Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
July 23 — Taking a position that appears to erode the likelihood of harm barrier that has held back most data breach class litigation, the U.S. Court of Appeals for the Seventh Circuit July 20 held that a likely threat of identity theft is enough for a group of customers to have standing to sue Neiman Marcus Group LLC over approximately 350,000 payment cards exposed in a hack.
In reversing and remanding the case, Chief Judge Diane P. Wood said the named plaintiffs satisfied Article III's standing requirements based on their alleged future injuries and loss of time and money protecting themselves against future identity theft and fraudulent charges. Some of the potential class members actually faced card fraud, the court said.
The Seventh Circuit, however, rejected the plaintiffs' allegations of overpayment for the company's products and the loss of their private information as bases for an injury in fact.
The “customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood' that such an injury will occur,” the court said, quoting the standard set forth in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013).
Michael Beder, an attorney at Covington & Burling LLP in Washington, told Bloomberg BNA July 23 that the Seventh Circuit's decision “is interesting in part because there aren’t many appellate-level decisions on this question.”
“Most courts, including the Third Circuit, have been reluctant to find standing for data breach plaintiffs who failed to allege that their own data had been misused,” he said. “The Remijas decision seems to suggest that, if it is clear that some individual data involved in a breach has been misused, the court might give more weight in the standing analysis to the risks faced by other individuals allegedly affected by the same breach.”
“That said,” Beder added, “there is likely to be a lot more debate in the courts about whether that logic really is consistent with the Supreme Court’s instruction in Clapper that a future injury has to be ‘certainly impending' in order to give a party standing.”
In the wake of Clapper, many federal trial courts considering data breach cases have rejected allegations of a possible future injury as a basis for standing under Article III. Applying Clapper, these courts have concluded that a risk of future harm isn't enough to confer standing. But the Seventh Circuit reached the opposite conclusion.
The Seventh Circuit said the complaint's allegations “go far beyond” the complaint in the Spokeo case, which deals with a website's publication of inaccurate information in violation of the Fair Credit Reporting Act.
Beder said that the Seventh Circuit's ruling “takes as a given that the plaintiffs have to show some actual or impending harm, which is what distinguishes the Seventh Circuit’s ruling from Spokeo.”
“The Spokeo plaintiff is arguing that he has standing to sue a website that allegedly violated his rights under the Fair Credit Reporting Act whether or not that violation caused any actual damages,” he said.
In January 2014, Neiman Marcus announced approximately 350,000 customer payment cards had been exposed to hackers' malware between July 2013 and October 2013.
According to the court, 9,200 of those cards were fraudulently used.
Consumer class actions against the luxury department store chain soon followed. But a federal district court dismissed the consolidated putative class claims in September 2014, finding that the plaintiffs failed to demonstrate concrete injury to establish standing.
“Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing,” the Seventh Circuit said. A “substantial risk” sometimes suffices for standing, the court said.
Unlike in Clapper, there isn't any need to speculate about whether customer information was stolen from Neiman Marcus, the court said.
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” the court said.
In addition, it said the purchase of credit monitoring services comes “at a price that is more than de minimis” and thus “easily qualifies as a concrete injury.”
Besides establishing an injury in fact, the plaintiffs also established the two other elements of Article III standing, causation and redressability, the court concluded. The company's admissions about the breach and notification of customers “adequately raise the plaintiffs' right to relief above the speculative level,” the court said. A decision in the plaintiffs' favor could also redress any injuries resulting from unauthorized charges that weren't fully reimbursed, it said.
Judges Michael S. Kanne and John Daniel Tinder also served on the panel.
Ahdoot & Wolfson PC and Siprut PC represented the named plaintiffs. Sidley Austin LLP represented Neiman Marcus.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Hilary_Remijas_et_al_v_Neiman_Marcus_Group_LLC_Docket_No_1403122_/1.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)