Lewert v. P.F. Chang's China Bistro, Inc.

• Decision Date: 14 April 2016
• Docket Number: No. 14–3700.,14–3700.
• Parties: John LEWERT, on behalf of himself and all others similarly situated, et al., Plaintiffs–Appellants, v. P.F. CHANG'S CHINA BISTRO, INC., Defendant–Appellee.
• Court: U.S. Court of Appeals — Seventh Circuit

819 F.3d 963

John LEWERT, on behalf of himself and all others similarly situated, et al., Plaintiffs–Appellants,

v.P.F. CHANG'S CHINA BISTRO, INC., Defendant–Appellee.

No. 14–3700.

United States Court of Appeals, Seventh Circuit.

Argued Jan. 13, 2016.

Decided April 14, 2016.

Joseph Siprut, Attorney, Siprut PC, Chicago, IL, for Plaintiffs–Appellants.

Jon P. Kardassakis, Attorney, Lewis Brisbois Bisgaard & Smith LLP, Los Angeles, CA, Thomas Alexander Lidbury, Attorney, Lewis Brisbois Bisgaard & Smith LLP, Chicago, IL, for Defendant–Appellee.

Before WOOD, Chief Judge, and BAUER and HAMILTON, Circuit Judges.

WOOD, Chief Judge.

About two months after they dined at P.F. Chang's China Bistro, in Northbrook, Illinois, John Lewert and Lucas Kosner received the unwelcome news that the restaurant's computer system had been hacked and debit-and credit-card data had been stolen. Lewert and Kosner brought separate suits, which were later consolidated, seeking damages resulting from the theft on behalf of themselves and a class. Concluding that they had not suffered the requisite personal injury, the district court dismissed for lack of standing. FED.R.CIV.P. 12(b)(1). In light of Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir.2015), we reverse and remand for further proceedings.

I

P.F. Chang's operates a chain of restaurants throughout the United States. On June 12, 2014, the company announced that its computer system had been breached and some consumer credit- and debit-card data had been stolen. At the time, it did not know how many consumers were affected, whether the breach was general or limited to specific locations, or how long the breach lasted. As a precaution, it switched to a manual card-processing system at all locations in the continental United States and encouraged its customers to monitor their card statements. News articles indicated that the breach might have begun as far back as September 2013. Later that summer, on August 4, 2014, P.F. Chang's announced that it had determined that data was stolen from just 33 restaurants. The only affected restaurant in Illinois, it reported, was at the Woodfield Mall in Schaumburg (a suburb of Chicago).

Kosner dined at a different P.F. Chang's, located in Northbrook, on April 21, 2014, and paid with his debit card. On June 8, 2014, four fraudulent transactions were made with the card he had used, and so he cancelled it immediately. Later in June, Kosner learned about the breach at P.F. Chang's. Putting two and two together, he noted that the fraudulent charges on his card had appeared shortly after he dined at P.F. Chang's, and he drew the conclusion that his debit-card data were among those compromised by the breach. Based on that concern, he purchased a credit monitoring service to protect against identity theft, including against criminals using the stolen card's data to open new credit or debit cards in his name. He spent $106.89 on the service.

On April 3, 2014, Lewert dined at the same P.F. Chang's in Northbrook as Kosner later patronized. Lewert, too, paid with his debit card. The consequences for Lewert were less troubling: he did not spot any fraudulent charges on his card, nor did he cancel his card and suffer the associated inconvenience or costs. Lewert did allege, however, that after P.F. Chang's initially announced the breach in June 2014, he spent time and effort monitoring his card statements and his credit report to ensure that no fraudulent charges had been made on that card and that no fraudulent accounts had been opened in his name.

Lewert and Kosner seek to represent a class of all similarly situated customers whose payment data may have been compromised. Their actions were consolidated on June 24, 2014. In the aggregate, the claims they assert on behalf of the class exceed $5,000,000 in value. Minimal diversity exists: Lewert and Kosner are citizens of Illinois, while P.F. Chang's is a Delaware corporation with its principal place of business in Arizona. Putting to one side the central issue of Article III standing, to which we return, the district court therefore had jurisdiction under the Class Action Fairness Act (CAFA), 28 U.S.C. § 1332(d)(2). As we said, the district court dismissed the consolidated action for lack of standing.

II

We consider de novo the question whether a plaintiff satisfies the standing criteria imposed by Article III of the Constitution. Reid L. v. Ill. State Bd. of Educ., 358 F.3d 511, 515 (7th Cir.2004). The district court "must accept as true all material allegations of the complaint, drawing all reasonable inferences therefrom in the plaintiff's favor, unless standing is challenged as a factual matter." Id. The plaintiffs, as the "part[ies] invoking federal jurisdiction," bear the burden of establishing Article III standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). They must demonstrate that they have "suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision." Hollingsworth v. Perry, ––– U.S. ––––, 133 S.Ct. 2652, 2661, 186 L.Ed.2d 768 (2013) (citing Lujan, 504 U.S. at 560–61, 112 S.Ct. 2130 ).

A

This is not our first time to examine standing in a case involving a data breach. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir.2015), the high-end department store Neiman Marcus experienced a data breach that potentially exposed the payment-card data of all customers who paid with cards during the previous year. Id. at 690. The store alerted all potentially affected customers and offered a credit monitoring service to each of them. Id. The plaintiffs had shopped at Neiman Marcus during the time the information was exposed to the invader. Id. They brought a class action based on the breach. Id. at 691.

We concluded that several of those plaintiffs' injuries were concrete and particularized enough to support Article III standing. First, we identified two future injuries that were sufficiently imminent: the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft. Id. at 691–94. These, we found, were not mere "allegations of possible future injury," but instead were the type of "certainly impending" future harm that the Supreme Court requires to establish standing. Id. at 692 (internal quotation marks omitted) (quoting Clapper v. Amnesty Int'l USA, ––– U.S. ––––, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013) ). In Clapper, the plaintiffs expressed only their fear that the government might have intercepted their private communications. Clapper, 133 S.Ct. at 1148. The Supreme Court held that this injury was too speculative to support standing to challenge the Foreign Intelligence Surveillance Act. Id. In contrast, the alleged data theft in Remijas had already occurred. Remijas, 794 F.3d at 693. In the latter situation, we held, "there is ‘no need to speculate as to whether [the Neiman Marcus customers'] information has been stolen and what information was taken.’ " Id. (alteration in original) (quoting In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1214 (N.D.Cal.2014) ). The plaintiffs "should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such injury will occur." Id. (quoting Clapper, 133 S.Ct. at 1147 ).

Remijas also found injuries sufficient for standing in the time and money the class members predictably spent resolving fraudulent charges (even if the bank ultimately repaid those charges), as well as in the identity theft that had already occurred and in the time and money customers spent protecting against future identity theft or fraudulent charges. Id. at 694. While mitigation expenses qualify as "actual injuries" only when the harm is imminent, the data breach in Remijas had already occurred. This made the risk of identity theft and fraudulent charges sufficiently immediate to justify mitigation efforts. Id. (citing Clapper, 133 S.Ct. at 1152 ).

In the present case, several of Lewert and Kosner's alleged injuries fit within the categories we delineated in Remijas. They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen. These alleged injuries are concrete enough to support a lawsuit. P.F. Chang's acknowledges that it experienced a data breach in June of 2014. It is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is "sooner or later[ ] to make fraudulent charges or assume those consumers' identities[.]" Id. at 693. Lewert is at risk for both fraudulent charges and identity theft. Kosner has already cancelled his debit card, but he is still at risk of identity theft. Other members of the would-be class will be in the same position as one or the other named plaintiff.

Similarly, Lewert and Kosner have alleged sufficient facts to support standing based on their present injuries. Kosner asserts that he already has experienced fraudulent charges. Even if those fraudulent charges did not result in injury to his wallet (he stated that his bank stopped the charges before they went through), he has spent time and effort resolving them. He also took measures to mitigate his risk by purchasing credit monitoring for $106.89. Lewert alleged that he has spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft.

P.F. Chang's accepts Remijas's holding that the time and money spent resolving fraudulent charges are cognizable injuries for Article III standing. (We emphasize that we speak only of allegations—whether any compensable losses occurred is a question for the merits.) But it does argue that the plaintiffs'...