As 2015 draws to a close, questions over standing in data breach class actions remain. Earlier this year, the Seventh Circuit denied retailer Neiman Marcus’s petition for rehearing en banc of a panel opinion holding that plaintiffs whose credit card information was stolen in a data breach had standing to sue under Article III of the United States Constitution based on alleged fear of future identity theft; in so doing, the Seventh Circuit confirmed that the circuit split on standing in data breach class actions survives Clapper. The retailer’s petition for writ of certiorari is due January 15, 2016.
The Supreme Court has already heard oral argument on the scope of Article III standing in two cases that may be of interest to those monitoring data breach class actions. In Spokeo, the Court has been asked to address: “Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.” In Tyson Foods, the Court was petitioned to resolve the question of “whether a class action may be certified or maintained under Rule 23(b)(3) … when the class contains hundreds of members who were not injured and have no legal right to any damages.” A ruling narrowly construing the Article III standing requirement in these cases would bode well for the defense bar, as well as be a blow to class counsel – who have sought to distinguish the Court’s precedent in Clapper as factually inapposite to class actions.
Given the current circuit split on standing in data breach class actions, many cases have settled. In early December 2015, Target received preliminary approval of a class settlement of the remaining financial institution class claims for approximately $39 million – of which $20.25 million will go to directly to the settlement class ($19.75 million to the settlement class escrow account, and $500,000 to cover settlement notice and administration) and of which $19.1 million will cover MasterCard’s final account data card recovery assessment. This payment followed the court’s order certifying claims of the financial services class and is in addition to a reported $67 million that the retailer had already agreed to pay to settle claims by banks that issued Visa cards compromised in the breach.
In late November, the court granted final approval of Target’s settlement of the consumer class claims; an objector has filed a notice of appeal to the Eighth Circuit. Home Depot has also reportedly reached a tentative settlement with MasterCard and issuers comprising over 80 percent of the MasterCard branded payment cards potentially impacted by the breach; the settlement is said to: “provide for payment of an amount equal to the full amount these banks could recover as a result of [MasterCard’s] assessment [of payments attributable to the breach] plus a 10% premium, provided that banks accounting for at least 65% of the potentially affected M[aster]C[ard] issued accounts opt into the settlement and release their claims against Home Depot.”
What will happen in 2016? Will we see more cases filed? More settlements? Will anticipated Supreme Court rulings be a boon for the plaintiffs’ bar or for the defense?