UNITED STATES – On August 25, 2017, the Seventh Circuit Court of Appeals offered a stern reminder of its distaste for “hollow class-action settlements” that benefit the plaintiffs’ lawyers but not the plaintiffs themselves. See In re Subway Footlong Sandwich Mktg. & Sales Practices Litig., No. 16-1652, 2017 U.S. App. LEXIS 16260 (7th Cir. 2017). In In re Subway, the Seventh Circuit evaluated a class action settlement that arose from claims (not ultimately supported in the lawsuit) that Subway’s “foot long sub” sandwiches (“footlong subs”) did not always live up to their twelve-inch billing. In reversing the district court’s approval of the settlement, the Seventh Circuit reinforced the significance of Rule 23(a) of the Federal Rules of Civil Procedure — requiring that class action representatives “fairly and adequately protect the interests of the class” — and Rule 23(e)(2) — requiring that class action settlements be “fair, reasonable and adequate.” The Seventh Circuit also reinforced the uniqueness of the class action context, in which settlement agreements not only can be, but must be, scrutinized by the district court judge with “the high duty of care that the law requires of fiduciaries.” In so ruling, the Seventh Circuit made clear that district courts facing proposed class action settlements, and the lawyers who prepared them, each have an obligation to ensure that the real people who brought the case are the ones who receive Rule 23’s protection.
UNITED STATES – Given the increasing connectivity to the internet at home and at work, from smartphones and smart televisions to cloud solutions, resulting in vast amounts of personal information being collected, the risk of a data security incident (e.g., a “data breach”) is real. In 2015, almost half of all companies reported experiencing a data security incident within the past 12 months. This current environment, together with a recent decision by the Seventh Circuit Court of Appeals, should serve as a reminder for companies to make sure their “privacy house” is in order.
On April 14, 2016, the Seventh Circuit Court of Appeals (“Seventh Circuit” or “Court”) sought to bring clarity to whether, and when, an alleged victim of a mass data breach has standing to sue not the thief, but the entity that held the information when it was stolen. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 U.S. App. LEXIS 6766 (7th Cir. April 14, 2016). In a unanimous opinion authored by Chief Judge Diane Wood, the Seventh Circuit reversed the district court decision that denied standing to two putative class action plaintiffs — each former patrons of Chicago-area P.F. Chang’s restaurants — who sued the restaurant chain for third-party theft of consumer information. The Seventh Circuit, in a plaintiff-friendly ruling, held that customers of a restaurant who merely allege that their debit or credit card information was stolen on the restaurant’s watch may have sufficient “injury” to proceed with the lawsuit.
In P.F. Chang’s, the national restaurant chain defendant P.F. Chang’s announced on June 12, 2014, that its computer system had been breached, with certain consumer debit and credit card information stolen. P.F. Chang’s did not immediately know how many consumers were impacted, whether the breach was widespread or confined to particular locations, or for how long the breach had occurred. As a safeguard, P.F. Chang’s switched to a manual card-processing system at all locations throughout the continental United States and encouraged customers to monitor their card statements. Within three months, on August 4, 2014, P.F. Chang’s announced that data had been stolen from “just 33 restaurants,” and reported that the only affected restaurant in Illinois was at the Woodfield Mall in the Chicago suburb of Schaumburg.
In the April that directly preceded the June 2014 data breach announcement, plaintiffs John Lewert and Lucas Kosner each, on separate occasions, dined at the P.F. Chang’s restaurant located in the different Chicago suburb of Northbrook. Although the Northbrook location was not listed in P.F. Chang’s’ 33 self-reported data breach locations, Kosner, on June 8, 2014, allegedly noticed four fraudulent transactions on the same card he had used when he had dined there. Kosner cancelled his card immediately. He then learned of the P.F. Chang’s data breach later that same month and “drew the conclusion that his debit-card data were among those compromised by the breach.” Based on this concern, Kosner allegedly purchased a credit card monitoring service for $106.89 “to protect against identity theft, including against criminals using the stolen card’s data to open new credit or debit cards in his name.” Lewert, for his part, experienced consequences that the Court called “less troubling.” Unlike Kosner, Lewert spotted no fraudulent charges on his card, did not cancel his card, and thus did not suffer the “associated inconvenience or costs.” Instead, Lewert alleged that he spent “time and effort monitoring his card statements and his credit report” in the wake of the P.F. Chang’s data breach announcement.
Kosner and Lewert sued P.F. Chang’s in the U.S. District Court for the Northern District of Illinois (in Chicago) with claims relating to the data breach. In so doing, they sought to represent a class of all “similarly situated customers whose payment data may have been compromised.” The two actions were consolidated on June 24, 2014 and — once combined with the claims of the other putative class members — exceeded $5 million in aggregate value. The consolidated action conferred jurisdiction in federal court under the Class Action Fairness Act (“CAFA”). The district court, upon considering the plaintiffs’ allegations, then dismissed the case on the basis that plaintiffs lacked the requisite injuries to confer standing.
On appeal, the Seventh Circuit reviewed the district court’s order de novo and reversed. The Court acknowledged the black-letter principle, under Article III of the Constitution, that plaintiffs must have “suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Applying that standard to the instant case, the Seventh Circuit cited its 2015 decision in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), to note that this “is not our first time to examine standing in a case involving data breach.” In Remijas, the Seventh Circuit held that the data breach which plaintiffs alleged was more than mere “possible future injury” and thus satisfied Article III. Namely, the Remijas plaintiffs, like the P.F. Chang’s plaintiffs, established that their future injuries were “sufficiently imminent” by alleging the increased risk of “fraudulent credit or debit card charges” and of “identity theft.” As the Seventh Circuit opined, plaintiffs “should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing[.]” Finding that Kosner and Lewert “describe the same kind of future injuries as the Remijas plaintiffs did,” the Court held that such injuries, as alleged, “are concrete enough to support a lawsuit.”
Moreover, the Seventh Circuit noted that “injuries sufficient for standing” include the “time and money the class members predictably spent resolving fraudulent charges,” despite the bank repaying those charges. The Court further noted that standing-sufficient injuries include “the identity theft that had already occurred and in the time and money customers spent protecting against future identity theft or fraudulent charges.” As in Remijas, the Court determined that Kosner and Lewert alleged sufficient injuries. Notably, the Court reached this determination even though the fraudulent charges “did not result in injury” to either plaintiff’s “wallet,” because “he has spent time and effort resolving” the fraudulent charges and, particularly in the case of Kosner, “took measures to mitigate” the risk by purchasing “credit card monitoring for $106.89.” The Court also held, albeit without detailed analysis, that the alleged “time and effort” Lewert spent “monitoring both his card statements and his other financial information” was sufficient to support standing. In so holding, the Court rejected P.F. Chang’s’ contention that plaintiffs’ mitigation was unreasonable since the only risk facing these plaintiffs related to “fraudulent charges to affected cards, not identity theft.” In the Seventh Circuit’s view, “this factual assumption has yet to be tested,” as “information stolen from payment cards can be used to open new cards in the consumer’s name.” Thus, as a “matter of pleading, nothing suggests that the plaintiffs’ mitigation efforts were unreasonable.”
The Seventh Circuit also refused to adopt P.F. Chang’s’ assertion that plaintiffs failed to plausibly allege data theft by virtue of not having dined at the Woodfield restaurant that was the singular Illinois location listed on P.F. Chang’s’ data breach list. According to the Seventh Circuit, P.F. Chang’s “addressed all customers who had dined at all of its stores in the United States and admitted that it did not know how many stores were affected.” (Emphasis in original.) Though acknowledging that there is a “factual dispute about the scope of the breach,” the Court concluded that “it does not destroy standing.” As the Court explained: “When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.”
To be sure, the Seventh Circuit also noted that it was “skeptical” of plaintiffs’ other asserted injuries, though it did not chronicle what those alleged injuries were. Instead, the Seventh Circuit turned to the final two elements of standing, causation and redressability, and concluded that plaintiffs satisfied each. Plaintiffs alleged “enough facts to push” the allegation that “the Northbrook restaurant was among those hit by the hackers,” even though it was not included in P.F. Chang’s’ list of 33. In turn, the Court ruled that “a favorable judgment would redress the plaintiffs’ injuries” because at least some of those injuries are “easily quantifiable,” including credit monitoring services, credit card points, un-reimbursed fraud charges and even the time and effort spent responding to the fraud.
The Seventh Circuit thus parted ways with the district court and concluded that “plaintiffs have alleged enough to support Article III standing,” though it cautioned that the ruling expresses “no opinion on the merits or on the suitability of this case for class certification.”
The P.F. Chang’s decision suggests that the threshold of what constitutes an “injury” in the event of a data security incident may not be as high as once thought. Therefore, companies should implement or revisit their data privacy and IT security programs to reduce the risk of, and be prepared to appropriately respond to, a data security incident.
As a first step, companies should get a sense of what personal information they maintain about individuals (e.g., employees, consumers, business contacts) and whether the IT security measures in place are appropriate for the sensitivity of that personal information. Employees, vendors and others with access to company systems that maintain personal information should receive appropriate training on handling such information, and their access to company systems should be limited to what is necessary for their role. Companies should also assess whether they have appropriate privacy terms in place with vendors in the event a vendor experiences a data security incident on its own systems involving the company’s personal information.
In order to be prepared to respond to a data security incident, companies should also consider implementing a formal, written Data Security Incident Response Plan that details the steps that the company will take in response to a data security incident — including the designation of company and external personnel to assist with the response. To test the effectiveness of this plan, companies could conduct a “tabletop” exercise with key stakeholders to get a sense of how the Data Security Incident Response Plan works in practice.
In light of widespread access to the internet and the sophistication of criminals seeking to access company systems, there is no surefire way to prevent a data security incident; and the P.F. Chang’s ruling demonstrates that companies, themselves victims of criminal acts, may face litigation that cannot be easily dismissed at the pleadings phase. But companies can take steps to protect against the risk of breach and be prepared to respond appropriately. Indeed, if anything, P.F. Chang’s — in potentially inviting further data breach lawsuits that will bring data breach protective practices under public scrutiny — provides yet another cautionary reminder of why companies should take those steps.
UNITED STATES – On July 10, 2015, the Eleventh Circuit Court of Appeals issued a ruling that could cause state legislatures to think twice before seeking to limit the class action rights of consumer plaintiffs. In Lisk v. Lumber One Wood Preserving LLC, No. 14-11714, 2015 U.S. App. LEXIS 11891 (11th Cir. July 10, 2015), the Eleventh Circuit held that Federal Rule of Civil Procedure 23 (“Rule 23”) can permit product liability plaintiffs to bring their state law claims through a federal class action, even where those same claims could only be heard individually in state court. Where a state statute may restrict the right of plaintiffs to bring their claims through a class, the Eleventh Circuit made clear that Rule 23 imposes no such restriction. And in a putative class action brought in federal court under substantive state law – where the class-averse state statute runs headlong into Rule 23 – the Lisk court held that Rule 23 controls.
In Lisk, the plaintiff purchased “treated” wood that allegedly went rotten three years after he installed it on his fence posts. The treated wood manufacturer, however, had warranted through its product label, advertising, and website, that its treated wood remained rot-free for 15 years. When the plaintiff learned from his wood retailer that other customers had complained of the same defect, the plaintiff filed a complaint in federal court on behalf of a nationwide putative class of customers who had purchased the manufacturer’s defectively treated wood.
Plaintiff, a citizen of Alabama, sued the manufacturer, a citizen of Tennessee, as the lone defendant, alleging statutory violations of Alabama Deceptive Trade Practices Act (“ADTPA”) and breach of express warranty under Alabama common law. Although the plaintiff’s individual claim did not exceed the federal courts’ $75,000 threshold for jurisdiction, plaintiff invoked federal jurisdiction under the Class Action Fairness Act (“CAFA”). The defendant, for its part, opposed federal jurisdiction on the basis that the ADTPA provides only that the attorney general of Alabama, or a district attorney, could bring a class action. The district court agreed, and dismissed both claims. Plaintiff then appealed the case to the Eleventh Circuit.
On appeal, it was undisputed that plaintiff’s ADTPA claims – brought as private actions rather than through a public attorney – could not be brought as a state court class action. But the Eleventh Circuit, in taking a diverging view from the lower court, emphasized that this was federal court, where Rule 23 “allows class actions and makes no exception for cases of this kind.” Lisk, at *6-7. Citing the United States Supreme Court’s ruling in Shady Grove Orthopedic Associates, P.A. v. Allstate Insurance Co., the Eleventh Circuit held that Rule 23 trumps a “state law prohibition on class actions for claims of this kind.” Id. at *7-15 (citing 559 U.S. 393 (2010)).
In Shady Grove, a New York statute required insurers to pay out claims within 30 days and imposed interest at a set monthly rate for late payments. A separate New York statute followed Rule 23 requirements, but barred class actions for claims seeking statutory penalties – which included the monthly interest within the meaning of the class action statute. After an individual whose claim was paid late filed a putative class action in federal court seeking to recover the statutory interest, the Supreme Court held that Rule 23 governed such that the individual could pursue his class action in federal court notwithstanding the state statute.
The Lisk court, in turn, held that there was “no relevant, meaningful distinction between a statutorily created penalty of the kind at issue in Shady Grove, on the one hand, and a statutorily created claim for deceptive trade practices of the kind at issue here, on the other hand.” 2015 U.S. App. LEXIS 11891, at *6-9. To be sure, the Eleventh Circuit acknowledged the 4-1-4 plurality in certain parts of the Shady Grove decision, but underscored that “all five justices agreed that applying Rule 23 to allow a class action for a statutory penalty created by New York law did not abridge, enlarge, or modify a substantive right; Rule 23 controlled.” Id. at *8-9. The court also acknowledged that “some district courts” have noted that the Alabama class action bar “is part of the ADTPA itself.” Id. at *10 (citing Lisk v. Lumber One Wood Preserving, LLC, 993 F. Supp. 2d 1376, 1383-84 (N.D. Ala. 2014)). But “how a state chooses to organize its statutes affects the analysis not at all.” Id. In language that lauded substance over form, the Eleventh Circuit explained:
Surely the New York legislature could not change the Shady Grove holding simply by reenacting the same provisions as part of the statutory-interest statute … The goal of national uniformity that underlies the federal rules ought not to be sacrificed on so insubstantial a ground. And more importantly, the question of whether a federal rule abridges, enlarges, or modifies a substantive right turns on matters of substance – not on the placement of a statute within a state code.
Id. at *10-11.
Finally, the Eleventh Circuit took a close look at the Lisk facts to lay plain that a federal class action, if permitted to proceed, would not materially affect either party’s substantive rights. The court noted the manufacturer’s “substantive obligation to make only accurate representations about its product” and the substantive right of plaintiff “and other buyers to obtain wood that complied with [defendant’s] representations,” concluding that “Rule 23 alters” the parties’ “substantive rights and obligations not a whit[.]” Id. at *14. After so holding, the court turned to the substantive pleadings under Alabama law and held that the complaint adequately stated a claim under the ADTPA as well as for breach of warranty. Id. at *15-18. Accordingly, the Eleventh Circuit reversed the district court’s ruling, allowing the plaintiff, with his Alabama state law claims, to pursue a class action in federal court.
What does Lisk mean for companies looking to avoid U.S. class action litigation? It may portend broader extension of Rule 23 despite state statutes which – as the Eleventh Circuit observed – are passed by state legislatures concerned that class recoveries otherwise “may go too far.” Id. at *9. If other federal circuits follow the Eleventh’s lead, companies worldwide doing business in the U.S. should be careful not to put too much stock in state legislation that purports to provide safe harbor from unwieldy, consumer-driven class action suits. Companies should be aware that federal judges, and not state legislators, have the last word on whether those suits belong in their courtrooms; and those judges, following the lead of the Eleventh Circuit, may find that Rule 23 allows them to keep such suits there in spite of business-friendly state laws.