The United States Court of Appeals for the Seventh Circuit reversed the district court and found that plaintiffs, customers of Neiman Marcus, have standing to pursue claims resulting from a 2013 data breach of Neiman Marcus’ computer system. Remijas v. Neiman Marcus Group, No. 14-3122 (7th Cir. 2015). As discussed previously in this blog, Article III standing is a key issue in every data breach litigation case. The Seventh Circuit’s decision is a victory for future data breach victims as more courts apply the Supreme Court’s decision in Clapper v. Amnesty International, USA to data breach cases.
In 2013, hackers stole credit card numbers from the computer system of luxury department store Neiman Marcus. Neiman Marcus confirmed that between July 2013 and October 2013, approximately 350,000 credit cards had been exposed to hackers’ malware. Numerous class-action complaints were filed, which were consolidated into one action in the Northern District of Illinois. Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. The district court granted the motion exclusively on standing grounds.
The Seventh Circuit reversed that decision, finding that the plaintiffs satisfied the requirements for Article III standing, which include alleging a particularized injury, that defendant caused the injury, and that a judicial decision can provide redress for that injury. First, the Court found that the plaintiffs suffered sufficient present and future injuries. Approximately 9,200 customers already experienced fraudulent charges, and although they were reimbursed for these charges, the Court determined that the cost associated with sorting out the charges represented a sufficient injury. Additionally, the Court determined that there is a concrete risk of future injury for the members of the class that had not yet experienced fraudulent charges or identity theft. The Court noted that, contrary to the district court’s thinking, Clapper does not foreclose any use of future injuries to support Article III standing. In data breach cases, a substantial risk of future harm may be sufficient to support Article III standing. The Court found that following a data breach there is an objectively reasonable likelihood that credit card fraud and identity theft will occur, especially in cases where fraudulent charges have already been documented. Also, the Court noted that Neiman Marcus’ offer of credit monitoring and identity protection would not have been necessary if the risk of harm were so minimal that it could be disregarded.
Second, the Court found that, for the purposes of determining standing, the plaintiffs’ injuries were caused by the Neiman Marcus data breach. The Court stated that while plaintiffs’ private information may have been exposed through a different source, it is plausible for pleading purposes that plaintiffs’ injuries are fairly traceable to the data breach at Neiman Marcus. The fact that Neiman Marcus admitted that 350,000 cards were exposed, and contacted members of the class to tell them they were at risk, was further support for plaintiffs’ position. Finally, the Court rejected Neiman Marcus’ argument that plaintiffs’ injuries could not be redressed by a judicial decision. The Court found that a favorable judicial decision could redress any injuries caused by less than full reimbursement of unauthorized charges.
This decision represents a victory for data breach victims in their ongoing struggle to satisfy Article III standing requirements in data breach litigation, especially in cases alleging risk of future harm. The Seventh Circuit’s determination that the purpose of any hack into a store’s database is to eventually make fraudulent charges or assume the consumers’ identities would result in a finding of sufficient injury in almost every data breach case involving the theft of consumer information. Additionally, the Seventh Circuit’s use of Neiman Marcus’ own remedial actions against it may have a chilling effect on the actions of corporations dealing with future data breaches. Neiman Marcus’ offer of credit monitoring and identity protection to its customers was interpreted by the Court as evidence of the seriousness of the risk of future harm. Offering these types of services has become standard practice following a data breach, but is now a practice that companies may want to reevaluate going forward.