Lewert v. P.F. Chang's China Bistro, Inc., No. 1:2014cv04787 - Document 35 (N.D. Ill. 2014)

Court Description: MEMORANDUM Opinion and Order, Signed by the Honorable John W. Darrah on 12/10/2014. (ea, )

Download PDF
Lewert v. P.F. Chang's China Bistro, Inc. Doc. 35 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION JOHN LEWERT, Plaintiff, v. P.F. CHANG’S CHINA BISTRO, INC., Defendant. LUCAS KOSNER, Plaintiff, v. P.F. CHANG’S CHINA BISTRO, INC., Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Case No. 14-cv-4787 Cons.: No. 14-cv-4923 Judge John W. Darrah MEMORANDUM OPINION AND ORDER Plaintiff John Lewert (“Lewert”) filed a class-action Complaint against Defendant P.F. Chang’s (“Defendant”) arising from a data breach involving the theft of customers’ credit-card and debit-card data. Count I is a breach of implied contract claim on behalf of a national class. Count II is an Illinois Consumer Fraud and Deceptive Business Practices Act.1 Plaintiff Lucas Kosner (“Kosner”) filed a class-action Complaint against Defendant alleging the same. Kosner’s case was related to and consolidated with Lewert’s. Defendant moves to dismiss the Complaints pursuant to Federal Rule of Civil Procedure 12(b)(6). 1 Count II also includes substantially similar consumer fraud laws in other states on behalf of the corresponding classes. Dockets.Justia.com BACKGROUND The following facts are taken from the Complaints, which are taken as true for the purposes of a motion to dismiss. Defendant operates restaurants serving Chinese-inspired food. (Lewert at ¶ 12.)2 Defendant is a Delaware corporation with its principal place of business in Arizona. (Id. at ¶ 11.) Lewert is a citizen of Illinois who made purchases with his debit card at a P.F. Chang’s restaurant in Northbrook, Illinois, on or about April 3, 2014. (Id. at ¶ 6.) Kosner is an Illinois citizen who made purchases with his debit card at a P.F. Chang’s restaurant in Cook County, Illinois, on April 21, 2014. (Kosner at ¶ 11). Defendant failed to comply with reasonable security standards. (Lewert at ¶ 15.) On June 12, 2014, Defendant disclosed a data breach involving the theft of customers’ credit-card and debit-card data for an unknown number of accounts (the “Security Breach”). (Lewert at ¶ 2.) One report estimates that nearly 7 million cards were compromised as a result of the breach and that the breach dated back to at least September 18, 2013. (Id. at ¶ 14.) On June 17, 2014, Visa issued a Compromised Account Management System alert that included a list of compromised payment cards, containing what was represented to be card data obtained from the Security Breach. (Kosner at ¶ 15.) Identity thieves use personal identifying data to steal individual’s identities and open financial accounts, receive government benefits, and incur charges and credit in a person’s name. (Id. at ¶ 17.) Individuals may not see signs of identity theft for years. (Id. at ¶ 19.) Personal identifying information (“PII”) is often traded on the “cyber black-market” and is occasionally References to Lewert’s Complaint are cited as “(Lewert at __.)” and references to Kosner’s Complaint are cited as “(Kosner at __.)”. 2 2 posted to publicly available Internet websites. (Id. at ¶ 20.) Consumers also place value on PII and the privacy of that information. (Id. at ¶ 25.) Plaintiffs incurred several types of damages from the Security Breach. Plaintiffs claim that a portion of the services purchased from Defendant included compliance with industrystandard measures with respect to the collection and safeguarding of PII. (Id. at ¶ 32.) Thus, Plaintiffs overpaid for the products and services purchased from Defendant. (Id.) Plaintiffs claim that they have suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. (Id. at ¶ 33.) Plaintiffs also claim additional damages arising from costs associated with identity theft and the increased risk of identity theft. (Id. at ¶ 34.) Further, Plaintiffs claim opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards. (Id. at ¶ 36.) LEGAL STANDARD Rule 12(b)(6) permits a defendant to move to dismiss a complaint for “failure to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). A complaint must allege enough facts to support a claim that is “plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 547 (2007). Facial plausibility exists when the court can “draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). All well-pleaded allegations are presumed to be true, and all inferences are read in the light most favorable to the plaintiff. Lavalais v. Village of Melrose Park, 734 F.3d 629, 632 (7th Cir. 2013). This presumption is not extended to ‘legal conclusions, or threadbare recitals of the elements of a cause of action, supported by mere conclusory statements.’ Alam v. 3 Miller Brewing Co., 709 F.3d 662, 666 (7th Cir. 2013) (quoting Brooks v. Ross, 578 F.3d 574, 581 (7th Cir. 2009)). The complaint must provide a defendant “with ‘fair notice’ of the claim and its basis.” Tamayo v. Blagojevich, 526 F.3d 1074, 1081 (7th Cir. 2008) (quoting Fed. R. Civ. P. 8(a)(2) and Twombly, 550 U.S. at 555). ANALYSIS Defendant brings its motion pursuant to 12(b)(6), but one of its arguments is that there is no standing, which is properly brought pursuant to 12(b)(1). See Fed.R.Civ.P. 12(b)(1). To establish standing, a plaintiff must demonstrate: “(1) a concrete and particularized injury in fact that is (2) fairly traceable to the defendant's alleged unlawful conduct and (3) likely to be redressed by a favorable decision.” Hein v. Freedom From Religion Found., Inc., 551 U.S. 587, 619 (2007) (internal quotation marks omitted) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–561 (1992)). A district court may examine Article III standing and dismiss a case sua sponte if it finds that the plaintiff has not suffered injury-in-fact. Johnson v. Allsteel, 259 F.3d 885, 887-88 (7th Cir. 2001). The plaintiff bears the burden of alleging facts sufficient to establish standing; there is no burden on the defendant to show standing does not exist. Lujan, 504 U.S. at 561. An injury that is “certainly impending” can establish injury in fact for the purposes of standing, but “[a]llegations of possible future injury are not sufficient.” Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147 (2013) (citation and internal quotation marks omitted). Overpayment Plaintiffs claim they overpaid for the products and services purchased from Defendant. Plaintiffs argue that the cost of the food they purchased implicitly contained the cost of sufficient 4 protection of PII. As this Court has held before, this argument is unpersuasive. “Plaintiffs have not pled that [P.F. Chang’s] charged a higher price for goods whether a customer pays with credit, and therefore, that additional value is expected in the use of a credit card.” In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *5 (N.D. Ill. Sept. 3, 2013). Plaintiffs have not alleged an injury in fact with respect to overpayment. Fraudulent Charges Lewert does not allege that any fraudulent charges were made to the debit card he used at P.F. Chang’s. Kosner’s affidavit states that he received an e-mail from Chase bank, notifying him that fraudulent activity had been detected on his debit card. (Dkt. 25-1, at ¶ 3.) The fraudulent activity was listed as follows: 1) A transaction in the amount of $1.00 at facebk payment, an advertising service was attempted in . . ., [C]alifornia United States on or around 2014-06-08 at 4:26AM. 2) A transaction in the amount of $21.15 at godaddy dot com, a computer network or information service company was declined in . . ., [A]rizona United States on or around 2014-06-08 at 4:26AM. 3) A transaction in the amount of $34.95 at www dot vendosupport dot com, an inbound teleservices merchant was declined in . . ., Switzerland on or around 2014-06-08 at 4:26AM. 4) A transaction in the amount of $4.79 at www metin2 com, a video game arcade was attempted at KARLSRUHE, Germany on or around 2014-06-08 at 4:26AM. (Dkt. 25-1, pp. 6-7). The affidavit itself states that the charges were either declined or attempted. There are no claims that Kosner actually had any monetary damage from these charges. Kosner does not allege that the money was taken from his account or that he paid any fees resulting from the attempted transactions. Further, it is not directly alleged that the fraudulent charges were a result of the Security Breach. In order to have suffered an actual injury, Plaintiffs must have had 5 an unreimbursed charge on their credit or debit cards. See In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527 (N.D.Ill.2011) (“[Defendant] is correct that Plaintiffs suffered no actual injury . . . if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees and, thus, suffered no out-of-pocket losses.”) Plaintiffs do not allege any successful charges, let alone reimbursed charges. Plaintiffs have not alleged an injury in fact with respect to fraudulent charges. Opportunity Costs In their response to the Motion to Dismiss, Plaintiffs allege that Kosner was without his debit card for two to three days after cancelling the card with the potentially stolen information. He claims as damages the inability to accrue rewards points on the affected debit card for those two to three days. (Dkt. 25, p. 9.) While the inability to accrue rewards points is mentioned in Kosner’s affidavit, there are no allegations that he would have actually used the debit card to accrue points. Additionally, while opportunity costs are listed in the types of damages sought, no facts are alleged as to what the opportunity costs would be. Simply being without a debit card between “learning of the fraudulent charge[s] and receiving a new credit card” is not a cognizable injury. Barnes & Noble, 2013 WL 4759588, at *6. Plaintiffs have not alleged an injury in fact with respect to opportunity costs. Identity Theft “The Plaintiffs' claim of actual injury in the form of increased risk of identity theft is insufficient to establish standing.” Barnes & Noble, 2013 WL 4759588, at * 5. Speculation of future harm does not constitute actual injury. Clapper, 133 S.Ct. at 1148. Plaintiffs do not 6 allege that identity theft has occurred; rather, they allege that identity theft may happen in the coming years. Plaintiffs have not alleged an injury in fact with respect to identity theft. Mitigation Damages Mitigation expenses do not qualify as actual injuries under Clapper when the harm is not imminent. Clapper, 133 S.Ct. at 1152–53 (“costs that they have incurred to avoid [injury]” are insufficient, even if the fear is “subjective”). Plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1155. Plaintiffs do not allege that the harm of identity theft is imminent. Additionally, there is no reason to believe that identity theft protection was necessary after Kosner canceled the affected debit card. Again, while Plaintiffs allege that security breaches can lead to identity theft, they do not allege that it has occurred in this case. Rather, they allege that identity theft may not happen for years, which is not imminent harm. Plaintiffs have not alleged an injury in fact with respect to mitigation damages. CONCLUSION Standing is “an indispensable part of the plaintiff's case . . . .” Lujan, 504 U.S. at 561. Accordingly, because subject matter jurisdiction does not exist here, the case is dismissed; and it is unnecessary to consider Defendant’s remaining arguments under Fed.R.Civ.P. 12(b)(6). For the reasons discussed above, Defendant’s Motion to Dismiss [15] is granted without prejudice. Date: December 10, 2014 /s/______________________________ JOHN W. DARRAH United States District Court Judge 7

Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.