An increase in data breach class actions could be the result of a recent decision of the Seventh Circuit holding that allegations of future harm stemming from a data breach can establish Article III standing. The majority of federal courts that have addressed the issue have found that allegations of potential future harm resulting from identity theft are insufficient to confer standing in federal court, even where plaintiffs have spent money protecting against such possible harm. The Seventh Circuit joins the Ninth Circuit in holding plaintiffs alleging such harm have standing to pursue their claims in federal court.
Plaintiffs in Remijas v. Neiman Marcus Group, LLC, were customers of Neiman Marcus, whose credit card numbers were stolen by hackers in a 2013 data breach. Plaintiffs filed a class-action complaint asserting various theories of liability including negligence, invasion of privacy and violation of state data breach laws. The district court dismissed the complaint after finding plaintiffs lacked standing.
The Seventh Circuit reversed, holding that “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.” The court likened the case to a recent data breach involving Adobe, wherein the U.S. District Court for the Northern District of California declared that “the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real.” The fact that the data breach was the result of a malicious attack by hackers—as opposed to the accidental loss of data through inadvertence or negligence—heightened the danger of future harm, according to the Seventh Circuit. “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such injury will occur,” the Court wrote.
The Court also ruled that the plaintiffs’ allegations of lost time and damages flowing from the expenditure of money to protect themselves from future identity theft and fraudulent charges, including monitoring their credit, qualified as actual injuries because the harm is substantially likely. The Court found it significant that Neiman Marcus offered credit monitoring and identity-theft protection to customers affected by the breach, noting it “is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”
In finding that the plaintiffs’ claims were sufficient to establish Article III standing, the Court rejected Neiman Marcus’ argument that plaintiffs cannot show their injuries are fairly traceable to the data breach—as opposed to one of the other large-scale breaches that occurred around the same time. The Court noted that, while this may be a valid defense, the mere fact that another store might have caused the data breach does not negate plaintiffs’ standing to sue. The Court also rejected Neiman Marcus’ claim that plaintiffs had not suffered any compensable injuries because they had been reimbursed for fraudulent charges, noting that such reimbursement did not cover injuries for mitigation expenses or future harm.
The Seventh Circuit’s opinion in Remijas furthers a growing Circuit Court split over the viability of data breach class actions premised on the fear of future harm from identity theft, and is likely to lead to an increase in data breach class actions in cases involving hacking. Armed with this case, plaintiffs’ lawyers are likely to argue that the act of hacking itself makes it substantially likely that victims will suffer fraud and/or identity theft.
