Earlier this week, in Remijas v. Neiman Marcus Group, the Seventh Circuit reinstated a class action against Neiman Marcus stemming from a 2013 data breach. In so doing, it was the first court of appeals to find that the data breach plaintiffs’ actual injuries, future injuries, and attendant mitigation costs were sufficient to adequately plead Article III standing. So why did the Seventh Circuit find standing here when the vast majority of data breach cases have been dismissed on standing grounds? Comparing the Neiman Marcus case to other recent decisions provides some guidance, but it also raises concerns that a company’s data breach response and remedial measures may be used against it as evidence of harm.
Sometime in 2013, a malware breach of Neiman Marcus’ computer system allowed hackers to steal the credit card and debit card numbers of its customers. While Neiman Marcus only learned of the hack in December 2013, it did not announce the cyberattack until January 2014. In response to the breach notification, several customers brought a class action suit. Plaintiffs alleged actual, concrete harm, stating 9,200 Neiman Marcus customers incurred fraudulent charges. Moreover, three out of four representatives in the Neiman Marcus class suffered fraudulent charges on their debit and credit cards as a result of the breach, and one was notified by her bank and Neiman Marcus that her debit card had been compromised. As for future harm, the plaintiffs alleged that the breach had increased the likelihood of fraudulent charges and identity theft.
To maintain a cause of action, plaintiffs must establish Article III standing which requires plaintiff to show: 1) actual injury or imminent harm to the plaintiff or class of plaintiffs, 2) such harm is fairly traceable to the defendant’s actions, and 3) judicial action will likely redress such harm. Here, Neiman Marcus argued that plaintiffs had failed to show that they had suffered a future harm that was imminent and that even if such future harm was imminent, that harm was not fairly traceable to Neiman Marcus’ data breach in 2013, given that other major retailers’ customer databases, such as Target, were compromised during that time.
The district court dismissed the case for lack of Article III standing. The Seventh Circuit reversed on Monday, holding that the plaintiffs’ alleged injuries were sufficiently imminent and causally connected to the Neiman Marcus data breach.
The Seventh Circuit first held the 9,200 victims, who incurred fraudulent charges, had demonstrated injury despite being reimbursed for expenses as they “suffered the aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.”
As for the future risk of harm for the rest of the class, the Seventh Circuit applied the Supreme Court’s standing precedent from Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013) – future harm could be established if that harm was “certainly impending” or if there was a substantial risk that harm would occurred. The court found that there was a substantial likelihood that those who had not yet been the victim of identity theft or false charges on their credit cards could suffer injury. In so holding, the court used both Neiman Marcus’ own mitigating notifications to its customers after the breach and the hacker’s presumed purpose in hacking the database to demonstrate that the future likelihood of harm was imminent.
The court concluded that plaintiffs had demonstrated a substantial risk of harm from the data breach by analyzing the type of information the hackers targeted and divining their supposed intent. The court reasoned that the given the type of information the hackers targeted, namely Neiman Marcus customers’ credit card information, there was “an objectively reasonable likelihood” that an injury would occur, and plaintiffs should not have to wait until the hackers committed the identity theft or credit card fraud in order to demonstrate standing. Ultimately, the court reasoned that requiring plaintiffs to wait for the threatened harm to materialize in order to sue would create a timing problem, allowing a defendant to argue that the harm was not fairly traceable to the defendant’s actions.
The court also found that the mitigation costs of protecting against future injury were “concrete injuries.” Cautioning against overreading Clapper, the Court reasoned that because the initial breach had already taken place, the customer “might think it necessary to subscribe to a service that offers monthly credit monitoring.” The court used Neiman Marcus’ notification to its customers and offer of data monitoring and identity restoration services as evidence that the risk of future injury i.e., these mitigation costs, was more than merely speculative. Indeed, as the court noted, “[i]t is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”
After satisfying itself that the risk of future harm was indeed imminent, the court held that despite the fact that there were many other data breaches at the time of the Neiman Marcus data breach, Neiman Marcus’ breach could plausibly be the cause of harm to the class. The court again used Neiman Marcus’ own actions as evidence of this causal link. Specifically, the court stated that “it is enough at this stage of the litigation that Neiman Marcus admitted that 350,000 cards might have been exposed, and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs’ right to relief above the speculative level.”
The Seventh Circuit found standing in Neiman Marcus when the vast majority of data breach cases have been dismissed on standing grounds. For example, In re Zappos.com, Inc., Customer Data Security Breach Litigation the court, having previously denied a motion to dismiss on standing grounds, revisited its opinion, and dismissed the case in favor of the defendant. No. 12-cv-00325 (D. Nev. June 2, 2015). A comparison of the two cases, given their similarities, highlights the facts in Neiman Marcus that were pivotal to the decision.
The Zappos’ breach occurred on January 15, 2012. Zappos became aware of the breach immediately and notified customers the next day. Neiman Marcus was hacked sometime in 2013 and was unaware of the security breach until December 2013. The complaint alleged that Neiman Marcus failed to notify its customers until after the lucrative holiday shopping season on January 10, 2014.
No Zappos class representative alleged any actual injury – in other words, their claims relied solely on the threat of possible future identity theft and fraudulent credit card charges as a result of Zappos’ data breach. The Zappos court was most concerned with failure of future harms to materialize, noting that in the three and half years since the filing of the complaint plaintiffs had not sought leave to amend the complaint to include instances of actual identity theft or fraud. In contrast, all four Neiman Marcus class representatives suffered some form of financial fraud in addition to the 9,200 others alleged in the complaint.
Like the court in Neiman Marcus, the Zappos court paid attention to the presumed purpose of the hacker’s attack. It noted that unlike other cases, where the hackers had targeted the entire credit card number of customers, the Zappos hackers procured only personally identifiable information, including names, passwords, email addresses, phone numbers and physical addresses and were only able to steal the “tails,” or the last four digits of the customer’s credit card information.
Thus our lessons from Neiman Marcus are as follows: it appears that courts may be more likely to find standing when a future harm is accompanied with an actual financial harm. The actual harm makes the likelihood that others will suffer some harm in the future more imminent and less speculative. This is not a vast departure from precedent as the courts in both In re Adobe Systems Inc. Privacy Litigation and In re Sony Gaming Networks & Customer Data Securities Breach Litigation found that plaintiffs had standing, in part, by analyzing the nature of the attack and types of information targeted by the hackers. Indeed, in Sony, the plaintiffs alleged both actual and future harm. More troubling, however, was the court’s willingness to use a company’s own remedial actions as evidence of the imminence of plaintiffs’ harm. Perhaps Neiman Marcus’ delay in recognizing the breach and notification played a role in the court’s decision; nonetheless, it creates perverse incentives for companies to forgo providing customers with monitoring services and notification of its breach for fear such actions will be used as evidence against it in future litigation.