Open a newspaper on any given day, and chances are that you will read about the impacts of a new cyber-attack: accessed consumer profiles, hacked credit card information, leaks of personal customer information, etc. The March 2014 Cost of Data Breach Study: Global Analysis (sponsored by IBM) reports that the average cost to a company suffering a cyber-attack is now approximately an astounding $3.5M (an increase of 15% over 2013). Not surprisingly, the number of cyber-attacks is rapidly increasing, and virtually every type of business is a potential target, including those in the food and beverage industry. As cyber-attacks increase, so do class-action lawsuits alleging businesses have inadequately maintained their security measures. Consequently, in addition to suffering the associated public relations nightmare, the victimized businesses must also incur the high costs of defending themselves against these lawsuits.
As evidenced by a recent decision, however, business owners can take comfort in knowing that some courts are viewing these kinds of lawsuits skeptically. In June 2014, a class action lawsuit was filed against P.F. Chang’s China Bistro Inc. after the restaurant chain experienced multiple cyber-attacks between September 2013 and June 2014 (John Lewert v. P.F. Chang’s China Bistro Inc.). Plaintiffs alleged that P.F. Chang’s inadequate security measures allowed hackers to access customer credit card data, thereby causing damages to the putative class members. Those alleged damages consisted of: (1) overpayment for the services that customers were purchasing from P.F. Chang’s (which purportedly included the restaurant chain’s “service” of safeguarding their personal identifying information – a service plaintiffs claimed to never have received as evidenced by the cyber-attacks); (2) unauthorized bank account withdrawals and related bank fees; and (3) costs associated with actual or risk of identity theft.
On December 10, 2014, the United States District Court in the Northern District of Illinois dismissed the class action lawsuit in its entirety. The court determined that the plaintiffs’ complaint did not allege any “injury in fact.” In other words, the court concluded that plaintiffs’ complaint failed to include any allegations of “actual damages” suffered. Rather, the court viewed the alleged damages merely as “possible future injury” and concluded that in the absence of asserting true “out-of-pocket” damages, plaintiffs lacked standing to file the lawsuit. Plaintiffs have appealed the decision.
This case illustrates the growing trend of courts’ willingness to scrutinize the viability of hastily filed class action lawsuits in the cyber-attack arena. Unfortunately, a byproduct of this is that class action attorneys are essentially being educated on how to more effectively draft their complaints to allege cognizable claims and damages. Still, with cyber-attacks on the rise, businesses should always confer with their security professionals and outside legal counsel to develop and implement standard operating procedures and best practices that will lessen the chance of cyber-attacks. Taking such efforts may help to prove that a company, if sued, took objectively reasonable steps to protect against such attacks – evidence that could be critical in assessing negligence liability.