This week, the Seventh Circuit held that plaintiffs bringing claims for stolen credit card information have standing to sue to recover fraudulent charges, as well as fraud prevention expenses, resulting from a data breach. The three-judge panel held that the defendant, luxury retailer Neiman Marcus, would have to face claims that a 2013 data breach caused harm to plaintiffs, overturning a district court’s ruling that the plaintiffs did not have standing to bring the suit.
The case arises from a class action filed by consumers for negligence, breach of contract, deceptive business practices and a number of other theories for relief. The plaintiffs allege that Neiman Marcus’ security system was hacked, which resulted in a massive data breach that compromised the credit card numbers of 350,000 of its consumers. The district court dismissed the case, finding that the plaintiffs lacked standing to sue under Article III. The Seventh Circuit disagreed with the district court, finding that plaintiffs did in fact have standing to sue, and reversed and remanded the case for further proceedings.
The Seventh Circuit’s decision hinged on the issue of whether plaintiffs’ stated future injuries were sufficient for standing under the Supreme Court’s decision in Clapper v. Amnesty International USA. InClapper, the Supreme Court held that standing can be established through allegations of future harm if the harm is “certainly impending” but individuals cannot show standing where there are only “allegations of possible future injury.”
The plaintiffs in Neiman Marcus based their standing argument in part on two future harms: an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit rejected the district court’s holding that these future harms were insufficient for standing, stating that the district court was incorrect in assuming that Clapper “foreclose[s] any use whatsoever of future injuries to support Article III standing.” The Seventh Circuit distinguished Clapper, a case in which plaintiffs brought suit based on potential government interception of plaintiffs’ communications, noting that inClapper the injuries were “speculative harm based on something that may not even have happened” and could not support standing. In contrast, the Seventh Circuit found that the consumers in this case were able to show a “substantial risk of harm” in part because there was no doubt that the breach occurred; defendant admitted that consumers’ credit card information was stolen and that there had been fraudulent charges as a result of the breach. (Of course, not all putative class members suffered such charges; what that portends for plaintiffs’ future prospects is uncertain.)
Defendants in several data breach suits have invoked Clapper as a successful basis on which to dismiss for lack of standing. The Seventh Circuit’s decision here could represent a shift in direction. The case appears to open the door for plaintiffs in data breach cases to show standing based upon a broader range of alleged future injuries, specifically those “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft.” Moreover, the Seventh Circuit decision may reflect an emerging sense among some courts that plaintiffs in data breach cases have been too readily dismissed, notwithstanding the frequent absence of tangible harm. How widespread that sentiment may be bears watching as the number of data breaches continues to proliferate.