Hacking cases shine spotlight on faulty defenses, consumer rights

http://www.chicagolawbulletin.com/Articles/2016/04/21/Adam-Glazer-forum-4-21-16.aspx

By now, virtually every consumer knows of or was affected by highly publicized hacking incidents involving large companies’ computer systems.

The 21st century crime of data breaching, most recently aimed at certain lawyers’ papers in Panama City, Panama, also famously victimized Target, Home Depot, Ashley Madison, Sony, eBay and, ironically, the ID theft-protection firm Lifelock, among others.

When these companies get hacked, the real victims, of course, are the consumers whose data is breached, often resulting in fraudulent charges made to their credit and debit cards or the theft of their identities. The hackers themselves are usually unreachable, and so consumers increasingly focus their ire on the companies, such as P.F. Chang’s China Bistros.

In June 2014, the restaurant chain was forced to publicly announce a breach of its computer system that accessed some credit and debit card data. The number of customers involved, and the location of the restaurants affected, were not yet known. In response, P.F. Chang’s temporarily switched to manual card-processing at all U.S. restaurants and encouraged customers to monitor their credit card statements for fraudulent activity.

By August, P.F. Chang’s reported the data loss was limited to 33 restaurants with the only Illinois location being in Woodfield Mall in Schaumburg. Enter Lucas Kosner, who in April 2014 put his meal at the P.F. Chang’s in Northbrook on his debit card. In June, shortly before the P.F. Chang’s hacking announcement, Kosner canceled that card after four fraudulent charges appeared and purchased a credit monitoring service for $106.89.

John Lewert also charged his meal using a debit card at the Northbrook P.F. Chang’s in April 2014, but suffered no fraudulent charges, did not cancel his card and hired no service to protect against identity theft.

Following the P.F. Chang’s announcement in June, however, he did claim to have spent time and effort tracking his card statements and credit report for fraudulent activity.

Both Kosner and Lewert filed putative class actions in Chicago federal court, later consolidated, seeking to recover damages emanating from the data breach. P.F. Chang’s moved to dismiss, arguing the plaintiffs had not suffered cognizable damages, and the district court agreed, dismissing their claims for lack of standing.

On appeal, the 7th U.S. Circuit Court of Appeals compared the case to another hacking incident potentially exposing some 350,000 customer credit card accounts at Neiman Marcus. Neiman’s allegedly learned of the security breach in mid-December 2013, but kept it quiet to avoid disrupting the lucrative holiday shopping season.

Ultimately, Neiman’s disclosed the breach on Jan. 10, 2014, and sought to aid customers potentially affected by offering one year of complimentary credit monitoring and identity theft protection. (Yet, a Neiman’s senior vice president soon found himself testifying before the U.S. Senate Judiciary Committee about the extent of the breach.)

In response to the inevitable class-action complaints filed on behalf of the 350,000 potentially affected customers, Neiman’s too moved to dismiss for lack of standing. The district court in that case likewise granted the motion, and plaintiffs appealed.

To demonstrate standing, plaintiffs “must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.” Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015).

In both the Neiman Marcus and the recent P.F. Chang’s appellate decisions, each written by Chief Judge Diane P. Wood, the focus was on the injuries claimed. Both sets of plaintiffs alleged increased risk of future fraudulent charges and greater susceptibility to identity theft.

The defendants claimed such damages were too speculative, but in each case the 7th Circuit found they comprised the type of “certainly impending” harm required to establish standing under Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013).

The Remijas plaintiffs alleged 9,200 customers already incurred fraudulent charges from the theft of personal data, and the accompanying aggravation and lost value of their time to set things straight, while the heightened risk of theft facing the remaining 340,800 affected customers required their taking immediate preventive measures.

Neiman downplayed the risk of future harm from identity theft or fraudulent charges, particularly when major credit card companies typically reimburse customers for fraudulent charges. The plaintiffs countered that they must spend time and money replacing cards and monitoring credit scores and that full reimbursement is not guaranteed.

The 7th Circuit found it “telling” that Neiman incurred the expense of offering customers credit monitoring and identity-theft protection, which it would not do for “ephemeral” risk.

In suing P.F. Chang’s, Kosner similarly alleged fraudulent charges made to his debit card. Although his bank canceled these charges, he spent time and effort resolving them, in addition to plunking down the $106.89 for credit monitoring. Fellow diner Lewert incurred no financial damages following the P.F. Chang’s hacking, but he too spent time and effort monitoring his card statements and other financial records.

P.F. Chang’s somehow claimed these mitigation efforts were not only unreasonable, but distinct from the Neiman’s case because the only risk posed by its data breach was of fraudulent charges, not identity theft. The 7th Circuit quickly dismissed this distinction as “a factual assumption that has yet to be tested.”

The court then noted how P.F. Chang’s August announcement encouraged customers to monitor not just their card statements, but also their credit reports, suggesting the very risk to their identities it rejected on appeal.

And P.F. Chang’s internal conclusion that its Northbrook restaurant was not affected, after first requiring all restaurants to implement manual card-processing, merely creates a factual dispute about the breach’s scope, “but it does not destroy standing.” Lewert v. P.F. Chang’s China Bistro Inc., No. 14-3700 (7th Cir., April 14).

In reversing and remanding both dismissals, the court found plausible allegations of stolen data and imminent harm justifying mitigation efforts. Defendants’ arguments challenging the extent or reasonableness of the asserted damages merely created factual disputes inappropriate for resolution on a Federal Rule of Civil Procedure 12(b)(1) standing motion.

While permitting discovery to proceed seems appropriate and unremarkable in both cases, of some concern is the court’s construing the defendants’ responsible remediation efforts against them.

This aspect of the decisions seems to stray from the spirit of Federal Rule of Evidence 407, and could unfortunately deter other hacked retailers from providing credit monitoring or cautioning customers to monitor their credit reports.