Reversing summary judgment, the Seventh Circuit Court of Appeals reinstated a data breach lawsuit against Neiman Marcus and accepted the plaintiff’s contention that fear of future harm stemming from the breach was sufficient to establish standing in the case.
After the retailer revealed that a hacker gained access to the credit card information of roughly 350,000 cards in December 2013, several customers filed suit. Using the typical—and typically successful—defense in data breach lawsuits, Neiman Marcus moved to dismiss the consolidated class actions for lack of standing because the plaintiffs failed to state any actual injuries. A federal court judge agreed.
But the Seventh Circuit explicitly distinguished Robins v. Spokeo, currently pending before the U.S. Supreme Court, and reversed, finding that the plaintiff pointed to multiple types of injury sufficient to establish standing.
The plaintiffs alleged four injuries: lost time and money resolving the fraudulent charges, lost time and money protecting themselves against future identity theft, the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s lax approach to cybersecurity, and lost control over the value of their personal information. Two imminent injuries were also on the list: an increased risk of future fraudulent charges and greater susceptibility to identity theft.
Both of the imminent injuries alleged were “certainly impending” enough for the federal appellate panel to find standing. Approximately 9,200 consumers had already incurred fraudulent charges on cards implicated in the breach, the court noted, and while Neiman Marcus provided reimbursement, “there are identifiable costs associated with the process of sorting things out.” “What about the class members who contend that unreimbursed fraudulent charges and identity theft may happen in the future, and that these injuries are likely enough that immediate preventive measures are necessary?”
Although the defendant contended that such injury was too speculative, the court said a material factual dispute existed because the plaintiffs argued they would still have to spend time and money replacing cards and monitoring their credit score. The seminal case on Article III standing, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), does not “foreclose any use whatsoever of future injuries to support Article III standing,” the panel noted.
“[T]he Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the court said. “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information?”
Considering the other alleged injuries, the court said the purported lost time and money protecting the plaintiffs against future identity theft and fraudulent charges also sufficed to establish standing. Neiman Marcus offered affected customers one year of credit monitoring and identity theft protection, and it “is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded,” the three-judge panel noted. The cost of credit monitoring “easily qualifies” as a concrete injury.
The other asserted injuries were more problematic, the court found. Extending the idea of product liability from a particular product to the operation of the entire store by accepting the argument that plaintiffs would have shunned Neiman Marcus had they known about its poor data security “is a step that we need not, and do not, take in this case.” And federal law does not recognize a property right in the loss of private information, the panel added.
After finding injury-in-fact, the court said the plaintiffs established the other two prerequisites for standing: causation and redressability. Given the other data breaches that occurred during the 2013 holiday season, Neiman Marcus countered that the plaintiffs could not trace their injuries to the breach of its servers, but the court said the argument should be raised later as a defense. And because mitigation expenses and future injuries remained, the panel also rejected the defendant’s position that the plaintiffs’ injuries could not be redressed by a judicial decision because they had already been reimbursed for the fraudulent charges.
The decision is Remijas v. Neiman Marcus.
Why it Matters: The Remijas decision should be required reading for retailers. Although the Seventh Circuit did reject some of the alleged injuries as a basis for standing, the panel reinstated the lawsuit based on the class’s allegations of an increased risk of future fraudulent charges and greater susceptibility to identity theft. The holding will likely spur similar lawsuits in the wake of data breaches going forward.