We all understand the unfortunate reality: With data breaches occurring daily, it’s only a matter of time before some hacker steals our personal or financial information. But until recently, when faced with class action lawsuits making claims about data breaches, most federal courts dismissed the suits. These courts ruled that plaintiffs lacked “standing” to bring these claims if they couldn’t show any actual injury, and merely pointed to the risk of future injury. In the typical data breach case, even though some of the plaintiffs may have suffered actual injuries—such as fraudulent credit card charges, erroneous credit reports, and credit monitoring fees—most plaintiffs can only claim the threat of such injuries in the future. But last month the U.S. Court of Appeals for the Seventh Circuit took a different approach, and allowed a case to proceed where plaintiffs demonstrated a “substantial risk” of future injury.
The Supreme Court Explains Standing: Clapper v. Amnesty International
Standing—a concept embedded in Article III, Section 2 of the Constitution—limits the jurisdiction of federal courts to lawsuits that present an actual “case or controversy.” In Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the most recent decision from the U.S. Supreme Court to explain the standing requirement, the Court stated that a plaintiff must claim an injury that is “actual or imminent.” Allegations of future harm can establish standing if the harm is “certainly impending,” but allegations of “possible” future injury are not enough. But the Court in Clapper also noted (in a footnote) that standing could be based on a “substantial risk” that harm will occur, “which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”
So what is the applicable standard? Must plaintiffs show that future harm is “certainly impending” to establish standing? Or can they merely show that they face a “substantial risk” of future harm? The Seventh Circuit took on that question in Remijas v. Neiman Marcus Group, No. 14-3122 (July 20, 2015).
“Substantial Risk” of Future Harm: Remijas v. Neiman Marcus Group
The department store Neiman Marcus suffered a data breach in 2013. Using malware infecting the company’s computer systems, hackers compromised as many as 350,000 credit cards—and at least 9,200 of those cards experienced fraudulent activity. The company publicly disclosed the breach, and notified the customers possibly impacted.
Following the disclosure, various groups of plaintiffs filed class action lawsuits in federal courts; the suits ultimately were consolidated into one case in the Northern District of Illinois. All of the plaintiffs claimed that they had used a credit or debit card at a Neiman Marcus, but only some of them pointed to actual injuries from fraudulent charges or other harms stemming from the breach. The majority of the plaintiffs alleged “only that their data may have been stolen.” Citing Clapper, the district court found plaintiffs’ allegations of potential future harms too speculative and remote to confer standing, and dismissed the lawsuit.
The Seventh Circuit reversed that decision. Contrary to what the district court thought, Clapper “does not foreclose any use whatsoever of future injuries to support Article III standing.” In Clapper, the Supreme Court decided that human rights organizations did not have standing to challenge the Foreign Intelligence Surveillance Act because they could not show that their communications actually were intercepted by the government; they only suspected that such interceptions might have occurred. This suspicion was too speculative to support standing.
But according to the Seventh Circuit, where plaintiffs in a data breach case can show that credit card information actually was stolen, the risk of future harm becomes far less speculative. The threat of hackers misusing the stolen information is “immediate and very real.” As the court explained,
Why else would hackers break into a store’s database and steal customers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those customers’ identities.
The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an “objectively reasonable likelihood” that such an injury will occur.
Under these circumstances, there is a “substantial risk” of future harm. Because the Supreme Court’s footnote in Clapper left open the option to show standing using that standard, the Seventh Circuit allowed plaintiffs to move forward.
What Does Neiman Marcus Mean for Companies Battling Data Breaches?
Let’s consider the impact of the Neiman Marcus decision both legally and practically.
Legally, Neiman Marcus will have limited repercussions—for now. The Seventh Circuit, which covers federal courts in Illinois, Indiana, and Wisconsin, is the only circuit so far to adopt the “substantial risk” standard for data breach cases.
But the Ninth Circuit—which includes California and its far-reaching technology industry—might go the same direction as the Seventh. In Neiman Marcus, the court found persuasive a decision from the Northern District of California: In re Adobe Systems, Inc. Privacy Litigation, No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014). In that case, Judge Lucy Koh reasoned that the Ninth Circuit’s opinion in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), a case involving stolen employee data, remains unchanged by Clapper. Krottner sets out the applicable standard in the Ninth Circuit: If plaintiffs can show a “credible threat of real and immediate harm,” they can establish standing. The “credible threat” standard seems to fall very close to the “substantial risk” standard, so if other judges adopt the same reasoning as Judge Koh, we may see courts in the Ninth Circuit refuse to dismiss data breach cases for lack of standing.
Practically, Neiman Marcus may signal a shift in the judicial approach to data breach cases, with courts in many jurisdictions becoming more likely to entertain those cases. Companies face escalating pressure to prevent data breaches, communicate adequately about them, and repair the damage caused by them. This pressure comes from many directions—legislators, regulators, insurers, and consumers. Inevitably it will also come from our court systems.
In the meantime, we should at the very least expect a wave of new data breach cases in the Seventh Circuit. So if your organization stores personal or financial data—which includes almost every organization out there—get ready for that wave to hit.
At DiscoverReady, we help our clients navigate the complex electronic discovery demands in high-stakes litigation like data breach cases. We also help them proactively avoid those claims, by enabling them to understand where sensitive information exists, and protect it from hackers.
Have questions about the implications of the Neiman Marcus case, or other aspects of litigation over data breaches? Contact me and let’s chat.