On appeal to the Seventh Circuit, a three-judge panel opinion written by Chief Judge Woods reversed the lower court. Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814, at *3 (7th Cir. July 20, 2015). The panel opinion first addressed whether the plaintiffs’ two purportedly “imminent” future injuries—“an increased risk of future fraudulent charges” and “a greater susceptibility to identity theft”—satisfied Article III’s injury in fact, causation, and redressability requirements. Because these alleged future harms were found to satisfy Article III’s standing requirements, the panel declined to rule on whether the alleged “overpayment for Neiman Marcus products” due to its alleged failure to invest in adequate cybersecurity and the alleged “right to one’s personal information” might also suffice to confer standing. The panel did, however, characterize these allegations as “problematic” and “dubious.” Id. at *6–7.
Clapper standing challenges to data breach class actions. Id.at *4–5 (citing In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. Sept. 4, 2014)).
The panel distinguished the facts of the data breach class action from those in Clapper, finding that the plaintiffs here had shown a substantial risk of harm from the data breach because there was no dispute that various customers’ card information had been stolen and because “the purpose of [a] hack is, sooner or later, to make fraudulent charges or assume those customers’ identities.” Id. at *5. Indeed, 9,200 of the cards had already incurred fraudulent charges; further, the panel noted that the retailer’s offer of free credit monitoring services tacitly acknowledged the likelihood of future unauthorized charges. Id.
The Seventh Circuit panel also found that the plaintiffs satisfied Article III’s causation and redressability requirements, rejecting Neiman Marcus’s causation argument that the plaintiffs’ injury was not fairly traceable to its conduct because fraudulent charges could be attributable to data breaches at several other large retailers that occurred at approximately the same time. The panel stated that such an argument had “no bearing on standing to sue” and was, “at most, a legal theory that Neiman Marcus might later raise as a defense.” Id. at *7. Furthermore, the court rejected the retailer’s argument that the plaintiffs’ injury would not be redressed by a judicial opinion because they already were reimbursed for fraudulent charges and the retailer offered to provide all potentially affected customers with a year of free credit monitoring services. The panel reasoned that “reimbursement policies vary,” debit cards typically receiving less protection than credit cards; hence, “a favorable judicial decision could redress any [future] injuries caused by less than full reimbursement of [future] unauthorized charges.” Id. at *8.
Neiman Marcus filed a petition for rehearing en banc, which is pending. If allowed to stand, the Seventh Circuit panel opinion confirms that the circuit split on the issue of standing in data breach class actions survives Clapper. Although the Supreme Court in 2012 denied a petition for writ of certiorari to address this question, Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012), it is anticipated that the Court may again be asked to resolve the circuit split in the near future. The panel opinion is troubling for businesses, which are also the victims in cyber attacks and had hoped, in the wake ofClapper, to receive some judicial relief from putative data breach class actions based on fear of future injury—as opposed to any concrete financial harm.
Also disturbing for both businesses and consumers is the implication that offers of credit monitoring, coupled with reimbursement of fraudulent charges, do little to foreclose a company’s class litigation exposure in the event of a data breach. There may yet be a silver lining for corporate defendants, as the panel remanded the case to the lower court to consider the retailer’s pending motion to dismiss for failure to state a claim. See, e.g., Moyer v. Michaels Stores, Inc., No. 14c561, 2014 WL 3511500, at *5 (N.D. Ill. July 14, 2014) (finding Article III’s standing requirement was met in a putative data breach class action notwithstanding Clapper, but granting motion to dismiss because the plaintiffs failed to allege actual monetary damages—a required element of their claims—as neither an increased risk of identity theft nor the purchase of credit monitoring services constitute cognizable monetary damages). Unless vacated on rehearing en banc, the panel opinion’s lenient view of Article III’s standing requirement, coupled with a recent circuit opinion rejecting a “heightened” ascertainability requirement, Mullins v. Direct Digital, LLC, No. 15-1776, 2015 WL 4546159 (7th Cir. July 28, 2015), may mark the Seventh Circuit as an emerging venue of choice for the plaintiffs’ class action bar.
Republished with permission by the American Bar Association
Class Actions & Derivative Suits Newsletter, ABA Section of Litigation, September 2015. © 2015 by the American Bar Association.
