Financial Services Law Developments: FYI: 7th Cir Holds Data Breach Plaintiffs Alleged Enough For Art III Standing, But Ruling May Not Hold Up Under Spokeo

Monday, May 23, 2016

FYI: 7th Cir Holds Data Breach Plaintiffs Alleged Enough For Art III Standing, But Ruling May Not Hold Up Under Spokeo

Reversing the trial court's ruling dismissing the action for lack of standing, the U.S. Court of Appeals for the Seventh Circuit recently held that the increased risk of fraudulent credit or debit card charges and possible identity theft due to a data breach that already occurred was "certainly impending future harm", and was sufficient for Article III standing.

In addition, the Court also held that time and money the plaintiffs allegedly spent resolving fraudulent charges and plausible identity theft, also were sufficient injuries for Article III standing.

However, this opinion was issued prior to the Supreme Court of the United States' ruling in Spokeo v. Robins, which clarified that harm sufficient to confer Article III standing cannot be hypothetical or conjectural; it must be "actual or imminent." It is not clear whether the Seventh Circuit's ruling in this case will withstand scrutiny under Spokeo v. Robins.

A copy of the opinion is available at: Link to Opinion

A restaurant chain experienced a computer hack which resulted in credit and debit-card data being stolen. On June 12, 2014, the restaurant announced this computer hack and as a precaution encouraged its customers to monitor their card statements.

Months after the original announcement, the restaurant determined the data was stolen from only 33 restaurants, including only one from Illinois. The plaintiffs did not dine at this location.

The plaintiffs each brought their own suit against the restaurant chain seeking damages resulting from the data security breach, on behalf of themselves and on behalf of a putative class.

The first plaintiff allegedly dined at the restaurant chain in April, 2014 and supposedly noticed fraudulent charges on his debit card two months later. This plaintiff allegedly then learned about the data breach at the restaurant and claimed that he purchased a credit monitoring service to protect against identity theft. He spent $106.89 on the service.

The second plaintiff dined at the same restaurant location as the first plaintiff, but did not have any fraudulent charges on his debit card. However, the second plaintiff alleged he spent spend time and effort monitoring his credit card statements and his credit report to ensure that no fraudulent charges had been made on his card.

The two suits were consolidated. In the aggregate, the claims they asserted on behalf of the class exceeding $5,000,000 and minimal diversity existed. The district court dismissed the consolidated action for lack of standing.

As you recall, to invoke federal jurisdiction, plaintiffs must demonstrate that they have suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.

The Seventh Circuit previously examined standing in a case involving a data breach. In Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), a department store experienced a data breach that potentially exposed the payment–card data of all customers who paid with cards during the previous year. The Seventh Circuit identified two future injuries that were sufficiently imminent: the increased risk of fraudulent credit or debit-card charges, and the increased risk of identity theft. The Seventh Circuit held in Remijas that these were not mere "allegations of possible future injury," but instead were the type of "certainly impending" future harm that the Supreme Court requires to establish standing.

The Seventh Circuit in Remijas also held there was no need to speculate as to whether customer information had been stolen and what information was taken where a data theft that had already occurred.

Moreover, the Seventh Circuit in Remijas found injuries sufficient for standing in the time and money the class members spent resolving fraudulent charges, as well as in the identity theft that had already occurred or in the time and money spent protecting against future identity theft. The Seventh Circuit in Remijas held that the fact that the data breach had already occurred made the risk of identity theft and fraudulent charges sufficiently immediate to justify mitigation.

In the instant case, the plaintiffs alleged the same sort of future injuries as were discussed in Remijas. The Seventh Circuit found it is plausible to infer a substantial risk of harm from a data breach because a primary incentive for hacks is to make fraudulent charges or assume the consumers' identities.

The Seventh Circuit held that both named plaintiffs alleged sufficient facts to support standing. According to the Court, one plaintiff had already allegedly experienced fraudulent charges, although the bank was able to stop the charges before they went through, and the other plaintiff allegedly spent time and effort monitoring his financial information as a guard against fraudulent charges and identity theft.

The defendant restaurant chain argued that the plaintiffs' mitigation was unreasonable because there was no threat of identity theft. However, the plaintiffs alleged that the defendant had encouraged customers to monitor their credit reports, rather than simply their credit and debit card statements for existing affected cards. The First Circuit previously found that expenses for replacing cards and purchasing a credit monitoring service were reasonably mitigation after a data breach. See Anderson v. Hannahford Bros. Co., 659 F.3d 151, 162 (1st Cir. 2011). Thus, Seventh Circuit here ruled that the plaintiffs' mitigation was reasonable.

The defendant also contested whether the plaintiffs' data was actually exposed in the breach. The Seventh Circuit found this immaterial as the plaintiffs' factual allegations must only be plausible at the pleadings stage. The Court held that the plaintiffs did plausibly allege their data was stolen, as the defendant addressed customers who had dined at all of its stores in the United states, and admitted it did not originally know how many stores were affected. The Court noted that although this creates a factual dispute, it does not destroy standing.

The Seventh Circuit also briefly discussed the plaintiffs' other alleged injuries. The Court found that at least some of the plaintiffs' injuries qualify as immediate and concrete injuries to support Article III standing.

The Seventh Circuit then addressed causation and redressability. The Court found that the plaintiffs alleged that the defendant's location they both visited was among the locations involved in the data breach and included enough facts to meet the plausibility standard. The defendant alleged alternative causes for the plaintiffs' claim, but the Court held that merely identifying potential alternative causes does not defeat standing.

As to redressability, the Court held that the plaintiffs and those in the putative class (should it be certified), allegedly have quantifiable financial injuries including purchasing a credit monitoring service, loss of point accrual (if it has monetary value), and reimbursement for fraudulent charges. The Seventh Circuit held that a favorable judgment would redress the plaintiffs' injuries.

The Seventh Circuit lastly addressed the defendant's alternative argument that the plaintiffs failed to state a claim upon which relief could be granted. The Court did not address this argument as the district court dismissed the plaintiffs' claims for lack of subject matter jurisdiction. The Court noted it could only grant additional relief if the appellee files a cross-appeal and the defendant in this case did not do so.

In sum, the Seventh Circuit concluded that the plaintiffs alleged enough to support Article III standing, and reversed the trial court's ruling.

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 18th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751

Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

Financial Services Law Updates

and

The Consumer Financial Services Blog™

and

Webinars

and

California Finance Law Developments

and

Insurance Recovery Services

PLEASE NOTE:

The editor and sponsoring law firm of this blog represent and serve banks, lenders, loan buyers, loan servicers, debt collectors, and other financial services companies. We do not represent consumers.

Any communications or information obtained may be provided to our clients, including for the purpose of debt collection.

The information in this blog and related updates is general in nature, and should not be considered legal advice.

Legal advice requires a full and complete understanding of a particular situation. Your situation may involve material facts that prevent the direct application of the information in this blog and related updates.

You will not become a client of the editor or sponsoring law firm simply by reading this blog.

In order to become a client of the editor or sponsoring law firm, the editor or sponsoring law firm must agree to represent you in writing.

Until we agree to represent you in writing, we are not prevented from representing any other party.

Until you are a client of the editor or sponsoring law firm, any communications with us will not be confidential.

The Editor's Bio

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, 33rd Floor
Chicago, Illinois 60602
Direct: (312) 493-0874
RWutscher@MauriceWutscher.com
https://www.MauriceWutscher.com/

Ralph Wutscher's practice focuses primarily on representing depository and non-depository mortgage lenders and servicers, as well as mortgage loan investors, distressed asset buyers and sellers, loss mitigation companies, automobile and other personal property secured lenders and finance companies, credit card and other unsecured lenders, and other consumer financial services providers. He represents the consumer lending industry as a litigator, and as regulatory compliance counsel.

Ralph has substantial experience in defending private consumer finance lawsuits, including cases ranging from large interstate putative class actions to localized single-asset cases, as well as in responding to regulatory investigations and other governmental proceedings. His litigation successes include not only victories at the trial court level, but also on appeal, and in various jurisdictions. He has successfully defended numerous putative class actions asserting violations of a wide range of federal and state consumer protection statutes. He is frequently consulted to assist other law firms in developing or improving litigation strategies in cases filed around the country.

Ralph also has substantial experience in counseling clients regarding their compliance with federal laws, and with state and local laws primarily of the Midwestern United States. For example, he regularly provides assistance in connection with portfolio or program audits, consumer lending disclosure issues, the design and implementation of marketing and advertising campaigns, licensing and reporting issues, compliance with usury laws and other limitations on pricing, compliance with state and local “predatory lending” laws, drafting or obtaining opinion letters on a single- or multi-state basis, interstate branching and loan production office licensing, evaluations and modifications of new or existing products and procedures, debt collection and servicing practices, proper methods of responding to consumer inquiries and furnishing consumer information, as well as proposed or existing arrangements with settlement service providers and other vendors, and the implementation of procedural or other operational changes following developments in the law.

Ralph is a member of the Governing Committee of the Conference on Consumer Finance Law. He is also the immediate past Chair of the Preemption and Federalism Subcommittee for the ABA's Consumer Financial Services Committee. He served on the Law Committee for the former National Home Equity Mortgage Association, and completed two terms as Co-Chair of the Consumer Credit Committee of the Chicago Bar Association.

Ralph received his Juris Doctor from the University of Illinois College of Law, and his undergraduate degree from the University of California at Los Angeles (UCLA). He is a member of the national Mortgage Bankers Association, the American Bankers Association, the Conference on Consumer Finance Law, DBA International, the ACA International Members Attorney Program, as well as the American and Chicago Bar Associations.

Ralph is admitted to practice in Illinois, as well as in the United States Court of Appeals for the Seventh Circuit, the United States District Courts for the Northern and Southern Districts of Illinois, and the United States District Court for the Eastern District of Wisconsin, and has been admitted pro hac vice in various jurisdictions around the country.