In the recent decision on Remijas v. Neiman Marcus Group, LLC, No. 14-3122, the 7th U.S. Circuit Court of Appeals held that the likely threat of identity theft is enough for a class of customers who had their personal information exposed in a data breach to have standing to sue the company that got hacked. In this case, the company that got hacked was Neiman Marcus, and the hack exposed 350,000 customer payment cards between July 2013 and October 2013. Of the cards exposed, 9,200 were fraudulently used, and class action litigation followed.
The district court finds no standing
When the class action was initially filed, the trial court dismissed it and found the alleged increased risk of future harm, i.e., fraudulent charges and identity theft, was not enough to confer Article III standing under the authority of Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), a U.S. Supreme Court decision concerning potential National Security Agency interceptions of communications. In Clapper, the plaintiffs suspected, but had no actual evidence, that such interceptions had occurred or that they would continue. The Supreme Court found these concerns too speculative to support standing, and noted that while allegations of future harm can establish standing if that harm is “certainly impending,” mere “allegations of possible future injury are not sufficient.”
The 7th Circuit reverses and finds sufficient Article III standing
The 7th Circuit reversed the district court, and in doing so held that lost time and money resolving the fraudulent charges, and lost time and money protecting against future identity theft, were enough to confer standing for consumers to bring suit. The court said “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The court, however, did make clear some of the injuries the plaintiffs were claiming were not enough to confer standing, including plaintiffs’ allegations that they overpaid for Neiman Marcus’ products and lost their private information were not enough for an injury in fact to confer standing.
The 7th Circuit distinguished its holding from Clapper and found that Clapper only stops a suit for speculative future harm. The key difference between Clapper and Remijas was the speculative nature of plaintiffs’ harm. In Clapper, the plaintiff merely suspected they would be harmed and had no evidence that they actually had been harmed or would be harmed. The Neiman Marcus consumers, however, actually had their payment card data taken, which made the potential for misuse of their information not unduly speculative. As such, the court found that the costs to avoid potential injury to consumers’ credit were cognizable harm for purposes of standing.
As the court also noted: “[a]t this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.” In addition, the purchase of credit monitoring services comes “at a price that is more than de minimis” and thus “easily qualifies as a concrete injury.”
Article III standing post-Clapper
Since the Clapper decision, many federal district courts have rejected arguments that possible future injury is sufficient to confer standing and concluded that risk of future harm is not enough.
- See Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013);
- In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013); and
- Yunker v. Pandora Media, Inc., No. 11-3113, 2012 WL 1282980 (N.D. Cal. Mar. 26, 2013).
But now, the 7th Circuit joins the 1st Circuit and a few district courts in recognizing that consumer standing can be based on costs to mitigate potential credit impairment or injury flowing from a data breach.
- See Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011);
- In re Adobe Sys. Inc. Privacy Litig., No. 13?CV?05226?LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); and
- In re Target Corp. Data Sec. Breach Litig., MDL 14?2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014).
Where does Spokeo come into play?
Notably, the 7th Circuit was careful to distinguish the standing issue before it in Remijas from the standing issue certified by the U.S. Supreme Court in Spokeo Inc. v. Robins, No. 13-1339, cert. granted (2015) (16 CLASS 520, May 8, 2015). While Spokeo concerns Article III standing in a case about a website’s publication of false information in violation of the Fair Credit Reporting Act, it is still a one-to-watch case for data privacy professionals because the question to be decided is whether “Congress may confer Article III standing upon a plaintiff who suffers no concrete harm…by authorizing a private right of action based on a bare violation of the statute.” So, while Spokeo concerns the FCRA, if the Supreme Court finds that a concrete injury is necessary for Article III standing, it may have a significant impact on questions concerning data privacy.
What you should know
Data breaches are not going away. Courts are beginning to recognize that data privacy and data theft are increasingly serious problems that require judicial action—even in theft cases where the victims have not yet suffered any actual out-of-pocket losses from the breach. The 7th Circuit finding that likely future harm is sufficient standing to sue is significant because it is the first of its kind. And, in factually-similar cases, it has at least arguably reduced the standing barrier that has plagued class-action plaintiffs in data breach cases until now. This means that more consumer data breach lawsuits will likely survive initial motions to dismiss and go on to class certification. It remains to be seen what other courts will do, and how Remijas will be used by other courts to either bolster or confer standing.
For more information, please contact one of the attorneys listed below.