On July 20, 2015, a federal appeals court in Chicago issued what could be a watershed ruling in favor of consumers pursuing class action lawsuits against retailers and other companies following data breaches that involve the theft of payment card information.
In Remijas v. Neiman Marcus Group, LLC, a three-judge panel for the United States Court of Appeals for the Seventh Circuit (“7th Circuit”) breathed new life into a class action filed by Neiman Marcus customers after their debit and credit card information was stolen from the company in a 2013 data breach. In reversing the trial court’s earlier dismissal of the lawsuit, the appellate court ruled that the lost time and money spent by customers resolving fraudulent charges, and protecting themselves against future identity theft are sufficient to establish the injury-in-fact requirement for standing to file suit.
The 7th Circuit is the first federal appellate court to rule in a consumer data breach case that precautionary preventative costs – such as credit monitoring expenses and identity theft protection fees that customers might incur after being notified about a breach, or replacement card fees – “easily” qualify as concrete injuries to establish standing to sue. The question of whether such costs would satisfy the injury-in-fact requirement for standing to file data breach cases has been a point of contention for quite some time.
Background: Neiman Marcus Data Breach in 2013
Hackers attacked Neiman Marcus sometime in 2013. In the breach, which Neiman Marcus discovered in late December 2013 or early 2014, payment cards for 350,000 customers were accessed and exposed to malware by the hackers. (Notably, the store maintained that only payment card information was taken, and that other sensitive information such as customer social security numbers and birth dates were not compromised.) Neiman Marcus notified its customers of the breach and card theft in January 2014 and offered one year of free credit monitoring and identity-theft protection.
The Inevitable Follow-On Litigation
Multiple customer class actions were filed against Neiman Marcus for damages allegedly due to the breach and payment card theft. These were consolidated into one class action seeking to represent 350,000 Neiman Marcus customers whose payment card data was hacked. The lawsuit alleged that 9,200 of the payment cards had been used for fraudulent charges so far.
The plaintiffs alleged that they had standing to file suit based on two imminent injuries: an increased risk of future fraudulent charges and greater susceptibility to identity theft. They also alleged several additional types of injury: 1) lost time and money resolving the fraudulent charges, 2) time and money protecting themselves against future identity theft, 3) the financial loss of buying item at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.
Why the Trial Court Dismissed the Lawsuit
The trial court dismissed the lawsuit because it found that the alleged increased risk of future harm (in the form of fraudulent charges and identity theft) was too speculative of an injury to allow the lawsuit to move forward. In so ruling, the trial court invoked a recent U.S. Supreme Court decision, Clapper v. Amnesty Int’l USA, which involved a lawsuit by a human rights organization against the Director of National Intelligence to stop the government’s possible interception of communications between the plaintiffs and other entities. The plaintiffs suspected, but had no proof, that such interceptions had occurred in the past and would continue in the future. The Supreme Court found that such concerns were too speculative to support standing, noting that while allegations of future harm can establish standing if that harm is “certainly impending”, but mere “allegations of possible future injury are not sufficient.”
The 7th Circuit’s Reasons for Reversing the Trial Court’s Dismissal
The 7th Circuit made its own standing evaluation of the Neiman Marcus case, and applied the Supreme Court’s requirement in Clapper that the injury either has already occurred or is “certainly impending”. It found that the trial court had erred in its analysis, reversed the decision to dismiss the lawsuit, and sent the case back down to the trial court for further proceedings.
The court noted that, unlike in Clapper, where there was no proof that the government had, in fact, intercepted the plaintiffs’ communications, in this case it was undisputed that the data breach involving 350,000 payment cards had occurred. Further, the Neiman Marcus plaintiffs also alleged that the 9,200 customers whose cards had been used for fraudulent charges had already experienced harm: “those victims have suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges. The complaint also alleges a concrete risk of harm for the rest.”
The court looked to another data breach case that involved similar issues, In re Adobe Sys. , Inc. Privacy Litigation, in which the federal district court for the Northern District of California concluded that for consumers whose protected information was stolen in that case, “…the risk that their personal data will be misused by hackers who breached Adobe’s network is immediate and very real.”
Building on that analysis, the 7th Circuit concluded that “the Neiman Marcus customers should not be required to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur.” To bolster its point, the Court noted that “it is telling … that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers … who shopped at their stores between January 2013 and January 2014. It is unlikely it did so because the risk is so ephemeral that it can be safely disregarded.” (In other words, no good deed goes unpunished!)
The Court also noted that requiring the plaintiffs to wait to sue until after the threat materialized would create a different set of problems – the passage of time increases the difficulty for plaintiffs to prove that the identity theft or credit card fraud was due to this data breach, rather than some other breach that may occur in the future.
The 7th Circuit concluded that, “at this stage of the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would the hackers break into a store’s database and steal consumers’ private information?” It then ruled that “the injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” suffice to establish the injury-in-fact requirement necessary for standing to file suit.
The Neiman Marcus decision is significant because it is the first federal appellate court to find that:
1) there is “an objectively reasonable likelihood” that the consumer plaintiffs will suffer identity theft or credit card fraud at the hands of the hackers, which, in turn makes it plausible to infer that the plaintiffs have shown a “substantial risk of harm” from the data breach, and
2) common post-breach protective measures like fraud protection and identity theft protection taken by consumers satisfy the injury-in-fact requirement for establishing standing to sue.
The court’s analysis and conclusions may have eased the way for consumer data breach plaintiffs to get past the “standing to sue” hurdle that every plaintiff faces in every federal case. If it has, then more consumer data breach lawsuits probably will survive the motion to dismiss stage, and reach the class certification and/or discovery phases of the case. Other federal appellate courts have yet to weigh in on the issue in the context of consumer data breach cases, and when they do, they could reach a different conclusion. Or the same one. Time will tell.