On July 20, 2015, the Seventh Circuit Court of Appeals reversed and remanded the district court’s dismissal of a data breach class action on standing grounds in Remijas v. Neiman Marcus Group, LLC , No. 14-3122, slip op. (7th Cir. July 20, 2015). In so doing, it added its voice to one of the most contentious frays in class action law today — do plaintiffs have standing to sue in the aftermath of a data breach when neither their financial information has been compromised nor their identities stolen?
The case arose from a cyber attack on Neiman Marcus in 2013, exposing some 350,000 credit or debit cards to hackers. A number of class actions were filed and consolidated in the United States District Court for the Northern District of Illinois. Plaintiffs alleged negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy and violations of state data breach laws. Neiman Marcus moved to dismiss the action for lack of standing and failure to state a claim. The district court dismissed the action, reasoning that the plaintiffs lacked standing to bring it because they had no suffered an injury-in-fact.
Plaintiffs contended that they had sufficient standing, among other reasons, because they were at an increased risk of future fraudulent charges and identity theft. Numerous courts have dismissed these sorts of bases for standing in the data breach context, as allegations of “possible future injury” are insufficient to confer standing, as the Supreme Court recently recognized in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). But, here, the Court reasoned that part of the putative class — 9,200 members — already had incurred fraudulent charges as a result of the breach, and that these putative class members had already suffered harm, and “have suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.”
As for the remaining class members — those who had no demonstrable injury — the Court distinguished Clapper, reasoning that even under Clapper, a “substantial risk” of future injury can support Article III standing. Analogizing the case to one decided in the Northern District of California, In re Adobe Sys., Inc. Privacy Litig, No. 13-CV-05226-LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2013), the Seventh Circuit held that “[l]ike the Adobe plaintiffs, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Indeed, the Court stated, stealing financial data was the very purpose of the hack. Moreover, the Court reasoned that under Clapper, mitigation expenses qualify as actual injuries where the harm is imminent. And here, according to the Court, the fact that Neiman Marcus offered a year of free credit monitoring to affected customers demonstrates that the risk was not merely “ephemeral.”
In addition to the injury-in-fact criterion for Article III standing, the Court also held that plaintiffs had adequately alleged causation and redressability, the other two requirements for standing. As for causation, the Court held that “[i]t is enough at this stage of the litigation that Neiman Marcus admitted that 350,000 cards might have been exposed . . .” With respect to whether there was a harm to redress in light of reimbursement policies, the Court reasoned that mitigation expenses remained and that reimbursement policies could vary. Thus, “a favorable judicial decision could redress any injuries caused by less than full reimbursement of unauthorized charges.”
There is no question that the Seventh Circuit’ decision, as it parses Clapper to find standing, will prove a challenge to defendant companies in suits around the country. The “standing” of standing is not as clear as it was a week ago, and the debate among the circuits as they define the meaning of standing in the realm of privacy law is likely to continue for some time.