August 23, 2019

August 23, 2019

Subscribe to Latest Legal News and Analysis

August 22, 2019

Subscribe to Latest Legal News and Analysis

August 21, 2019

Subscribe to Latest Legal News and Analysis

August 20, 2019

Subscribe to Latest Legal News and Analysis

Back at it Again (with Standing Opinions): Seventh Circuit Reiterates Article III Standing in Data Breach Class Actions

On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F. 3d 688 (7th Circ. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.

In a blog post shortly thereafter, we discussed the import of Remijas going forward in data breach class actions.  Notably, we predicted that, in light of Remijas’s sea change in Article III standing, certifiability and causation would be the next frontier for data breach class actions.

On April 14, 2016, the Seventh Circuit again reiterated its expansive view of Article III standing, and again foreshadowed that Article III standing is, quite literally, just the beginning for data breach plaintiffs.  In Lewart v. P.F. Chang’s China Bistro, Inc., the Seventh Circuit hammered home its holding in Remijas, stating that:

  • “[T]he increased risk of fraudulent credit-or debit-card charges, and the increased risk of identity theft” are sufficient to confer Article III standing;

  • “[T]ime and money the class members predictably spent resolving fraudulent charges” is sufficient to confer Article III standing; and

  • “[T]he time and money customers spent protecting against future identity theft or fraudulent charges” is sufficient to confer Article III standing.

These allegations of harm, in most data breach class action complaints, are boilerplate.  In other words, the Seventh Circuit has made Article III standing in data breach actions in its Circuit a mere formality.  That said, this victory for the plaintiffs’ bar is pyrrhic at best.

The facts of the P.F. Chang’s breach amply demonstrate that causation will be a potentially insurmountable hurdle for data breach plaintiffs.  Specifically, P.F. Chang’s determined that “only 33 stores were affected” by the breach—and the plaintiffs dined at none of them.  While the Court punted as to this “factual dispute about the scope of the breach,” it foretells a dark future for the plaintiffs.  Apart from the obvious impact on the plaintiffs’ individual claims, the plaintiffs could not conceivably be typical and adequate representatives of the class of consumers that did dine at those 33 affected stores.  This issue—in addition to, as the Remijas Court noted, the differences in bank reimbursement policies—highlights the myriad problems with certifying and prevailing on the merits of a data breach class action.

At the end of the day, while the Seventh Circuit may have all but removed the Article III standing arrow from defendants’ quivers, the Court has laid the groundwork for defeating data breach class actions at either an early summary judgment or class certification.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

David S. Almeida, Business Attorney, Sheppard Mullin law firm
Partner

David S. Almeida is a partner in the Business Trial Practice Group in the firm's Chicago office. 

David's areas of practice are varied and include all aspects of consumer protection law, including defense of alleged consumer fraud, unfair and/or deceptive business practices claims, many of which are often associated with online and offline privacy issues, direct marketing, mobile and electronic commerce platforms, loyalty programs and various promotions practices.

312-499-6318
Associate

Mark Eisen is an associate in the Business Trial Practice Group in the firm's Chicago office.

312-499-6310