Data Breach Plaintiffs Alleging Future Harm Clear Standing Hurdle
By Robert T. Denny, Litigation News Associate Editor – January 11, 2016
Data breach victims may find it easier to get their day in court following a precedential ruling by a federal appellate court. In Remijas v. Neiman Marcus Group, LLC, the federal appellate court bucked the prevailing trend toward dismissing such lawsuits for lack of standing under Article III of the U.S. Constitution, which generally requires a “concrete and particularized injury.” Instead, the court held that allegations of future fraudulent charges and identity theft were sufficient to establish Article III standing in a putative data breach class action because there was a “substantial risk” that harm would occur. Leaders of the ABA Section of Litigation suggest that Remijas may provide a blueprint for plaintiffs seeking to overcome the standing hurdle.
The Neiman Marcus Data Breach
In January 2014, Neiman Marcus disclosed that it had suffered a data breach that compromised credit card information for approximately 350,000 of its customers. Of those customers, 9,200 were estimated to have incurred fraudulent charges. Neiman Marcus offered one year of credit monitoring and identity theft protection to those affected.
Several plaintiffs filed putative class action lawsuits, which were consolidated in the U.S. District Court for the Northern District of Illinois. The plaintiffs alleged actual injuries for lost time and money to resolve the fraudulent charges and protect against future fraud, lost money in purchasing Neiman Marcus items they would not have purchased had they known of the store’s cybersecurity practices, and loss of control over their personal information. They also alleged imminent injuries of “increased risk of future fraudulent charges and greater susceptibility to identity theft.”
Neiman Marcus moved to dismiss the complaint under Rules 12(b)(1) and 12(b)(6) for lack of standing and failure to state a claim, arguing that consumers could not establish standing based on potential future injuries or the costs incurred to prevent future injuries. The district court granted the motion on standing grounds only and dismissed the complaint without prejudice.
Article III and “Substantial Risk” of Harm
The U.S. Court of Appeals for the Seventh Circuit reversed and remanded. Though the appellate court declined to decide whether overpayment for the Neiman Marcus items or invasion of the right to control personal information were actionable injuries, it held that “[t]he injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” satisfied Article III. The Remijas court reasoned that it could plausibly be inferred that there was a substantial risk of harm to the plaintiffs since the purpose of the data theft was to make fraudulent charges or commit identity theft. The appellate court also found it “telling” that Neiman Marcus provided one year of credit monitoring and identity theft protection in response. Under those circumstances, the appellate court concluded that the plaintiffs’ future injuries were not merely speculative, but “certainly impending,” which is the standard for establishing Article III standing for future injuries under Clapper v. Amnesty International, USA.
In Clapper, human rights organizations attempted to challenge the constitutionality of the Foreign Intelligence Surveillance Act (FISA), but could not show that any of their communications had been intercepted. The U.S. Supreme Court held that mere suspicion that interception might have occurred was too speculative to support standing.
Significantly, the majority of courts that have addressed standing in the data breach context have relied upon Clapper to dismiss other such lawsuits. In diverging from this trend, the Remijas court sought to distinguish Clapper, noting that there was no dispute that the data breach had occurred.
A Blueprint for Future Data Breach Cases?
Though it remains to be seen whether courts outside the Seventh Circuit will follow its lead, Section of Litigation leaders agree that Clapper and Remijas are distinguishable. “The facts related to the harm in Clapper were more attenuated and required the court to speculate what the damage would be if another set of events happened and resulted in a substantial risk of harm,” explains Amy M. Stewart, Dallas, TX, cochair of the Section’s Business Torts & Unfair Competition Committee. “However, in this case, there is no dispute that the data breach which led to the substantial risk of future harm to the customers did occur. In fact, the hackers already misused the confidential information of several customers,” she observes.
Nonetheless, the Seventh Circuit “assumes people only steal things in order to exploit them. There may be multiple reasons why the hackers did what they did and some of them might be for espionage purposes and they may not be exploited for material purposes,” explains Harvey Rishikof, Washington, D.C., cochair of the ABA’s Cybersecurity Legal Task Force. “In analyzing this case in the future, part of the inquiry will likely be, ‘Is the court’s assumption correct?’” he adds.
The case also sheds light on how plaintiffs’ and defense counsel should proceed with data breach litigation. “Defense counsel should advise clients to act proactively to handle data breaches, even though these acts, as shown in Remijas, serve as evidence of the reasonable likelihood of injury,” suggests Stewart. “They should advise customers of the breach in a timely fashion so all parties can protect themselves from future misuse of the hacked information,” she emphasizes.
For plaintiffs’ attorneys, this “is the blueprint to surviving a motion to dismiss on Article III grounds, and they should craft their arguments to fall in line with the Seventh Circuit’s decision,” Stewart concludes.
Keywords: data breach, cybersecurity, data security, standing, Article III
- » Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015), rehearing en banc denied, Sept. 17, 2015.
- » Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1142, 185 L. Ed. 2d 264 (2013).
- » Anderson v. Hanaford Bros. Co., 659 F.3d 151, 162 (1st Cir. 2011).
- » Spokeo, Inc. v. Robbins, No. 13-1339, cert. granted, __ U.S. __, 135 S.Ct. 1892 (2015).
- » Remijas v. Neiman Marcus Grp., LLC, No. 14 C 1735, ____ LEXIS ____ (N.D. Ill. Sept. 16, 2014), rev’d and remanded, 794 F.3d 688 (7th Cir. 2015).
- » In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014).
- » Henry R. Chalmers, “Class Certification Denied in Data Breach Case,” Litigation News (June 18, 2013).
- » Theresa A. Vitello, “Target Hit with Putative Class Action in Massive Data Breach,” Litigation News (Vol. 40 No. 3, Spring 2015).