With the proliferation of storage of personal data and the increase in hacking efforts and phishing scams, Wisconsin courts are likely to see more data breach class actions on the horizon. Wisconsin businesses handling personal data should be aware of the reasoning of the recent Seventh Circuit decision Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226 (7th Cir. Apr. 14, 2016), as well as applicable Wisconsin cybersecurity statutes.
The facts of the Lewert case are remarkably simple. Plaintiffs John Lewert and Lucas Kosner dined separately at P.F. Chang’s China Bistro in Northbrook, Illinois. Lewert and Kosner later received notifications that the restaurant’s computer system had been hacked, and customer debit card and credit card data had been stolen. The notice did not provide that Lewert’s or Kosner’s specific data had been compromised.
Lewert and Kosner filed a purported class action against P.F. Chang’s, asserting breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices law. Their purported class encompassed “all similarly situated customers whose payment data may have been compromised,” with the aggregate total in claims exceeding $5,000,000. The district court dismissed their case for lack of standing, holding that plaintiffs failed to allege that they had sustained actual injury in fact.
The Seventh Circuit reversed, holding that Lewert and Kosner had Article III standing even though neither of them lost even a penny to fraudulent card charges. Kosner claimed injury because he spent $106.89 for a credit-monitoring service to protect against identity theft after his bank stopped fraudulent card charges. Lewert spent only “time and effort monitoring his card statements and his credit report to ensure that no fraudulent charges had been made on [his] card and that no fraudulent accounts had been opened in his name.” Id. The Seventh Circuit held that Article III standing was supported by these injuries, as well as the future injuries, i.e., the risk of fraudulent charges and identity theft.
The court held that the plaintiffs plausibly alleged that their individual data was stolen, in light of P.F. Chang’s announcement of, and reaction to, the data breach:
In its June statement, P.F. Chang's addressed customers who had dined at all of its stores in the United States and admitted that it did not know how many stores were affected. It is easy to infer that it considered the risk to all stores significant enough to implement a universal, though temporary, switch to manual card-processing.
Id. at *4.
The court reasoned that P.F. Chang’s might later prove the limited scope of the breach through tracing the specific data files stolen, or the chain might learn that it was “being too optimistic and the breach was greater.” Id. The court concluded that P.F. Chang’s reaction to the breach was relevant to the breadth of the breach:
At this stage, no one knows. When the data system for an entire corporation with locations across the country experiences a data breach and the corporation reacts as if that breach could affect all of its locations, it is certainly plausible that all of its locations were in fact affected.
Id. Despite this liberal standing approach, the Seventh Circuit expressed skepticism towards plaintiffs’ claims that the cost of their meals constituted an injury, that they had a property right to their personally identifiable data, and that the Illinois Consumer Fraud and Deceptive Business Practices Act protected their personally identifiable information in the absence of actual damages.
Had Lewert and Kosner been potential victims of a data breach in Wisconsin, the Seventh Circuit’s Lewert standing standard would apply, but the plaintiffs would need to prove liability under Wisconsin law. In Wisconsin, consumers fearing injury from a data breach have limited statutory remedies. See In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1163 (D. Minn. 2014) (dismissing Wis. Stat. § 100.20 claim made by putative class because Wisconsin’s Deceptive Trade Practices Act “provides a private right of action only for violations of orders issued by the Wisconsin Department of Agriculture.”). Thus, absent a violation—which would require actual pecuniary loss, issuance of an administrative order, and a subsequent violation of that order—Wis. Stat. § 100.20 is unlikely to provide a recovery for individual consumers.
Wisconsin’s data breach notice statute, Wis. Stat. § 134.98, requires businesses serving Wisconsin consumers to “make reasonable efforts to notify each subject of [ ] personal information” obtained by an unauthorized person within 45 days of the data breach. Wis. Stat. § 134.98(2)(a)-(b), (3)(a). A violation of Wis. Stat. § 134.98 is unlikely to provide direct relief for a private plaintiff, but the statute provides, in what appears slightly inconsistent direction, that failure to comply with Wis. Stat. § 134.98 does not constitute “negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.” Wis. Stat. § 134.98(4) (emphasis added). It is not clear what more evidence beyond a statutory violation is needed to “constitute” negligence or a breach of a legal duty. Any business facing a data breach situation should take care to comply fully with Wis. Stat. § 134.98, as an alleged violation may be sufficient “evidence” of negligence or breach to withstand a motion to dismiss, or possibly even a motion for summary judgment.