May 14, 2021

Volume XI, Number 134

Advertisement

May 14, 2021

Subscribe to Latest Legal News and Analysis

May 13, 2021

Subscribe to Latest Legal News and Analysis

May 12, 2021

Subscribe to Latest Legal News and Analysis

Seventh Circuit Sets Relatively Low Threshold to Establish Standing in Data Breach Class Actions

With the proliferation of storage of personal data and the increase in hacking efforts and phishing scams, Wisconsin courts are likely to see more data breach class actions on the horizon. Wisconsin businesses handling personal data should be aware of the reasoning of the recent Seventh Circuit decision Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226 (7th Cir. Apr. 14, 2016), as well as applicable Wisconsin cybersecurity statutes.

The facts of the Lewert case are remarkably simple. Plaintiffs John Lewert and Lucas Kosner dined separately at P.F. Chang’s China Bistro in Northbrook, Illinois. Lewert and Kosner later received notifications that the restaurant’s computer system had been hacked, and customer debit card and credit card data had been stolen. The notice did not provide that Lewert’s or Kosner’s specific data had been compromised.

Lewert and Kosner filed a purported class action against P.F. Chang’s, asserting breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices law. Their purported class encompassed “all similarly situated customers whose payment data may have been compromised,” with the aggregate total in claims exceeding $5,000,000. The district court dismissed their case for lack of standing, holding that plaintiffs failed to allege that they had sustained actual injury in fact.

The Seventh Circuit reversed, holding that Lewert and Kosner had Article III standing even though neither of them lost even a penny to fraudulent card charges. Kosner claimed injury because he spent $106.89 for a credit-monitoring service to protect against identity theft after his bank stopped fraudulent card charges. Lewert spent only “time and effort monitoring his card statements and his credit report to ensure that no fraudulent charges had been made on [his] card and that no fraudulent accounts had been opened in his name.” Id. The Seventh Circuit held that Article III standing was supported by these injuries, as well as the future injuries, i.e., the risk of fraudulent charges and identity theft.

The court held that the plaintiffs plausibly alleged that their individual data was stolen, in light of P.F. Chang’s announcement of, and reaction to, the data breach:

In its June statement, P.F. Chang's addressed customers who had dined at all of its stores in the United States and admitted that it did not know how many stores were affected. It is easy to infer that it considered the risk to all stores significant enough to implement a universal, though temporary, switch to manual card-processing.

Id. at *4.

The court reasoned that P.F. Chang’s might later prove the limited scope of the breach through tracing the specific data files stolen, or the chain might learn that it was “being too optimistic and the breach was greater.” Id. The court concluded that P.F. Chang’s reaction to the breach was relevant to the breadth of the breach:

At this stage, no one knows. When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.

Id. Despite this liberal standing approach, the Seventh Circuit expressed skepticism towards plaintiffs’ claims that the cost of their meals constituted an injury, that they had a property right to their personally identifiable data, and that the Illinois Consumer Fraud and Deceptive Business Practices Act protected their personally identifiable information in the absence of actual damages.

Had Lewert and Kosner been potential victims of a data breach in Wisconsin, the Seventh Circuit’s Lewert standing standard would apply, but the plaintiffs would need to prove liability under Wisconsin law. In Wisconsin, consumers fearing injury from a data breach have limited statutory remedies. See In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1163 (D. Minn. 2014) (dismissing Wis. Stat. § 100.20 claim made by putative class because Wisconsin’s Deceptive Trade Practices Act “provides a private right of action only for violations of orders issued by the Wisconsin Department of Agriculture.”). Thus, absent a violation—which would require actual pecuniary loss, issuance of an administrative order, and a subsequent violation of that order—Wis. Stat. § 100.20 is unlikely to provide a recovery for individual consumers.

Wisconsin’s data breach notice statute, Wis. Stat. § 134.98, requires businesses serving Wisconsin consumers to “make reasonable efforts to notify each subject of [ ] personal information” obtained by an unauthorized person within 45 days of the data breach. Wis. Stat. § 134.98(2)(a)-(b), (3)(a). A violation of Wis. Stat. § 134.98 is unlikely to provide direct relief for a private plaintiff, but the statute provides, in what appears slightly inconsistent direction, that failure to comply with Wis. Stat. § 134.98 does not constitute “negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.” Wis. Stat. § 134.98(4) (emphasis added). It is not clear what more evidence beyond a statutory violation is needed to “constitute” negligence or a breach of a legal duty. Any business facing a data breach situation should take care to comply fully with Wis. Stat. § 134.98, as an alleged violation may be sufficient “evidence” of negligence or breach to withstand a motion to dismiss, or possibly even a motion for summary judgment.

Advertisement
© 2021 Foley & Lardner LLPNational Law Review, Volume VI, Number 139
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

James McKeown, Foley Lardner, antitrust attorney, litigation department lawyer, distribution disputes legal counsel, enforcement agency law
Partner

Jim McKeown is a partner with Foley & Lardner LLP and a member of the firm’s Management Committee. He is the former chair of the firm’s national Antitrust Practice and is a member of the Litigation Department and the Sports and Automotive Industry Teams. Mr. McKeown’s litigation practice includes antitrust litigation (including class action defense), distribution disputes, and general litigation. An experienced trial lawyer, he has represented clients in a number of high profile antitrust and sports cases, and he has defended several lawsuits in which the plaintiffs...

414-297-5530
Chelsey B. Metcalf, Foley, Dispute Resolution Lawyer, Civil Litigation Attorney
Associate

Chelsey Metcalf is an associate and litigation lawyer with Foley & Lardner LLP. She is a member of the firm’s Business Litigation & Dispute Resolution Practice.

As a law student, Ms. Metcalf gained experience as a summer associate at Foley, where she worked on academic, statutory, and case law research and writing projects. At the University of Wisconsin Law School, she served as a project assistant to two professors. Ms. Metcalf was also a student attorney at the Frank J. Remington Center in Madison, where she represented two clients...

414.319.7072
Advertisement
Advertisement