On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.
This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.
On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.
This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.