The Seventh Circuit Court of Appeals decided on July 20, 2015, that individuals whose credit card information was exposed to hackers in the 2013 Neiman Marcus data breach have standing to sue the luxury department store in a class action lawsuit.  The Seventh Circuit’s opinion suggests, contrary to the holdings of most other federal courts, that data breach victims suffer injury for the purpose of Article III standing even if they have not suffered actual fraudulent credit card charges or identity theft.  

In 2013, hackers gained access to Neiman Marcus’ servers and planted malware to collect credit card data.  In December 2013, Neiman Marcus began learning about fraudulent charges appearing on its customers’ credit cards.  Public and individual announcements were disseminated in January 2014 confirming the data breach. Neiman Marcus determined that 350,000 cards were potentially exposed, out of which 9,200 cards had been fraudulently used.  Several shoppers who received fraudulent charges on their payment cards as a result of the breach filed suit against Neiman Marcus, alleging (i) actual injuries suffered by the 9,200 cardholders for lost time and money spent on handling fraudulent charges and preventing future ones, and (ii) future harm that the entire class of 350,000 cardholders would suffer for possible further fraudulent charges and identity theft.

In September 2014, a federal district court in Illinois dismissed the action, ruling that the plaintiffs lacked Article III standing based on their allegations.  The court relied on Clapper v. Amnesty International USA, 113 S. Ct. 1138, 1147 (2013), which requires plaintiffs alleging future harm to establish that such harm is “certainly impending”; “allegations of possible future injury are not sufficient.”  In Clapper, the Supreme Court decided that human rights organizations did not have standing to challenge the Foreign Intelligence Surveillance Act because they could not show that their communications with suspected terrorists had been intercepted by the government—plaintiffs only suspected that such interceptions might have occurred.  Analogizing to Clapper, the district court concluded that the Neiman Marcus plaintiffs’ allegations of future harm were speculative and not “certainly impending”.  In addition, because fraudulent charges had been reimbursed and there existed no imminent harm of future fraudulent charges or identity theft, the district court determined that there was no “actual injury” sufficient to satisfy the standing requirement. 

On appeal, however, the Seventh Circuit held that Clapper does not foreclose use of future injuries to support Article III standing.  In Clapper, the Court stated that “our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about.  In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”  The Seventh Circuit relied on that statement to hold that the plaintiffs in the Neiman Marcus litigation had alleged a substantial risk of harm, given that a hacker collecting credit card information was almost certain to make fraudulent charges and commit identity theft. In addition, the Seventh Circuit was satisfied with the plaintiffs’ allegation that, apart from the fraudulent charges (which were later reimbursed), they had incurred “mitigation costs” in time and money spent on, among other things, credit monitoring services, card replacement, and other activities to prevent identity theft.

Finally, on the issue of causality, the Seventh Circuit rejected Neiman Marcus’ argument that the plaintiffs could not establish that their injuries were traceable to the breach at the company, rather than to one of several other large-scale breaches that took place around the same time.  The Seventh Circuit ruled that if there were multiple companies that could have exposed the plaintiffs’ private information to the hackers, then the burden shifted to Neiman Marcus to prove that its negligent actions were not the “but-for” cause of the plaintiffs’ injuries.

The Neiman Marcus decision is important because it is the first federal circuit court of appeals opinion to interpret Clapper in the context of a data breach class action in the two years since the Supreme Court issued the Clapper opinion.  Privacy and class action practitioners should closely monitor how lower courts and other courts of appeals interpret (if not apply) the Neiman Marcus decision when faced with standing arguments in privacy-based class actions.

Reporter, Longbo Wang, Silicon Valley, +1 650 422 6729