Data breaches are messy stuff, no doubt about that. They consume a huge amount of corporate resources, damage a company’s goodwill and can cost a lot of money. No real news there. And while the technological challenges in preventing, and responding to, data breaches are ever-changing – fueling the booming cybersecurity industry – the corporate response to a data breach is fairly standardized. Basic steps include (not necessarily in this order):
- Convene response team, including IT, HR, legal and crisis management, among others (you do have a response team, right? If not, let’s talk)
- Figure out what happened, including whether personal information was obtained, and contain the breach as quickly as possible
- Contact law enforcement, if appropriate
- Analyze the breach to determine appropriate remediation and legal response and to assist law enforcement
- Identify applicable legal requirements and provide necessary notifications
- Contact insurance carrier
- Implement crisis management/communications response plan
- Provide remediation
Of course, once all of that is done and in the past, you brace yourself for the (potential) onslaught of suits by those affected by the breach – i.e., those who had their information stolen. To date, these cases have met with mixed success in court, and company executives have become somewhat sanguine about their companies’ potential exposure. Well, that may have changed recently with the Seventh Circuit Court of Appeals’ opinion in Remijas v. Neiman Marcus Group, LLC, No. 14 C 1735 (7th Cir. July 20, 2015).
Remember back in early 2014 when Neiman Marcus announced that it had suffered cyberattacks in 2013 exposing customers’ credit and debit cards to the attackers? If not, this might refresh your memory. In any event, as you might have imagined, in the wake of that announcement, class action lawsuits were filed alleging negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy and violation of multiple state data breach laws. The complaint notes that 350,000 cards were exposed to the malware and that 9,200 of those cards were subsequently used fraudulently.
The plaintiffs claimed they were harmed in six distinct ways. First, they claimed imminent injuries as they were at an increased risk of future fraudulent charges, and were more susceptible to identity theft. They further claimed that they suffered actual injuries because they: (a) already lost time and money resolving fraudulent charges; (b) already lost time and money protecting themselves against future identity theft and fraudulent charges; (c) overpaid for the products at Neiman Marcus as the store failed to invest in an adequate security system; and (d) lost the privacy of their information, which they characterized as an intangible commodity.
The legal holding
The District Court dismissed the case without prejudice, holding that the plaintiffs lacked “standing.” Standing is what enables a plaintiff to seek redress in court. Apart from whether the statute or common law rule provides a cause of action for the claimed injury, each plaintiff must prove that she has standing to bring the claim. At a minimum, standing requires that the plaintiff (a) personally have suffered some actual or threatened injury (b) that was caused by the challenged action and (c) the injury is likely to be redressed by a favorable decision. In 2013, the Supreme Court, in a case challenging the constitutionality of the Foreign Intelligence Surveillance Act of 1978, stated that to fulfill the first requirement for standing, a “threatened injury must be certainly impending to constitute injury in fact,” and that “allegations of possible future injury” are not sufficient. Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147 (2013). Applying Clapper, the District Court held that plaintiffs lacked “standing.”
The Seventh Circuit disagreed. The Court held that Clapper does not foreclose any use of future injuries to support standing. Indeed, here the information had already been stolen. Citing Clapper itself, the Court held that “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Because the parties were only at the motion to dismiss stage, where all of the allegations of the complaint are assumed to be true, the Court held that “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.” In one of the best lines in the opinion, Judge Wood exclaimed: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” As for the fact that the 9,200 cardholders were reimbursed for the fraudulent charges, the Court held that “as we already have noted, there are identifiable costs associated with the process of sorting things out.”
The plaintiffs fared only so-so in the Court’s analysis of the claimed actual injuries. With respect to the damages resulting from the lost time and money spent guarding against possible identity theft and fraudulent charges, the Court stated that the defendants were correct that Clapper held that “[m]itigation expenses do not qualify as actual injuries where the harm is not imminent.” But, once again, the Court noted that an actual data breach occurred here, whereas Clapper involved a mere possibility that communications had been intercepted. The Court further noted that Neiman Marcus offered customers credit monitoring services after the breach, something it most likely would not have done if “the risk is so ephemeral that it can safely be disregarded.” Thus, standing could be conferred on that basis. Conversely, though not ruling on plaintiffs’ last two claims – overpaying for Neiman Marcus products because of the defective data security and the loss of private information – the Court expressed skepticism as to whether those claims would truly support standing.
Impact of the decision
Although the case was decided just two weeks ago, litigants in other high-profile cases have already weighed in on the implications of the decision. In one, Barnes & Noble sought to distinguish its facts from those of the Neiman Marcus case. Barnes & Noble is defending itself against a would-be class action arising out of a security breach that compromised PIN pad devices at B&N stores. In distinguishing the Neiman Marcus decision, Barnes & Noble stressed that none of the putative class representatives in its case could say for certain whether they had been injured, and that even the one plaintiff who had been alerted by her bank about potential fraudulent charges did not allege that the charge was connected to the B&N breach. On the other hand, in its much ballyhooed case against Wyndham Worldwide Corp. for the latter’s alleged failure to prevent data breaches at several of its hotels, the FTC cited the decision approvingly, claiming that it demonstrated that the FTC had adequately alleged consumer harm.
So why do you care?
If you are a company that holds consumers’ or patients’ personal information, and you are hacked, you will care greatly. Class actions are big business these days and they depend on large recoveries or settlements, which means your company (or your insurance carrier, or both) is paying out a lot of money. How consumer protection class actions are litigated and administered can affect your legal budget, and bottom line, in a big way. The fact that plaintiffs in situations like this can satisfy the standing requirements means that these cases get to live on, costing you and your company some real money. Apart from standing, many issues surrounding data breaches are ones of first impression and are just now winding their way up through the courts. How will damages be calculated? What sort of equitable relief will be ordered? Are the injuries ultimately too speculative? Is causation certain? These are but a few of the issues with which courts and juries will be wrestling.