One obstacle for named plaintiffs in proposed data breach class actions is the extent to which plaintiffs must allege an injury-in-fact to have standing. Disputes often arise about whether proactive efforts to mitigate against the potential misuse of stolen data, such as utilizing credit monitoring services, are sufficient to confer Article III standing. Since the U.S. Supreme Court issued its decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), which held that standing could not be established if the speculative danger of possible future acts was not “certainly impending,” federal courts have dismissed many putative class actions arising out of data breaches for a lack of standing. These courts have applied Clapper to conclude that a data breach alone does not constitute an injury, and evidence regarding the potential future misuse of data is often too attenuated to confer standing.
The Seventh Circuit, however, recently bucked that trend in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), which held that plaintiffs may have standing without alleging actual misuse of their stolen data. Our sister blog, the Data Privacy Monitor, recently discussed Remijas here. In Remijas, hackers allegedly gained access to payment card data for 350,000 Neiman Marcus customers, 9,200 of whom experienced fraudulent charges on their payment cards (all were reimbursed). The Seventh Circuit reversed the district court’s order dismissing the case for lack of standing, determining that the theft of data necessarily implied harm because the misuse of data was the only plausible explanation for the data breach. Moreover, the court used the fact that Neiman Marcus purchased credit monitoring or identity theft protection services for affected customers to support this conclusion, noting that Neiman Marcus would not have done so if the risk could be disregarded. And so, Remijas concluded, the purchase of mitigation services for those who had not yet alleged unauthorized charges was not “speculative” but was sufficiently concrete to confer standing.
The Seventh Circuit is now revisiting Remijas in Lewert v. P.F. Chang’s China Bistro, Inc., Case No. 14-3700. In Lewert, two plaintiffs alleged that nearly 7 million payment cards used to make purchases at 30 P.F. Chang’s restaurants were compromised due to a breach dating back to 2013. Although both plaintiffs made purchases at the defendant’s restaurants, neither plaintiff alleged that they dined at the 30 restaurants involved in the breach. One of the plaintiffs alleged that there were four attempts to make fraudulent charges on his account, although all charges were declined by his bank, and he was promptly issued new payment cards. The other plaintiff did not allege any attempt to make unauthorized charges on his account. Prior to Remijas, the district court granted P.F. Chang’s motion to dismiss for lack of standing. Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *1 (N.D. Ill. Dec. 10, 2014). The Lewert plaintiffs appealed, and the Seventh Circuit ordered the parties to specifically address the application of Remijas to their case.
The parties have briefed their positions, and oral argument was held on January 13, 2016. The plaintiffs maintain that the alleged infiltration of the defendant’s payment system may not be limited to the 30 restaurants identified by P.F. Chang, and could include the restaurants where the plaintiffs dined. The plaintiffs also pointed to indications that some information, purportedly stolen from other P.F. Chang customers, had been sold on the black market. Thus, relying on Remijas, the plaintiffs concluded that the data breach itself created an impending and substantial risk of future harm sufficient to confer standing.
The Seventh Circuit has an opportunity in Lewert to refine Article III standing requirements in data breach cases. Whatever the outcome, the decision promises to be an important one for the data breach class action defense bar.