Breach Suit Filed Against P.F. Chang'sExperts Say Consumer Legal Action Unlikely to Succeed
A consumer class action lawsuit against breached restaurant chain P.F. Chang's China Bistro is unlikely to succeed, some security experts say, because proving consumer losses linked to specific merchant data breaches is difficult.
See Also: The Global State of Online Digital Trust
While some have speculated that the restaurant chain's point-of-sale network was likely compromised by a retail malware strain similar to what compromised Target Corp. and Sally Beauty, P.F. Chang's has not revealed any details about the breach or the number of cards that may have been exposed.
Yet the lawsuit makes numerous allegations about specific aspects of the breach, including the cause and number of customers affected.
"The P.F. Chang's complaint won't stand," says one data breach attorney not involved in the case, who asked not to be named. "It's the same old tired allegations. ... I think these consumer cases are dead in the water."
Tying consumer fraud losses to a specific breach, especially in today's age of numerous retail breaches, is next to impossible, the attorney says.
"To have a case, you have to have two things: Liability and damages," the attorney adds. "That's hard to prove on the consumer side."
It's easier for banking institutions filing lawsuits in the wake of breaches to prove liability and damages, the attorney contends.
"For banks, they can make a stronger argument about how the cards were breached," the attorney says. "Visa and Mastercard have so many tools and they have the card numbers. They can track compromised cards back to the bank that issued them. It's much more straight-forward."
P.F. Chang's did not respond to Information Security Media Group's request for comment about the lawsuit.
In the class action suit filed June 25, a number of allegations about breach details are made by the lead plaintiff, Illinois resident John Lewert and his attorney, Joseph Siprut. Among them is that the breach exposed some 7 million credit and debit cards and resulted from of a malware attack that penetrated P.F. Chang's system because the restaurant chain was not in compliance with the Payment Card Industry Data Security Standard at the time of the alleged attack.
The complaint also asserts that customers' names and other personally identifiable information associated with the card data was likely exposed, and that P.F. Chang's knowingly violated its obligations to protect cardholder data in an effort to save money.
"P.F. Chang's failed to comply with security standards and allowed their customers' financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the security breach that occurred," the claim states. "P.F. Chang's has also failed to disclose the extent of the security breach and notify its affected customers in a timely manner. By failing to provide adequate notice, P.F. Chang's prevented (and continues to prevent) class members from protecting themselves."
The suit asks that damages be paid by P.F. Chang's to the plaintiff and other members of the class for fraud losses linked to cards that were associated with the breach. The suit also asks that plaintiffs in the suit be paid punitive damages, statutory damages, and that P.F. Chang's issue individualized breach notices to all impacted consumers. Additionally, the plaintiffs have requested that P.F. Chang's provide at least three years of credit monitoring services to those impacted by the breach, pay the plaintiffs' attorney and litigation fees and pay pre- and post-judgment interest in any amounts that are awarded to the plaintiffs.
Breach Details in Question
Anton Chuvakin, a vice president of the security and risk management research team at Gartner, questions many of the lawsuit's allegations.
"We absolutely do not know that P.F. Chang's security failures enabled hackers to steal financial data," he says. "Not every breach is a failure to secure, since the attackers could have been better than their otherwise excellent controls. ... We do not know that their security was inadequate, but only that the attacker was better."