Last week, a three-judge panel of the 7th U.S. Circuit Court of Appeals held in Remijas v. Neiman Marcus Group LLC that individuals whose debit and credit card numbers were stolen by cyberthieves who had hacked into Neiman Marcus's computer networks have standing to sue the retailer, even though the plaintiffs had not yet experienced any fraudulent charges on their cards. In doing so, the 7th Circuit became the first federal appellate court to address the impact of the U.S. Supreme Court's 2013 Clapper v. Amnesty International opinion on standing to sue following a data breach. Although Remijas appears to neutralize a common attack on the pleadings in cases arising out of data breaches, at least in the 7th Circuit, it is unlikely to be the last word on an issue that may ultimately be resolved by the Supreme Court.
The facts underlying Remijas follow a pattern that will be familiar to those who practice in privacy and data security or who have been on the receiving end of a data breach notice. The luxury retailer discovered malware on its computer systems that had potentially compromised 350,000 payment cards, 9,200 of which had experienced fraudulent charges. The company subsequently notified customers of the breach and offered to pay for one year of credit monitoring and identity-theft protection services for customers who had shopped at its stores during the relevant time period. In addition, all 9,200 persons who experienced fraudulent charges on their payment cards were reimbursed by their respective card issuers.
Numerous affected Neiman Marcus customers filed putative class actions in the wake of the notices, alleging causes of action for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices and invasion of privacy. Those cases were consolidated into the Remijas action, which included named plaintiffs who had experienced fraudulent charges on their credit and debit cards, as well as customers who had not. The plaintiffs alleged four theories of injury that are typical to data breach cases: (1) lost time and money resolving fraudulent charges on their payment cards; (2) lost time and money protecting themselves from future fraud and identity theft; (3) that they had been deprived of the benefit of their bargain in making purchases at Neiman Marcus they would not have made had they known of the company's poor cybersecurity; and (4) loss of control over their sensitive personal information.
As most companies facing similar lawsuits do, Neiman Marcus moved to dismiss under Federal Rule of Civil Procedure 12(b)(1), since the card issuers would reimburse plaintiffs for any fraudulent charges and the time loss and expense individuals would incur in resolving or taking preventative steps against future identity theft and fraud were too speculative to satisfy Article III. The district court agreed, joining the chorus of several other trial courts in finding that Clapper significantly limited the ability of a plaintiff to establish standing based on the threat of future injury.
Reversing, the 7th Circuit found that the district court had interpreted Clapper too narrowly, noting that the Supreme Court had expressly recognized the ability of plaintiffs to establish standing where they faced a "substantial risk" of "imminent harm." In Clapper, plaintiffs consisting of lawyers, human rights and media groups challenged the FISA Amendments Act of 2008, which authorized the government, in certain circumstances, to conduct warrantless surveillance on persons reasonably believed to be outside the United States. They alleged that the law caused them to incur expenses in taking measures to protect sensitive communications with their clients and sources from government snooping. The Supreme Court found these expenses were insufficient to establish standing, because the risk that the plaintiffs' future sensitive communications with overseas individuals would be intercepted was too speculative and remote.
The critical difference between the claims in Clapper and Remijas, the 7th Circuit panel reasoned, was that the Clapper plaintiffs did not know whether the government would use the FISA Amendments Act to intercept their sensitive communications, while the plaintiffs in Remijas had been notified that hackers had stolen their payment card data. Therefore, the court held, while the plaintiffs' mitigation expenses in Clapper could not be tied to a non-speculative future injury, data breach victims face a real threat of future fraud and identity theft. Putting the matter bluntly, the 7th Circuit panel asked and answered its own rhetorical question: "Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Following this reasoning, it is difficult to imagine a scenario in which a standing challenge to a lawsuit brought by recipients of a data breach notice would ever succeed in the 7th Circuit.
Although Remijas only represents the law of the land in the 7th Circuit, it is nevertheless an opinion that has consequences nationwide. First, like the 9th Circuit, which recognized the standing of persons affected by data breaches to sue the breached company in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the 7th Circuit may become a preferred venue for plaintiffs to bring class actions arising out of data breaches. Because the 7th Circuit is home to several large metropolitan areas, representative plaintiffs are readily available. Indeed, Neiman Marcus' ultimate parent company is headquartered in the 5th Circuit, but Remijas resided in and shopped at Neiman Marcus stores in the 7th Circuit.
Second, although Remijas was the first appellate decision to address the impact of Clapper on standing in data breach cases, it is unlikely to be the last. District courts in several other circuits, including the 3rd, 5th, 6th and D.C. Circuits, have reached contrary conclusions, holding that unless a plaintiff has experienced identity theft or fraud following a data breach, the plaintiff's risk of injury is too speculative to satisfy Article III.
Given the growth of both data breaches and consequent data breach litigation, a circuit split appears more likely than not to develop.
Originally published in the Daily Journal on July 29, 2015.