Class action over P.F. Chang data breach can proceedPosted On: Apr. 20, 2016 12:00 AM CST
A federal appeals court has reinstated a putative class action lawsuit filed by two customers of P.F. Chang's China Bistro Inc., who say they were damaged by the restaurant chain's 2014 data breach.
Scottsdale, Arizona-based P.F. Chang, which operates a nationwide chain of restaurants, announced on June 12, 2014 that its computer system had breached and some consumer credit and debit card data had been stolen, according to last week's ruling by the 7th U.S. Circuit Court of Appeals in John Lewert et al. v. P.F. Chang's China Bistro Inc.
News articles indicated the breach may have begun as far back as September 2013, according to the ruling. On Aug. 4, 2013, the chain announced it had determined data was stolen from just 33 restaurants, according to the ruling.
Plaintiff Lucas Kosner, who had dined at a P.F. Chang restaurant in Northbrook, Illinois, in April 2014, and paid with his debit card, subsequently found four fraudulent transactions on the card he had used, according to the ruling.
Mr. Lewert, who had dined at the same restaurant the same month, did not spot any fraudulent charges on his card, but said after the breach was announced he had spent time and effort monitoring his card statements, according to the ruling.
The men filed separate suits before different judges in U.S. District Court in Chicago that were consolidated in August 2014 into a single putative class action lawsuit that sought damages resulting from the breach.
The District Court dismissed the lawsuit in December, 2014, stating the plaintiffs had no standing to sue. “While plaintiffs allege that security breaches can lead to identity theft, they do not allege that it has occurred in this case,” said the ruling.
In unanimously reversing that ruling, a three-judge appeals court panel pointed to its July 2015 ruling in Remijas v. Neiman Marcus Group L.L.C.
In that ruling, the appeals court held plaintiffs had met the standard set in the U.S. Supreme Court's 2013 ruling in Clapper v. Amnesty International USA in showing a “substantial risk of harm” from the 2013 data breach,
“In the present case, several of Lewert and Kosner's alleged injuries fit within the categories we delineated” in the Neiman Marcus case, said the April 14 ruling.
“They describe the same kind of future injuries as the (Neiman Marcus) plaintiffs did: the increased risk of fraudulent charge and identity theft they face because their data has already be stolen. These alleged injuries are concrete enough to support a lawsuit,” said the panel, in remanding the case for further proceedings.
The ruling said also that it was not expressing an opinion on the merits, or suitability, of the case for class certification.