SEDGWICK ARTICLE APRIL 2016 Illinois Breach Decisions Show It’s Not Just About Standing In the wake of the recent decisions in the Seventh Circuit holding in favor of standing in consumer lawsuits arising from credit and debit card breaches, the focus of attention in early motions to dismiss will now likely be shifting to whether the consumer plaintiffs have asserted viable state causes of action, and in particular a breach of contract claim. Most data breach cases are filed in federal courts (or removed to federal court), usually with multicount complaints that often include a claim for breach of implied contract. The opening defense strategy has generally been to file motions to dismiss under Rule 12(b) (1) for lack of jurisdiction, which raise issues of existence of Article III standing, and under Rule (12) (b) (6) for failure to state a claim. Attention in the past has often been more on the standing issue and its requirement of a showing of actual or imminent injury to the plaintiffs. The Seventh Circuit’s recent rash of decisions upholding standing demonstrate that defendants cannot rely only on challenges to standing. See, Remijas v. Neiman Marcus Grp. LCC, 794 F.23d 688 (7th Cir. 2015); Lewert v. P.F. Chang’s China Bistro Inc. No. 143700, 2016 WL 1459226 (7th Cir., April 14, 2016); see also, Irwin v. Jimmy John’s Franchise LLC, et.al., No. 1:14-cv-2275, 2016 WL 1355570 (N.D. Ill. March 29, 2016). Going forward, increasing attention is likely to be placed on the prong of failure to state a claim in motions to dismiss, and on pursing the appropriate appeal on that ground as well as on standing. While the Seventh Circuit’s decisions finding standing have been a challenge to defendants’ efforts to obtain early dismissals, the court has not yet addressed the viability of breach of contact claims. Statements in those decisions indicate that this same court, as well as others, do not assume that plaintiffs will ultimately prevail on their claims of right to recovery; in fact, they may be skeptical of the likelihood of ultimate success. In its recent decision in Lewert v. P.F. Chang’s China Bistro Inc., No. 14-3700, 2016 WL 1459226 (7th Cir., April 14, 2016), for example, the Seventh Circuit reversed the district court’s dismissal of the case and concluded that plaintiffs had standing. The court also noted that because P.F. Chang’s did not file a cross-appeal, it could not consider whether the plaintiffs failed to state a claim. The court noted that a dismissal of a plaintiff’s claims for lack of subject matter jurisdiction is a dismissal without prejudice, while a dismissal for failure to state a claim would have been with prejudice. The lower court did not address the latter once it found no standing, and neither could the appellate court in light of the lack of a cross-appeal by defendant. The Seventh Circuit decision also noted that in ruling in support of standing, “we express no opinion on the merits or on the suitability of this case for class certification,” and remanded it for further proceedings. Thus, the decision leaves open the glimmer Originally published on Law360, April 21, 2016. Posted with permission. of hope that this court would have considered a dismissal on failure to state a claim grounds, and may ultimately dismiss on the merits (although, to date, breach cases often settle when faced with the cost of discovery following a denial of a motion to dismiss). While the focus on failure to state a claim, versus on standing, may seem new in light of the Seventh Circuit’s recent decisions, breach of contract claims are not new in the data breach context. There is conflicting authority on whether they can be successfully asserted in a case arising out of a data breach of credit/debit cards, with most decisions still at the lower court level. Even before this, some courts have side-stepped the standing issue and dismissed cases with prejudice for failure to state a viable state law claims. See, e.g., Willingham v. Global Payments, 1:12-cv-01157, 2013 WL 440702 (N.D. Ga. Feb. 5, 2013), dismissed with prejudice, March 5, 2013 (case voluntarily dismissed following magistrate report and recommendation for dismissal of the plaintiffs’ federal and state statutory claims and state common law claims, including one for negligence based on the application of the economic loss rule and one for breach of implied contract based on lack of reliance on privacy statements and lack of actual contract). SEDGWICK ARTICLE APRIL 2016 Moreover, when standing is or is likely to be found, the issue of whether there is a viable state law claim becomes critical. Particularly until the United States Supreme Court issues its decision in Spokeo Inc. v. Robins. 742 F.2d 409 (9th Cir. 2014), cert. granted, 135 S. Ct. 1892 (2015), addressing whether statutory claims alone may continue to be sufficient to confer standing, the viability of a breach of contact claim may determine the viability of a consumer breach action. The recent decision of the Northern District of Illinois in the Jimmy Johns data breach litigation shows how the battleground may be to moving to the viability of implied breach of contract claims, and indicates how courts evaluate the types of state law claims that plaintiffs can pursue when data breaches involve compromise of credit card information occur. Irwin v. Jimmy John’s Franchise LLC, et.al. , No. 1:14-cv-2275, 2016 WL 1355570, (N.D. Ill. March 29, 2016). Judge Harold A. Baker let proceed the plaintiff’s claims for breach of implied contract and breach of Arizona’s Consumer Fraud Act (the plaintiff, an Arizona citizen, apparently thought she would have a greater chance of success in Illinois, and filed there based on the corporate headquarters of the defendant). As have many other courts in this context, Judge Baker dismissed the plaintiff’s claims for negligence (as barred by the economic loss rule) and unjust enrichment; he also dismissed the claims brought under the Illinois Personal Information Protection Act and Illinois Consumer Fraud and Deceptive Practices Act (as a nonresident, the plaintiff did not have standing to assert a claim under the latter). The court also dismissed plaintiff’s claims under 2 | the Arizona data breach statute and for bailment after plaintiff failed to respond to the defense arguments for dismissal of those claims. While allowing the breach of implied contract and Arizona statutory claims to proceed, the court found that the plaintiff did not have Article III standing to pursue a claim for declaratory relief for remedies for future injury she claimed due to unspecified weaknesses in Jimmy John’s current security measures. That analysis indicates that even courts in the Seventh Circuit will make a distinction between claims based on past conduct and fraudulent charges which may support standing, versus ones based on the speculation of future risk from post breach conduct. In allowing the breach of implied contract claim to proceed, “under the circumstances, and under Illinois law,” the court noted there had been an offer, acceptance, consideration, and a meeting of the minds. The court noted that when a customer uses a credit card for a commercial transaction, the customer intends to provide the data to the merchant and not to an unauthorized third party, and that there is an implicit agreement to safeguard the customer’s information to effectuate the contract and to timely notify her of a security breach. In rendering his decision, Judge Baker relied on dicta in another lower court decision, Lovell v. P.F. Chang’s China Bistro Inc., 2015 WL 4940371 (W.D. Wash. Mar. 27, 2015). Jimmy John’s had cited to that case for the district court’s rejection of a claim for breach of implied contract under Washington law, where the claim Illinois Breach Decisions Show It’s Not Just About Standing was based on plaintiff’s “unilateral, specific expectations of a particular cyber security standard and daily auditing.” In reaching the opposite conclusion in Irwin v. Jimmy John’s, Judge Baker relied on dicta in Lovell that “offer and acceptance of a credit card as payment of a consumer debt necessarily involves certain implied promises.” Based on this, and under Illinois law, Judge Baker found that Irwin had stated a claim for breach of implied contract. He also cited to another lower court decision, In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2011) ( which alleged the existence of an implied contractual relationship that obligated Michaels to take reasonable measures to protect the plaintiffs’ financial information and notify the plaintiffs of a security breach within a reasonable amount of time) and the appellate decision in Anderson v. Hannaford Bros., 659 F.3d 161 (1st Cir. 2011) (affirming, under Maine law, a district court’s finding that jury could reasonably find an implied contract between the defendant and its customers that defendant would take reasonable measures to protect the customer’s financial information). While not discussing the specific claims asserted, in Allen v. Schnuck Markets Inc., No. 15-cv0061, 2015 WL 5076966 (S.D. Ill. 2015), another federal court sitting in Illinois denied a motion to dismiss a complaint based on a retail data breach that included, among others, a claim for breach of implied contract. As noted above, other courts have also addressed the issue, with varying results, e.g., In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. Dec. 18, 2014) (adopting the rationale of Anderson v. Hannaford Bros. and finding that SEDGWICK ARTICLE APRIL 2016 plaintiffs had plausibly alleged the existence of an implied contract) versus Global Payment, supra (dismissing breach of contract claims, noting no reliance could be demonstrated). resulting in dismissal of the action. Longenecker-Wells v. Benecard Services Inc., 1:15-cv-00422, 2015 WL 5576753 (M.D. Penn. 2015), appeal docketed, No. 15-3538 (3d Cir. Oct. 21, 2015). Courts have also addressed such breach of contract claims in the context of employment-related breaches. In Enslin v. The CocaCola Company, No. 2:14-cv-06476, 2015 WL 5729241 (E.D. Penn. 9/30/15), for example, an employee brought a putative class action against his employer alleging the employer failed to maintain security of his personally identifiable information in connection with the theft of company laptops by other employees. In addition to holding that the plaintiff had satisfied the standing requirement of injury-in-fact and causation, the court concluded that the plaintiff had stated claims for breach of express and implied contract. In this case, the alleged contract was based on the defendants’ privacy policies, code of conduct, company security practices and other conduct, and the assertion that the defendant employer had implicitly promised to safeguard the plaintiff employee’s PII in exchange for his employment. Decisions to allow a breach of an implied contract claim are likely to increase and support consumer litigation arising from data breaches involving credit card information or other situations where there are “implicit promises” to safeguard sensitive personal information. This is especially true in the consumer friendly jurisdiction of the Seventh Circuit. However, the Seventh Circuit has yet to expressly address its view of the viability of breach of implied contract claims in consumer data breach litigation, as the issue was not before it in its recent standing decisions. In Remijas v. Neiman Marcus Group LLC, supra, as well as in Lewart v. P.F. Chang’s China Bistro, supra, the appellate court noted that while it was finding standing, there had been no cross appeal by defendants that would allow it to consider in its decision whether the plaintiffs had failed to state a claim. Thus, among the lessons to be learned from these decisions is for defendants to pursue dismissal of, and for parties to appeal when warranted, issues of viability of state law claims as well as of standing. However, in this context as well, courts are not uniform in their views of the viability of breach of implied contracts claims. In a recent decision by a federal court in Pennsylvania, a claim by employees of implied contact with their employees based on allegations that they were required to provide private information to commence employment and reasonably expected protection from a breach was rejected. The court found standing, but dismissed the state law claims with prejudice for failure to state a claim, 3 | Also yet to be determined is the extent to which implied breach of contract claims would be subject to dismissal on the merits at a later stage in the proceeding, or the value of such claims especially if class certification is not granted. As learned in the Hannaford data breach litigation, a plaintiff’s success in defeating a motion to dismiss a breach of implied contract claim can be a pyrrhic Illinois Breach Decisions Show It’s Not Just About Standing victory if class certification is denied. Anderson v. Hannaford Bros. 659 F.3d 161 (1st Cir. 2011). Litigation strategy is likely to continue to shift, as the various federal courts take positions on standing, the viability of alleged state causes of action, and on class certification in consumer data breach claims. Strategies of plaintiffs and defendants are also likely be revisited once the U.S. Supreme Court issues its ruling in Spokeo Inc. v. Robins, supra. Meanwhile, plaintiffs in consumer breach litigation will likely continue to assert breach of contract claims while defendants still have the prospect of potentially viable challenges to such state law claims even in jurisdictions that favor findings of standing. Authors Carol Gerner Counsel Chicago 312.849.1959 [email protected] Laurie Kamaiko Partner New York 212.898.4015 [email protected] © 2016 Sedgwick LLP
© Copyright 2024 Paperzz