The concept of standing – that a plaintiff must have suffered a concrete injury in order to bring a lawsuit – is a bedrock legal principle. But, like so many other fundamental legal concepts, the rise and importance of the internet and digital commerce have consistently complicated its application.
The issue of standing is of particular importance in data breach cases, where massive amounts of data may be stolen, but resulting actual harm may not occur for years (if at all). Two recent cases from the Seventh Circuit, Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), highlight the division among federal courts over the question of standing in the wake of data breaches. This division has arisen primarily because courts disagree over the proper interpretation of the recent United States Supreme Court decision, Clapper v. Amnesty Int’l USA, ___ U.S. ___, 133 S. Ct. 1138, 1147 (2013).
“Standing under Article III of the Constitution requires that an injury be concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010). In Clapper, a case concerning the potential surveillance of communications between lawyers and clients living abroad, the US Supreme Court clarified the extent to which standing may be based on the threat of future harm. The Court rejected the Second Circuit’s reasoning that standing could be based on “an objectively reasonable likelihood” that the plaintiffs’ communications with their foreign contacts would be intercepted in the future. Clapper, 133 S. Ct. at 1147. Instead, the Court held that allegations of future injury could suffice to demonstrate standing if the threatened injury is “certainly impending,” or there is a “‘substantial risk’ that the harm will occur.” Clapper, 133 S. Ct. at 1147, 1150 n.5. Applying this standard, the Court found that the Clapper plaintiffs lacked standing because their alleged harm was speculative and not “certainly impending.” Id. at 1148.
Until recently, a majority of courts applying Clapper in data breach cases had held that plaintiffs could not rely on the threat of future harm in order to satisfy the standing requirement. Instead, a majority of courts had required “allegations of actual identity theft or fraud.” In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (collecting cases). In the context of a data breach, a majority of courts simply did not view the potential fraudulent use of stolen data as “certainly impending” or posing the “substantial risk” required to satisfy standing under Clapper; nor did they consider the expenses incurred, such as credit monitoring services, to prevent future fraud to be sufficient. Id. Instead, the majority rule makes clear that, in order for the threat of future harm to confer standing, the threat must be immediate.
The Seventh Circuit has notably departed from this majority rule. Most recently, in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700, 2016 WL 1459226 (7th Cir. 2016), the Seventh Circuit applied its 2015 holding in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), and clearly held that the mere threat of future harm flowing from a data breach is sufficient to confer standing and allow a plaintiff to sue.
In Lewert, the plaintiffs were a class of individuals who had dined at P.F. Chang’s, a national restaurant chain. The plaintiffs alleged that their credit and debit card information had been compromised after P.F. Chang’s suffered a data breach in 2014. The district court dismissed the action, finding that the class did not have standing because it had not suffered the requisite injury in fact. Lewert, 2016 WL 1459226, at *1. On appeal, the Seventh Circuit reversed, finding that the class had standing based upon the risk of future harm that could occur as a result of fraudulent charges and identity theft, and the time and effort expended to protect against that future harm. Id. at *2–3.
In reversing the district court, the Seventh Circuit relied heavily upon its 2015 decision in Remijas. In that case, arising out of a similar, recent data breach suffered by Neiman Marcus, the Seventh Circuit held that the “increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft” were “sufficiently imminent” under Clapper to satisfy the standing requirement. Remijas, 794 F.3d at 690–691. Crucial to the Seventh Circuit’s analysis in Lewert and Remijas was the fact that, unlike the putative interception of communications in Clapper, the plaintiffs’ data had already been stolen. Remijas, 794 F.3d at 693; Lewert, 2016 WL 1459226, at *2. As the Court pointed out, “there is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken.’” Remijas, 794 F.3d at 693 (alteration in original) (quoting In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014)).
While other courts outside the Seventh Circuit have recognized standing in data breach cases, they have done so on the basis of actual fraudulent charges surfacing following the breach. See In re Adobe Sys., Inc. Privacy Litig., No. 13-cv-05226-LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); In re Sony Gaming Networks & Consumer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014). In Adobe, stolen credit card information surfaced within a year of the breach, and hackers used the information to discover vulnerabilities in other Adobe products. In Sony, the plaintiffs alleged deprivation of certain services as a result of the breach, and some plaintiffs actually experienced unauthorized charges to their credit cards. In each of the recent Seventh Circuit cases, however, the Court noted that, while demonstrable harm (such as fraudulent charges) is sufficient to confer standing, it is not necessary. Rather, according to the Seventh Circuit, standing exists because such harm is imminent once the theft is complete. As the Court in Remijas noted, “[w]hy else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas, 794 F.3d at 693.
Lewert and Remijas also bucked the majority trend in holding that mitigation expenses incurred by plaintiffs to protect against future harm, such as credit monitoring services, also conferred standing. Lewert, 2016 WL 1459226, at *3 (citing Remijas, 794 F.3d at 694). Although mitigation expenses qualify as “actual injuries” for standing purposes only when harm is imminent, the Seventh Circuit noted that the breach had already occurred, rendering the “risk of identity theft and fraudulent charges sufficiently immediate to justify mitigation efforts.” Id.
Whether more courts will turn from the majority rule, as the Seventh Circuit has now done twice in Remijas and Lewert, is unclear, but companies should not wait to find out. Rather, if plaintiffs may satisfy the standing requirement by showing the mere risk of future harm, it is essential that companies limit their exposure to such risk before it happens. Having a written data security incident policy and written procedures for responding to an actual or suspected data security incident is a must. If a data security incident occurs, a company should act quickly to limit the risk of future harm to its customers, which limits exposure for both the company and its customers. This may also later assist in challenging a customer’s lawsuit against the company with respect to the incident on grounds of standing, in that the customer has not, in fact, sustained actual, imminent harm as a result of the incident.