On April 13, a federal court ruled that theft of credit card information, even prior to misuse of that data, could permit a plaintiff to pursue claims based on a 2016 data breach at certain Kimpton hotel properties. In Walters v. Kimpton Hotel & Restaurant Group, the court denied in part Kimpton’s motion to dismiss and rejected Kimpton’s position that actual injury, for standing purposes, requires unauthorized charges or other misuse of payment data. Based on the allegations, the court found it plausible that, given the dates the plaintiff stayed at an affected hotel, the plaintiff’s payment card information “was taken in a manner that suggests it will be misused.” It was not necessary, the court concluded, that the plaintiff wait until actual misuse occurred before seeking relief for both the theft and the time and effort spent monitoring his credit and mitigating potential misuse. The court further ruled that the plaintiff alleged out-of-pocket expenses and other actual damages sufficient to support his claims for implied breach of contract, negligence, and violation of California’s Unfair Competition Law.
The court also found that Kimpton’s privacy policy provided a plausible basis for the existence of an implied contract between Kimpton and its patrons. Specifically, the court noted that Kimpton’s privacy policy stated that “Kimpton is ‘committed’ to safeguarding customer privacy and personal information,” and that this commitment may create an enforceable promise.