Does a data breach of a retailer’s payment-card information automatically confer Article III standing on affected customers? Is the mere possibility that some criminal element may use pilfered information to commit future fraud or identity theft sufficient to confer customers standing to assert a class action? Are a retailer’s customer service efforts following a data breach – arguably subsequent remedial measures – proper evidence of the customers’ injury?
These are some of the bedrock questions luxury retailer Neiman Marcus has asked the Seventh Circuit Court of Appeals to consider en banc following a three-judge panel’s bombshell opinion in Remijas v. Neiman Marcus Group. Before Remijas, the answer to each of these questions – based on opinions from the Third Circuit and numerous federal district courts finding a lack of standing in data breach cases – was unequivocally “No.” Remijas, however, is a potential game changer on several key fronts because it is the first Circuit Court opinion to find:
- Customers need not wait until hackers commit identity theft or credit-card fraud to acquire standing because there is an “objectively reasonable likelihood” injury will occur;
- Plaintiffs who have not suffered actual fraud or identity theft are nonetheless injured because they must spend time and money replacing cards, monitoring their credit score and otherwise “sorting things out”;
- A retailer’s offer of credit monitoring and identity-theft protection to customers following a data breach was “telling” evidence that risk of harm was not “ephemeral.”
For any company regularly compiling or retaining customer data, the potential ramifications of Remijas are harrowing. As Neiman Marcus pointed out in its petition for en banc review, in Clapper v. Amnesty Int’l USA, the U.S. Supreme Court held Article III standing for possible future injuries only exists where the threatened injury was “certainly impending.” Remijas’s use of an “objectively reasonable likelihood” standard potentially lowers the crucial standing bar announced in Clapper. Moreover, Neiman Marcus argues, Remijas creates a circuit split with the Third Circuit, which failed to find standing in Reilly v. Ceridian Corp. – a similar data breach class action.
Neiman Marcus also took issue with the Court’s finding that the cost of “sorting things out” following a data breach – including protection of credit monitoring services – could constitute a compensable injury where there was no allegation that any class representative or member had actually suffered identity theft or unreimbursed fraud. On this last point, Neiman Marcus was particularly troubled by the Court’s use of the retailer’s offer of credit-monitoring services and identity-theft insurance – offers made as a “customer service measure” – as evidence that its customers suffered injury. As Neiman Marcus points out, it made those offers to a much larger subset of customers than were actually impacted by the breach. Moreover, allowing the store’s post-data breach purchase of credit monitoring and identity-theft insurance for potentially affected customers to serve as evidence of its customers’ compensable injuries perversely disincentivizes companies from taking similar steps in the future.
Although petitions for en banc rehearing are not routinely granted, the panel’s apparent deviation from recent Supreme Court standing jurisprudence, and the potential conflict with the Third Circuit, may prove compelling reasons for the Seventh Circuit to grant the petition. Pursuant to federal appellate court rules, Plaintiffs are not permitted to respond to a petition for en banc review unless requested by the Court. However, the Court typically allows a response before granting such a petition. Thus, if the Court sees potential merit in the petition, the most likely next step would be to invite a response from Plaintiffs. On the other hand, if the Court is wholly unswayed, it could deny the petition outright.
While allowing Remijas to stand would not be a death blow to Neiman Marcus’s case – it still has strong defenses to class certification only hinted at in the briefing thus far – it would significantly increase the likelihood of future data breach plaintiffs surviving a motion to dismiss and, consequently, spike the frequency and expense of data breach class-action litigation for defendants.