web statistics
Court Dismisses Cyber-Attack Lawsuit Against P.F. Chang's for Lack of Actual Harm

Court Dismisses Cyber-Attack Lawsuit Against P.F. Chang's for Lack of Actual Harm

Open a newspaper on any given day, and chances are that you will read about the impacts of a new cyber-attack: accessed consumer profiles, hacked credit card information, leaks of personal customer information, etc. The March 2014 Cost of Data Breach Study: Global Analysis (sponsored by IBM), reports that the average cost to a company suffering a cyber-attack is now approximately an astounding $3.5M (an increase of 15% over 2013). Not surprisingly, the number of cyber-attacks is rapidly increasing, and virtually every type of business is a potential target, including those in the food and beverage industry. As cyber-attacks increase, so do class-action lawsuits alleging businesses have inadequately maintained their security measures. Consequently, in addition to suffering the public relations nightmare associated, the victimized businesses must also incur the high costs of defending themselves against these lawsuits. 

As evidenced by a recent decision, however, business owners can take comfort in knowing that some courts are viewing these kinds of lawsuits skeptically.  In June 2014, a class action lawsuit was filed against P.F. Chang’s China Bistro Inc. after the restaurant chain experienced multiple cyber-attacks between September 2013 and June 2014 (John Lewert v. P.F. Chang’s China Bistro Inc.). Plaintiffs alleged that P.F. Chang’s inadequate security measures allowed hackers to access customer credit card data, thereby causing damages to the putative class members. Those alleged damages consisted of: (1) overpayment for the services that customers were purchasing from P.F. Chang’s (which purportedly included the restaurant chain’s “service” of safeguarding their personal identifying information – a service plaintiffs claimed to never have received as evidenced by the cyber-attacks); (2) unauthorized bank account withdrawals and related bank fees; and (3) costs associated with actual or risk of identity theft. 

On December 10, 2014, the United States District Court in the Northern District of Illinois dismissed the class action lawsuit in its entirety. The court determined that the plaintiffs’ complaint did not allege any “injury in fact.”  In other words, the court concluded that plaintiffs’ complaint failed to include any allegations of “actual damages” suffered. Rather, the court viewed the alleged damages merely as “possible future injury” and concluded that in the absence of asserting true “out-of-pocket” damages, plaintiffs lacked standing to file the lawsuit. Plaintiffs have appealed the decision.

This case illustrates the growing trend of courts’ willingness to scrutinize the viability of hastily filed class action lawsuits in the cyber-attack arena. Unfortunately, a byproduct of this is that class action attorneys are essentially being educated on how to more effectively draft their complaints to allege cognizable claims and damages. Still, with cyber-attacks on the rise, businesses should always confer with their security professionals and outside legal counsel to develop and implement standard operating procedures and best practices that will lessen the chance of cyber-attacks Taking such efforts may help to prove that a company, if sued, took objectively reasonable steps to protect against such attacks – evidence that could be critical in assessing negligence liability.

Last modified on Wednesday, 21 January 2015 16:24

David C. Lee

With over 15 years of litigation experience, David C. Lee focuses his practice on intellectual property matters relating to the automotive; Internet, software and technology; and hospitality industries.  

Mr. Lee, a Partner at Michelman and Robinson LLP, handles copyright and trademark claims, trade secrets and Internet domain name disputes. He also provides a variety of business litigation services relating to contractual rights, corporate management and real estate. His clients consist of technology companies, business owners and public entities.

Mr. Lee routinely navigates clients through complex business and corporate litigation matters. He represents companies throughout all stages of growth—from early stage entrepreneurs to mature Fortune 500 companies—and provides risk management and general counsel to startups and growing companies involved in intellectual property disputes, breach of royalty agreements and contract negotiations.

Having served as lead counsel on numerous legal matters, Mr. Lee has successfully obtained verdicts in both jury and bench trials, and has prevailed in mediation and arbitration. He has a proven track record of representing clients in appellate court proceedings and has successfully obtained early dismissals of class action lawsuits and other causes of action. Additionally, Mr. Lee has considerable experience representing public entity clients in a variety of areas, including inverse condemnation matters and contract disputes.

Latest from David C. Lee

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.

Go to top