In what is sure to be a widely cited data breach standing decision, the U.S. Court of Appeals for the Seventh Circuit found that increased risk of future harms from a data breach are sufficient to confer standing to sue upon affected individuals and reversed a district court’s dismissal of a putative data breach class action for lack of standing. In Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. Jul. 20, 2015), the appellate court addressed customer claims arising from the 2013 cyberattack on Neiman Marcus stores, which exposed credit card information of about 350,000 customers. The district court had dismissed the claims for lack of standing, holding that none of the damages alleged by the plaintiffs alleged an injury in fact sufficient to confer Article III standing under Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013).
The Seventh Circuit reversed, noting that in light of the uncontested fact that the breach exposed the plaintiffs’ personal data, the risk that the data will be misused by the hackers “is immediate and very real” (citing In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014)). Therefore, the court reasoned, the Neiman Marcus victims “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” While basing its holding on the increased risk of future injury from identity theft, it is noteworthy that the Seventh Circuit found the other categories of alleged injury to be “more problematic.” For example, the court expressly declined to hold that alleged “overpayment” – i.e., a premium price that plaintiffs allegedly paid for store goods with expectation of increased security – was an injury in fact sufficient to allege standing.
The Neiman Marcus decision is the first federal appellate decision on the issue of standing to assert data breach claims since Clapper, and is therefore likely to be widely cited and parsed by both plaintiffs and defendants in such cases. In the short term, the decision may have implications for the dismissal of data breach claims in other cases, such as Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-cv-4787 (N.D. Ill. Dec. 10, 2014), which is currently on appeal to the Seventh Circuit following a district court finding that “an increased risk of identity theft [was] insufficient to confer standing” on plaintiffs. And, in the longer term, the Neiman Marcus decision will join the line of prior cases in creating the legal framework for data breach class actions. Although data breach plaintiffs will certainly champion this decision, other cases have found there to be no standing and each new case will need to be considered under its particular facts, allegations, and applicable law.