The Seventh Circuit may have gone a long way toward opening a flood of data-breach class actions when it held that “injuries associated with resolving fraudulent [credit-card] charges and protecting oneself against future identity theft” suffice as injuries to confer Article III standing on the plaintiffs in Remijas v. Neiman Marcus Group, LLC.
Standing (whether a plaintiff has suffered an injury the courts will recognize) has generally proven to be a substantial hurdle to plaintiffs seeking to bring class actions related to stolen credit-card and other personally identifying information, with courts in Ohio, New York, and elsewhere dismissing claims for lack of standing. The Neiman Marcus case arises out of an attack by hackers that exposed the credit-card information of approximately 350,000 of the store’s customers, about 9,200 of whom had actually incurred fraudulent charges. The district court dismissed the plaintiffs’ claims for lack of standing because the past fraudulent charges had been reimbursed and the plaintiffs could not satisfy the Supreme Court’s standard from Clapper v. Amnesty International, that a possible future injury must be “certainly impending” in order to confer standing.
The Seventh Circuit, however, reversed the district court and, in doing so, distinguished Clapper in three ways:
1. The court found that even though they had been reimbursed for all fraudulent charges, the 9,200 customers who incurred fraudulent charges had still suffered injury in the form of aggravation and valuable time spent sorting things out with their account.
2. With respect to the putative class members who had not already incurred fraudulent charges, the court found that they too had standing “because there is an objectively reasonable likelihood that [they will suffer identity theft or credit card fraud in the future].” In reaching this conclusion, the court noted that unlike the plaintiffs in Clapper who had no evidence that their communications had been monitored, the Neiman Marcus plaintiffs had actually had their credit-card information stolen.
3. The court found that plaintiffs had additional grounds for standing if they had lost time and money attempting to mitigate future identity theft and fraudulent charges. In Clapper, the Supreme Court said that plaintiffs “cannot manufacture standing by incurring costs in anticipation of future harm.” Because Neiman Marcus admitted that a data breach occurred, the court determined that, unlike Clapper, the risk of future harm was not so ephemeral that mitigation was improper, pointing to the fact that Neiman Marcus offered credit-monitoring services to all of its customers whose information may have been exposed.
TAKE AWAY: The Neiman Marcus ruling, along with the district court rulings in In re Adobe Systems, Inc. Privacy Litigation and the Target cases, indicates that some courts are not going to be as willing to dismiss a data-breach class action on standing grounds as others. To be sure, this area of the law is still developing; Clapper, itself, is just two years old. Retailers and other businesses that handle credit-card numbers or other personally identifying information, however, should reassess their potential exposure to a data-breach class action in light of these rulings.