Last week the Seventh Circuit reinstated the Neiman Marcus data breach class action, holding that plaintiffs had satisfied Article III’s standing requirements based on at least some of the injuries they alleged. In doing so, the Seventh Circuit became the first federal court of appeals to rule on a challenge to the standing of purported data breach victims in light of the Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), and diverged from the growing majority of federal district courts that have held similar allegations are insufficient to confer standing.
In Remijas v. Neiman Marcus Group, LLC, a putative class of Neiman Marcus customers brought claims against the company for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws as a result of a 2013 malware attack that exposed approximately 350,000 debit and credit card numbers. The plaintiffs alleged several types of injury as a result of the data breach, including in relevant part: (1) an increased risk of future fraudulent charges, (2) greater susceptibility to identity theft; (3) lost time and money resolving fraudulent charges; and (4) lost time and money protecting themselves against the risk of future identity theft. Notably, the plaintiffs also alleged that at least 9,200 of the impacted cards had already experienced fraudulent charges.
Neiman Marcus moved to dismiss the complaint for lack of standing, and on September 16, 2014, the district court granted the motion and dismissed the class action complaint. Remijas v. Neiman Marcus Group, LLC, No. 14-cv-1735, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sept. 16, 2014). The district court, citing Clapper, reasoned that the plaintiffs’ allegations of injury were not sufficiently imminent and “certainly impending” for purposes of standing, and that any fraudulent charges incurred were reimbursed and the incidental related costs to those customers were de minimus. This is consistent with the majority of districts courts that have considered and rejected similar allegations of increased risks of identity theft and fraudulent charges and time and money spent monitoring credit. See, e.g., Green v. eBay Inc., No. 14-1688, 2015 U.S. Dist. LEXIS 58047, *10-12 (E.D. La. May 4, 2015) (collecting cases and noting that “[f]ollowing Clapper, the majority of courts faced with data breach class actions . . . [have] found that the mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly impending,” and dismissed the complaints for lack of Article III standing).
On appeal, however, the Seventh Circuit came to a different conclusion. The court distinguished Clapper as a case in which plaintiffs “could not show that their communications with suspected terrorists were intercepted by the government,” since they merely “suspected that such interceptions might have occurred.” Remijas, 2015 U.S. App. LEXIS 12487 at *10 (emphasis in original). In contrast to Clapper, the Seventh Circuit held the plaintiffs in Remijas faced an “objectively reasonable likelihood” of imminent fraudulent charges and identity theft – asking “Why else would hackers break into a store’s database and steal customers’ private information?” – analogizing the case to the Adobe data breach addressed in In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014), and noting that “so far” fraudulent charges had already appeared on 9,200 of the cards. Id. at **11-13 (emphasis in original). The court also held that plaintiffs’ allegations of mitigation expenses incurred dealing with and protecting themselves against future identity theft and fraudulent charges qualified as a concrete injury.
While potential data breach plaintiffs and their attorneys are understandably encouraged and emboldened by the Seventh Circuit’s decision, the opinion won’t be the last word on the standing of consumer data breach class action plaintiffs. As data breach litigation continues to increase, other federal courts of appeal are likely to address the standing issue. In fact, another data breach class action dismissal on the basis of standing is currently on appeal in the Seventh Circuit. See Lewert v. P.F. Chang's China Bistro, Inc., Nos. 14-cv-4787, 14-cv-4923, 2014 U.S. Dist. LEXIS 171142 (N.D. Ill. Dec. 10, 2014), appeal docketed, No. 14-3700 (7th Cir. Dec. 12, 2014). The Seventh Circuit has asked the parties to file statements of positions in light of the ruling in Remijas, and could use a decision in P.F. Chang’s to further explain its position on standing and the extent of its holding in Remijas. For example, in Reminjas the allegation was that at least 9,200 cards had already incurred fraudulent charges, making the risk of imminent harm to the putative class members much less speculative than if there had yet to be any fraudulent charges or identity theft, as is often the case with data breach class action complaints. The Seventh Circuit also made a point to distinguish Remijas as “going far beyond” the allegations in Robins v. Spokeo, Inc., which is the case currently pending before the Supreme Court that will likely have significant implications on the ability of plaintiffs to bring data breach class actions premised solely on statutory violations.
- Partner
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes. He serves as co-leader of the firm's Litigation Group.
Jacob primarily ...
Topics/Tags
Select- Litigation
- Class Action Litigation
- Appellate Law
- Cybersecurity and Privacy Law
- Data Breach
- E-Discovery
- Securities Law
- Coronavirus
- Sixth Circuit
- Supreme Court
- Intellectual Property
- Social Media
- Trademark
- Trademark Litigation
- Bet-the-Company Litigation
- E-Discovery Case Law
- Electronic Data Discovery
- Initial Coin Offering
- Antitrust
- Federal Rules of Civil Procedure
- Employment Law
- Workplace Accommodations
- ESI
- Employer Policies
- Labor & Employment Law
- Labor Law
- Technology
- ERISA
- Stock Drop
- Cryptocurrency
- GDPR
- General Data Protection Regulation
- SEC
- Securities Litigation
- Ascertainability
- Craft Brewing
- Cybersecurity Regulation
- Drug Enforcement Agency
- Medical Marijuana
- Ohio Foreclosure Reform
- Copyright Law
- Electronically Stored Information
- Environmental Law
- Fair Housing Act
- Health Care Act
- Healthcare Reform
- Pregnancy Discrimination
- Proportionality
- Religion Discrimination
- Seventh Circuit
- Accommodation
- Americans with Disabilities Act
- Business Process Improvement
- Cyber Insurance
- EEOC
- Employment Litigation
- FLSA
- Lenders
- Receivership Statute
- Telecommuting
- Employer Handbook
- Employer Rules
- National Labor Relations Act
- National Labor Relations Board
- NLRB
- Unions
- E-Discovery Project Plan
- Evidence
- Predictive Coding
- TAR ( Technology Assisted Review)
- Quality Representation
- Subpoena
- Arbitration
- CAFA
- Land Use & Zoning
- Construction Litigation
- Privacy
- Statute of Limitations
- Taxation
- Federal Rule
Recent Posts
- Agency Deference Loses its Luster Under Ohio Law—Is Interpretation of Administrative Statutes Ohio's Next Legal Hot Topic?
- United States Supreme Court Clarifies Boundaries of Federal Civil Rule 60(b)
- Motion for Reconsideration in an Appeal: Sometimes the Court will Reconsider if you Argue its Initial Decision was Just Wrong
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- Questioning the Questionnaires: New PPP-Related Litigation Raises Issues for Borrowers
- "You Don't Have to Go Home But You Can't Stay Here": Updates to Ohio and Kentucky’s COVID-19 Orders Impacting Bars & Restaurants
- Kentucky Restaurants Begin Opening with Limited Capacity Amid COVID-19 Epidemic
- Ohio Restaurants and Bars Begin Soft Openings for Diners Amid COVID-19 Epidemic
- Supreme Court Sidesteps “Cy Pres” Challenge
- Golfers, New and Old - Be Careful!