovery and further motion practice.