A new decision from the Seventh Circuit Court of Appeals holds that customers of a hacked retailer had standing to sue on the basis of the costs they incurred in responding to the breach, even if their accounts had not suffered any fraudulent charges. The Court held that even consumers who had not experienced actual identity theft had standing to sue, given the costs allegedly associated with “sorting things out” in the wake of a data breach.
The Seventh Circuit’s ruling bucks a longtime trend of post-data breach consumer class actions failing at the pleading stage in the wake of the Supreme Court’s 2013 decision in Clapper v. Amnesty International. Clapper held, in the context of allegations of unlawful electronic surveillance, that an imminent risk of concrete injury is required for a plaintiff to have standing to sue in federal court. Many district courts have relied on Clapper to grant motions to dismiss data breach class actions, holding that the mere theft of information does not establish an imminent risk of concrete injury.
The new decision in Remijas v. Neiman Marcus Group, LLC departs from that trend, reversing the decision of the district court to toss out the suit based on Clapper. Neiman Marcus suffered a data breach in 2013 that potentially exposed up to 350,000 credit cards, but according to the company, only 9,200 consumers actually suffered fraudulent transactions. Neiman Marcus paid for a year of identity theft monitoring for all 350,000 accounts. Plaintiffs in Neiman Marcus sued on a number of theories, arguing that they had standing because of the lost time and money spent protecting against future identity theft.
The district court held that the plaintiffs lacked standing under Clapper because the harm was inchoate. The Seventh Circuit held that this interpretation of Clapper was too broad and did not appreciate the likelihood of future harm – “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing.”
IMPACT AND ANALYSIS
The Neiman Marcus analysis, if adopted by other courts, could give consumers standing in data breach cases because of the costs associated with protecting against identity theft and fraud. As the Seventh Circuit noted: “the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” In light of that reasoning, the Court held Clapper’s requirement of imminent future injury satisfied.
Another significant aspect of the Neiman Marcus decision relates to the oft-asserted defense, in the wake of data breaches, that affected consumers’ information could have been obtained from any number of hacked companies. Neiman Marcus noted the breadth of the Target hack, and asserted that Plaintiffs could not show that the breach at Neiman Marcus was the source of their problems. The Seventh Circuit held that this showing was not required: the fact that other companies might have exposed Plaintiffs’ information was for defendants to prove, not for plaintiffs to allege.
Although the Neiman Marcus decision generally provides a boost to consumer suits, it is worth remembering that it deals only with whether plaintiffs can survive a motion to dismiss. The Court’s opinion repeatedly referenced the standard that requires courts to credit plaintiffs’ allegations at this stage of the litigation, and noted all that is required to establish standing is a non-speculative assertion of injury.
Whether Neiman Marcus portends a paradigm shift remains to be seen. The new decision is particularly significant in light of the relatively recent decisions in the class action litigation stemming from Target’s data breach. Two class actions against Target – one by consumers and one by financial institutions – survived motions to dismiss in December 2014. There, as in Neiman Marcus, the court found plaintiffs had standing given allegations of injury based on fraudulent charges and the time and costs involved in dealing with breach-related issues. Target ultimately settled the consumers’ claims for $10 million. The financial institution class action remains pending after a proposed $19 million settlement fell apart when not enough banks signed on. Given that a circuit court has now adopted reasoning similar to the Target class action cases in refusing to dismiss class action claims stemming from a data breach, there is little doubt that the plaintiffs’ class action bar will continue to bring post-breach damage cases.