In Lewert v. PF Chang’s China Bistro, Inc., Nos. 14 C 4787, 14 C 4923 (7th Cir. April 14, 2016), the Seventh Circuit had another opportunity to explain that standing in the data breach context can be found when the threat of injury is imminent. Just as in Remijas v. Neiman Marcus, which it relies on extensively, the Court holds that when a computer system is hacked, the intent was to steal credit and debit card information. Therefore, it is entirely plausible, according to the Court, to infer standing to sue.
PF Chang’s system was hacked in 2014. One of the named plaintiffs, Lewert, experienced fraudulent charges while the other, Kosner, had not suffered any fraudulent charges. “[S]everal of Lewert and Kosner’s alleged injuries fit within the categories we delineated in Remijas. They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen…Lewert is at risk for both fraudulent charges and identity theft. Kosner has already cancelled his debit card, but he is still at risk of identity theft. Other members of the would–be class will be in the same position as one or the other named plaintiff.”
The Court further held that there was sufficient present injury to support standing: “…Lewert and Kosner have alleged sufficient facts to support standing based on their present injuries. Kosner asserts that he already has experienced fraudulent charges. Even if those fraudulent charges did not result in injury to his wallet (he stated that his bank stopped the charges before they went through), he has spent time and effort resolving them. He also took measures to mitigate his risk by purchasing credit monitoring for $106.89. Lewert alleged that he has spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft.”
Significantly, the Court did not address whether the case could be dismissed for failure to state a claim. Unlike other circuits, the Seventh Circuit has long found standing in the data breach context, but has dismissed such actions for failure to state a claim because there are no damages. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007). In addition, the latest line of Seventh Circuit decisions on standing, while seemingly out of sync with other circuits, must be understood as limited to the hacking context, in which it is more likley that information will be stolen.