To date, an overwhelming majority of courts have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact, an essential element for standing under Article III of the US Constitution. In Remijas v. Neiman Marcus Group, a decision issued Monday, a Seventh Circuit panel disagreed with the analysis of those courts, concluding that customers who have been the victims of data breaches have standing to sue not only after fraudulent charges appear on their cards, but also for an increased risk of future harm and harm-mitigation expenses. Such expenses include lost time and money incurred in resolving fraudulent charges and in protecting against future identity theft, including money spent to purchase credit monitoring.
The consumer class action before the court arose out of a 2013 hack of Neiman Marcus’s computer systems, which resulted in the unauthorized acquisition of credit card numbers. The three-judge panel, led by Chief Judge Diane Wood, held that an increased risk of future harm resulting from a data breach satisfies the injury-in-fact requirement.
In reaching its decision, the court distinguished the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013) on the basis that the risk at issue in that case - risk that communications between detainees and their lawyers were being monitored - was speculative, whereas the fact of the data breach in this case was real. The court concluded that at the pleading stage of the litigation, it was “plausible to infer that plaintiffs had made a showing of a substantial risk of harm,” thereby meeting the requisite threshold for injury-in-fact set forth in Clapper, because there was “an objectively reasonable likelihood that [identity theft or fraud] will occur.” The court explained, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The court further noted that while harm-mitigation measures do not always qualify as an injury for purposes of standing, the purchase of credit monitoring in the context of a data breach “easily qualifies as a concrete injury” because the threatened harm of a data breach is “imminent.” Interestingly, the court concluded that the harm was imminent based on the fact that Neiman Marcus had offered one year of free credit monitoring in response to the breach. The court did not seem to consider the fact that credit monitoring does nothing to prevent fraudulent charges appearing on one’s credit card - the only type of fraud that could have occurred with the type of information that was stolen in this case. Thus, there remains a serious question whether this mitigation activity would in fact be “reasonable” in a consumer payment card breach case.
Although the court declined to decide whether the over-payment for Neiman Marcus products or the right to one’s personally identifiable information - a right that plaintiffs argued was granted to them by state data breach notice statutes - are “injuries” sufficient to establish Article III standing, the Court indicated that it was “dubious” whether those allegations, standing alone, would be sufficient.
Since the Supreme Court issued its 2013 decision in Clapper, defendants of data breach class action lawsuits have often cited it for the proposition that data breach victims lack Article III standing because their injuries are too speculative. This decision marks the first time that a circuit court has addressed the issue following the Supreme Court’s Clapper decision. The decision’s precedential impact, however, is limited to courts within the Seventh Circuit, and it is unclear whether other circuits will follow suit. Indeed, in Reilly v. Ceridian Corp., a decision that pre-dated the Clapper decision, the Third Circuit held that data breach victims whose data has not been misused lack standing under Article III.
It is by no means certain that the Third Circuit or other circuits will follow the Seventh Circuit’s approach, particularly when it appears that the Seventh Circuit’s decision was more policy driven than rule based. While the future remains uncertain, it is clear that the Seventh Circuit poses the most favorable venue for plaintiffs’ lawyers to file data breach class actions in the future, and that the data breach docket of district courts in the Seventh Circuit is likely to grow.