P.F. Chang's Ruling: Is the Tide Shifting?Sizing Up the Impact of Court Decision on Post-Breach Class Action Lawsuit
Does a federal appellate court's decision allowing a breach-related class-action lawsuit against restaurant chain P.F Chang's to move forward - and a similar, earlier decision in a case against Neiman Marcus - signal a change in tide for post-breach lawsuits? Legal experts offer widely varying opinions.
See Also: The Global State of Online Digital Trust
Last week, the Seventh Circuit Court of Appeals overturned a lower court's ruling that rejected the case against P.F. Chang's. The higher court ruled the case could proceed because the risk of "future injuries" suffered by consumers impacted by the breach are "sufficiently imminent."
Back in July 2015, the Seventh Circuit also reversed a lower court's decision to dismiss the Neiman Marcus case, which seeks damages for consumers who had card data exposed as a result of the luxury retailer's 2013 data breach (see Is Neiman Marcus Case a Game-Changer?).
In that ruling, the court found that Neiman Marcus' decision to provide potentially affected customers with a year of free credit monitoring and identity theft protection amounted to acknowledgement of significant risk. The panel also found that consumers impacted by the breach "should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing."
The rulings in these two cases could signal a substantial change in how federal courts view harm in the wake of a retail breach, says cybersecurity attorney Chris Pierson, who also serves as CISO of invoicing and payments provider Viewpost.
But John Buzzard, the former head of FICO's Card Alert Service, who now works as director of product management for security firm Rippleshot Fraud Analytics, argues that the appellate court rulings won't have a lasting impact.
Commenting on the two cases, Pierson notes: "In the [P.F. Chang's] case, the Seventh Circuit has found that sufficiently imminent allegations of possible future injury are present, such as the increased risk of identity theft and increased risk of fraudulent charges. It is difficult to reconcile the fact that federal laws already provide for mitigation of nearly all the risk of fraudulent charges with this decision. Simply put, customers are not liable for charges under federal law if they report them in a timely manner, with some caveats, which are usually waived by banks."
Nevertheless, the court's determination in the P.F. Chang's case that future injuries related to the breach were "imminent" could support the filing of more consumer class-action suits after card breaches, Pierson adds.
"The tides appear to be changing for data breach cases as it relates to being able to achieve standing under Article III [of the Constitution]," he says. "This shift is akin to environmental law cases involving the release of toxic chemicals into ground water, where a future, but likely, impending harm will occur. So, too, is this notion of an objective reasonable likelihood of injury occurring that is noted in the P.F. Chang's and Neiman Marcus cases."
Buzzard offers a far different assessment.
"I don't expect there to be a precedent-setting judgment here, but I know that many people equate the movement through the judicial system as positive proof that the responsible and negligent parties will be sanctioned in some way," he says. "Instead, anticipate blustering and posturing but not a major judgment that will have resoundingly negative effects for years to come."
The Issue of 'Harm'
Many previous consumer class-action lawsuits claiming harm in the wake of a payments breach have been dismissed or settled outside the courtroom. Because issuing banks ensure consumers are not liable for fraud that results from stolen card data, proving harm has been difficult (see No Injury: Michaels POS Malware Lawsuit Dismissed).
"Since the application of law is based on fact, a future application of 'harm' seems a bit far-fetched," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "For the good of our legal system, it is best to stick to the proven facts of any case. And the proven fact is that very few victims of data breaches become identity theft victims, which is not a good argument for the litigants. Financial institutions monitor breached cards carefully or replace them, so fraudulent transactions are minimized as well after the breach is detected."
Inscoe argues that if the P.F. Chang's case goes to trial, "it will be extremely difficult to prove any damage done to consumers that would enable them to win. "As demonstrated in prior cases, consumers are made whole financially by their financial institutions because they are protected under Regulation E [Electronic Funds Transfer Act]. It is so easy to file these claims, and banks are typically so quick to restore the funds to the account, that true grounds for a class-action lawsuit seem far-fetched."
Similarly, Avivah Litan, an analyst with consultancy Gartner, says in the wake of a breach of payment-related information, "the only harm that consumers can incur, in my opinion, is negligible, e.g. time spent disputing the fraudulent charge and the costs of the services consumed, such as the meal at P.F. Chang's, that resulted in payment card fraud because of the data breach."
If the courts, indeed, redefine "harm" to include such costs, Litan says, "then get ready for an onslaught of lawsuits against breached retailers and other entities taken on by overzealous lawyers. This would be very bad news, in my opinion, should this happen."
P.F. Chang's Suit
On April 14, the Seventh Circuit overturned a lower court's 2015 ruling to dismiss the 2014 class-action suit filed against P.F. Chang's. The suit stemmed from P.F. Chang's 2013 data breach, which affected 33 locations between October 2013 and June 2014.
"We concluded that several of those plaintiffs' injuries were concrete and particularized enough to support Article III [of the U.S. Constitution] standing," the Seventh Circuit's ruling reads. "First, we identified two future injuries that were sufficiently imminent: the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft. These, we found, were not mere 'allegations of possible future injury,' but instead were the type of 'certainly impending' future harm that the Supreme Court requires to establish standing."
In the Neiman Marcus case, an appellate court panel ruled that consumers were at risk because of the breach.
In September, the court denied Neiman Marcus' petition to have its case reheard before the entire Seventh Circuit of judges, rather than just a panel. Neiman Marcus appealed to the Supreme Court in December and was granted in January an extension to file a motion to have its case heard.
Neither P.F. Chang's nor Neiman Marcus responded to Information Security Media Group's request for comment.
So what will happen next in the P.F. Chang's case?
Here's how Pierson sizes it up: "Given the changing nature of data breach cases not being dismissed for lack of standing, this case is likely to either settle or face one more hurdle prior to discovery taking place. P.F. Chang's may seek to file for a motion for summary judgment ahead of discovery. Given the time that has lapsed since the breach, the priority of management time focused on the electronic discovery aspects of this case, and the potential settlement risk, taking into account insurance, P.F. Chang's may seek to resolve this matter before the end of the year."