7th Cir. Erodes Harm Barrier in Neiman Breach Case


By Katie W. Johnson

July 23 — Taking a position that appears to erode the likelihood of harm barrier that has held back most data breach class litigation, the U.S. Court of Appeals for the Seventh Circuit July 20 held that a likely threat of identity theft is enough for a group of customers to have standing to sue Neiman Marcus Group LLC over approximately 350,000 payment cards exposed in a hack.

In reversing and remanding the case, Chief Judge Diane P. Wood said the named plaintiffs satisfied Article III's standing requirements based on their alleged future injuries and loss of time and money protecting themselves against future identity theft and fraudulent charges. Some of the potential class members actually faced card fraud, the court said.

The Seventh Circuit, however, rejected the plaintiffs' allegations of overpayment for the company's products and the loss of their private information as bases for an injury in fact.

The “customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood' that such an injury will occur,” the court said, quoting the standard set forth in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013).

Michael Beder, an attorney at Covington & Burling LLP in Washington, told Bloomberg BNA July 23 that the Seventh Circuit's decision “is interesting in part because there aren’t many appellate-level decisions on this question.”

“Most courts, including the Third Circuit, have been reluctant to find standing for data breach plaintiffs who failed to allege that their own data had been misused,” he said. “The Remijas decision seems to suggest that, if it is clear that some individual data involved in a breach has been misused, the court might give more weight in the standing analysis to the risks faced by other individuals allegedly affected by the same breach.”

“That said,” Beder added, “there is likely to be a lot more debate in the courts about whether that logic really is consistent with the Supreme Court’s instruction in Clapper that a future injury has to be ‘certainly impending' in order to give a party standing.”

Far Beyond Spokeo 

In the wake of Clapper, many federal trial courts considering data breach cases have rejected allegations of a possible future injury as a basis for standing under Article III. Applying Clapper, these courts have concluded that a risk of future harm isn't enough to confer standing. But the Seventh Circuit reached the opposite conclusion.

The court also distinguished the case from another that is currently before the U.S. Supreme Court, Spokeo, Inc. v. Robins, No. 13-1339, cert. granted 135 S. Ct. 1892 (2015). 

The Seventh Circuit said the complaint's allegations “go far beyond” the complaint in the Spokeo case, which deals with a website's publication of inaccurate information in violation of the Fair Credit Reporting Act.

Beder said that the Seventh Circuit's ruling “takes as a given that the plaintiffs have to show some actual or impending harm, which is what distinguishes the Seventh Circuit’s ruling from Spokeo.”

“The Spokeo plaintiff is arguing that he has standing to sue a website that allegedly violated his rights under the Fair Credit Reporting Act whether or not that violation caused any actual damages,” he said.

Fraudulent Use of Cards 

In January 2014, Neiman Marcus announced approximately 350,000 customer payment cards had been exposed to hackers' malware between July 2013 and October 2013.

According to the court, 9,200 of those cards were fraudulently used.

Consumer class actions against the luxury department store chain soon followed. But a federal district court dismissed the consolidated putative class claims in September 2014, finding that the plaintiffs failed to demonstrate concrete injury to establish standing.

District Court Erred 

“Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing,” the Seventh Circuit said. A “substantial risk” sometimes suffices for standing, the court said.

Unlike in Clapper, there isn't any need to speculate about whether customer information was stolen from Neiman Marcus, the court said.

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” the court said.

In addition, it said the purchase of credit monitoring services comes “at a price that is more than de minimis” and thus “easily qualifies as a concrete injury.”

Besides establishing an injury in fact, the plaintiffs also established the two other elements of Article III standing, causation and redressability, the court concluded. The company's admissions about the breach and notification of customers “adequately raise the plaintiffs' right to relief above the speculative level,” the court said. A decision in the plaintiffs' favor could also redress any injuries resulting from unauthorized charges that weren't fully reimbursed, it said.

Judges Michael S. Kanne and John Daniel Tinder also served on the panel.

Ahdoot & Wolfson PC and Siprut PC represented the named plaintiffs. Sidley Austin LLP represented Neiman Marcus.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Hilary_Remijas_et_al_v_Neiman_Marcus_Group_LLC_Docket_No_1403122_/1.