On July 20, 2015, the United States Court of Appeals for the Seventh Circuit held that customers of Neiman Marcus whose payment card information was exposed in a 2013 hack of Neiman Marcus’s computer system had standing under Article III of the United States Constitution to pursue a data breach class action against the retailer, even when there was no proof of fraudulent charges on their credit cards. Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015). This case counters the majority of circuit courts, which have held that there is no Article III standing in similar cases.
In December of 2013, Neiman Marcus learned that 350,000 payment card numbers were potentially exposed during a malware attack on its computer system. After conducting an investigation, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 for whom it had physical or e-mail addresses that there had been a breach. Several customers filed class action lawsuits, including both customers whose cards had actually been used fraudulently and customers whose information was exposed but had not been used. The district judge dismissed the class action on standing grounds.
The Court of Appeals noted that for plaintiffs to have standing they “must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress to them.” Id. The Court of Appeals acknowledged the Supreme Court’s holding in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) that “allegations of possible future injury are not sufficient.” Id. at 1147. However, the Court held that there was standing in this case because, unlike in Clapper, the plaintiffs in this case showed that their personal information was targeted and that “the purpose of the hack is, sooner or later, to make fraudulent charges or assume those customers’ identities.” Remijas at 9. The Court of Appeals held that the standard is whether there is a substantial risk of harm to the plaintiffs, and based on the facts of this case, the plaintiffs had made an adequate showing of such a risk.
The Court of Appeals also noted that standing cannot be conferred based on costs incurred by plaintiffs to avoid harm, as held by the Supreme Court in Clapper; however, the Court of Appeals went on to state that “it is important not to overread Clapper.” The Court distinguished Clapper by noting that, in that case, the costs incurred by the plaintiffs were intended to mitigate a harm that may not have even happened to some of the plaintiffs (in Clapper, plaintiffs were organizations who believed that some of their communications to alleged terrorists may have been intercepted); whereas, in this case, all of the plaintiffs in the class had actually had their payment card information stolen. These customers then had to incur expenses to mitigate the potential harm, by replacing the stolen card and by procuring credit monitoring services greater than what Neiman Marcus offered.
The Court also noted that plaintiffs had asserted other theories of potential harm, including that the price for cyber security was built into the price of the goods at Neiman Marcus and plaintiffs did not receive that value, or that Neiman Marcus was therefore unjustly enriched. The Court determined that, having already concluded there was standing on other grounds, it did not need to decide whether these additional alleged harms provided standing. However, the Court noted that these alternative theories were “dubious.” The Court also rejected arguments by Neiman Marcus that there is no standing because customers’ information was also lost in other data breaches occurring at the same time or that courts cannot redress the data breach.
This case, and the additional circuit split that it creates, will increase the pressure on the United States Supreme Court to provide guidance on the parameters for Article III standing in the specific context of data breaches. Article III standing, or the lack thereof, has been the main tool that has kept the floodgates of data breach litigation fairly closed, and, at least in the Seventh Circuit, those gates have now been opened. Given that many data breaches involve customers nationwide, the Seventh Circuit will now provide a plaintiff-friendly forum for consumer data breach class actions.