In January 2014, luxury retailer Neiman Marcus disclosed that it had suffered a cyberattack in which hackers may have gained access to 350,000 credit and debit cards used at its stores in late 2013. Plaintiffs, all of whom made credit or debit card purchases from the retailer during the relevant time period, filed a putative class action lawsuit on behalf of themselves and all other customers whose card information may have been compromised. Neiman Marcus moved to dismiss for lack of standing; the district court granted that motion, holding that the plaintiffs lacked standing under Article III of the United States Constitution.
On appeal to the Seventh Circuit, a three judge panel opinion authored by Chief Judge Woods reversed the lower court. The panel opinion first addressed whether the plaintiffs’ two purportedly “imminent” future injuries – “an increased risk of future fraudulent charges” and “a greater susceptibility to identity theft” – satisfied Article III’s injury in fact, causation, and redressability requirements. (Because these alleged future harms satisfied Article III’s standing requirements, the panel declined to rule on whether the alleged “overpayment for Neiman Marcus products” due to its alleged failure to invest in adequate cybersecurity and the alleged “right to one’s personal information” might also suffice to confer standing; however, the panel characterized these allegations as “problematic” and “dubious.”) The Seventh Circuit panel also found that the plaintiffs’ alleged future injuries satisfied Article III’s causation and redressability requirements. In so holding, the panel rejected Neiman Marcus’s causation argument that plaintiffs’ injury was not fairly traceable to its conduct because fraudulent charges to plaintiffs’ credit and debit cards could be attributable to data breaches at several other large retailers that occurred at approximately the same time. Further, the panel rejected the retailer’s argument that the plaintiffs’ injury would not be redressed by a judicial opinion because they had already been reimbursed for fraudulent charges and because the retailer had already offered to provide all customers potentially impacted by the breach with a year of free credit monitoring services.
Neiman Marcus filed a petition for rehearing en banc, which is pending. The petition argues that the Seventh Circuit panel opinion contravenes the Supreme Court’s 2013 precedent in Clapper v. Amnesty International USA, which held that any alleged “future harm” be “certainly impending” in order to satisfy Article III’s standing requirement and expressly cautioned that “allegations of possible future injury are not sufficient.” If allowed to stand, the Seventh Circuit panel opinion confirms that the circuit split on the issue of standing in data breach class actions survives Clapper. Although the Supreme Court in 2012 denied a petition for writ of certiorari to address this question, Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012), we anticipate that it may again be asked to resolve the circuit split in the near future.