John Lewert v. P.F. Chang's China Bistro, Inc
2016 U.S. App. LEXIS 6766
| 7th Cir. | 2016Background
- P.F. Chang’s disclosed in June 2014 that its payment-card system had been breached and cardholder data stolen; initially it treated the breach as potentially nationwide, later identifying 33 affected restaurants (only one in Illinois).
- Plaintiffs John Lewert and Lucas Kosner dined at a Northbrook, IL P.F. Chang’s in April 2014 and paid with debit cards; Kosner experienced fraudulent transactions and purchased credit monitoring for $106.89; Lewert alleges time spent monitoring accounts.
- Plaintiffs filed consolidated class actions (claims exceed $5,000,000) invoking CAFA jurisdiction; the district court dismissed for lack of Article III standing under Rule 12(b)(1).
- On appeal, the Seventh Circuit considered whether the plaintiffs alleged a concrete, particularized injury fairly traceable to P.F. Chang’s breach and redressable by relief.
- The court evaluated both (1) imminent/future risks (fraudulent charges and identity theft) and (2) concrete present injuries (fraud resolution efforts, purchase of credit monitoring, time spent monitoring accounts).
- The Seventh Circuit reversed the dismissal, finding some alleged injuries adequate for Article III standing and remanded for further proceedings; it did not decide merits or class-certification suitability.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III injury — risk of future fraud/identity theft | Breach already occurred; increased and imminent risk of fraudulent charges and identity theft supports standing | Risk speculative if plaintiffs’ cards were not actually compromised or breach limited to other locations | Court: Risk of imminent fraud/identity theft from an actual breach is a concrete injury under Remijas; plaintiffs plausibly allege their data was stolen, supporting standing |
| Present mitigation/time/money spent | Time/effort monitoring accounts and purchase of credit monitoring are concrete injuries incurred to mitigate imminent harm | Mitigation unreasonable if breach posed only limited risk (e.g., only card charges, not identity theft) | Court: Such mitigation is cognizable where breach has occurred and risk is immediate; reasonableness of mitigation is a merits/factual issue |
| Causation and traceability | Plaintiffs allege their Northbrook data was compromised and thus harms are traceable to P.F. Chang’s breach | P.F. Chang’s contests that plaintiffs’ data was compromised and that fraudulent charges stem from its breach | Court: Plaintiffs have pleaded plausible facts on exposure; causation disputes are factual defenses for merits discovery, not jurisdiction at pleading stage |
| Other asserted injuries (meal cost; property right in data; state-law damages) | Plaintiffs contend meal cost and a property interest in personal data constitute injury; Illinois consumer statute protects data loss | P.F. Chang’s denies these show Article III injury; Illinois law requires actual damages | Court: Skeptical—purchase cost claims more apt for defective/dangerous-product cases; no general recognized property interest in PII; Illinois law requires actual damages — these theories unlikely to establish standing here |
Key Cases Cited
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs had standing based on imminent risk of fraud/identity theft and mitigation expenses)
- Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (future injury must be certainly impending to confer standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing requires concrete, particularized injury traceable to defendant and redressable)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility pleading standard)
- Hollingsworth v. Perry, 133 S. Ct. 2652 (2013) (standing elements summarized)
- Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014) (interpreting Video Privacy Protection Act; does not create general property interest in PII)
- Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) (credit-monitoring and card-replacement costs recognized as reasonable mitigation after data breach)
- Price Waterhouse v. Hopkins, 490 U.S. 228 (1989) (shifting burdens in multi-defendant causation contexts)