In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.
Background
Neiman Marcus learned in December 2013 that fraudulent charges had appeared on payment cards of some of its customers. An investigation revealed that malware on the Neiman Marcus systems had potentially exposed payment card information for about 350,000 payment cards, of which 9,200 cards were known to have been used fraudulently. Neiman Marcus notified customers who shopped at its stores between January 2013 and January 2014 and offered those affected one year of free credit monitoring and identity-theft protection.
The class action complaints filed against Neiman Marcus in connection with the breach were consolidated in the Northern District of Illinois in June 2014, under the caption Remijas v. The Neiman Marcus Group LLC. The named plaintiffs, seeking to represent a class of the approximately 350,000 customers whose payment card information was potentially compromised, alleged that the retailer cut corners on security measures that could have prevented or mitigated the breach, exposing the class to both fraudulent charges and increased risk of identity theft. Plaintiffs asserted numerous theories for relief: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.
Neiman Marcus moved to dismiss the class action for lack of standing and for failure to state a claim. On September 16, 2014, U.S. District Judge James B. Zagel of the Northern District of Illinois granted the motion on standing grounds only, ruling that unauthorized charges for which plaintiffs were or would be reimbursed were not sufficient injury-in-fact to give the plaintiffs standing to pursue the litigation. Plaintiffs appealed the dismissal to the Seventh Circuit.
Standing and the Data Breach Landscape
The “injury-in-fact” requirement of Article III standing has been a significant barrier to plaintiffs in data breach litigation, particularly following the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.
In Clapper, plaintiffs (including attorneys, human rights organizations, and media groups) challenged the constitutionality of an amendment to the Foreign Intelligence Surveillance Act (FISA) that made it easier for the government to obtain wiretaps on intelligence targets outside the United States. Plaintiffs based their standing claim on grounds that their work required them to engage in sensitive communications with foreign individuals who may be targets of FISA surveillance, such communications could be intercepted in the future, and the warrantless surveillance program under FISA would require them to incur expenses to protect the confidentiality of their communications.
To have standing, a litigant must “prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” The Supreme Court concluded the Clapper plaintiffs failed to establish standing, holding:
- the threatened harm must be “certainly impending” and “fairly traceable” to the FISA amendments to constitute injury-in-fact;
- the risk that the government would imminently target the plaintiffs’ communications was “highly attenuated” and “highly speculative”; and
- plaintiffs cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm.”
Since Clapper, the majority of courts faced with a motion to dismiss in data breach litigation have rejected plaintiffs’ arguments that their increased risk of becoming victims of future fraud, identity theft, or phishing, and their costs incurred in attempting to mitigate such risk, satisfied the injury-in-fact standing requirement.
The Neiman Marcus Decision
On appeal, the Neiman Marcus plaintiffs claimed standing based on two allegedly imminent injuries: (1) an increased risk of future fraudulent charges and (2) greater susceptibility to identity theft. Plaintiffs also pointed to several injuries they allegedly already suffered: (1) lost time and money resolving fraudulent charges; (2) lost time and money protecting against future identity theft; (3) financial loss of buying items from Neiman Marcus that they would not have purchased had they known of the store’s inadequate cybersecurity, and (4) lost control over the value of their personal information. At oral argument, plaintiffs contended that the prevailing Clapper interpretation set an unreasonably high bar for retail data breach victims.
The Seventh Circuit concluded that the alleged “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” satisfied Clapper’s requirement that injury either must already have occurred or be “certainly impending.” Reversing the district court’s ruling, the Seventh Circuit opined that “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”
For the 9,200 Neiman Marcus customers who already incurred fraudulent charges, the Seventh Circuit held that, regardless of whether those charges were reimbursed, those customers had already incurred identifiable costs associated with “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.”
Further, the Seventh Circuit disagreed with most courts who have ruled on the question of whether risks of future fraudulent charges and identity theft were “too speculative” or attenuated in the case of a hacking that targeted payment information. The panel distinguished Clapper, noting that while the Clapper plaintiffs could not allege the government had actually accessed private information, “Neiman Marcus does not contest the fact that the initial breach took place.” The panel also made a novel ruling that Neiman Marcus essentially conceded that risk of harm was more than “ephemeral” by preemptively purchasing credit monitoring and identity theft protection for all potentially affected customers. Thus, the panel reasoned, “[a]t this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” and expenditures by Neiman Marcus consumers to mitigate this risk could confer standing.
Neiman Marcus argued that, given the number of other data breaches that had occurred contemporaneously, plaintiffs could not trace any fraudulent charges or potential future identity theft to the Neiman Marcus breach. The Seventh Circuit dismissed this argument: “Requiring the plaintiffs to wait for the threatened harm to materialize in order to sue would create a different problem: the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not ‘fairly traceable’ to the defendant’s data breach.” The court noted that even if harm is deemed “fairly traceable” to a breach at the pleading stage, plaintiffs will nonetheless have to prove adequate factual basis for such inference at trial.
The Seventh Circuit refrained from ruling if plaintiffs’ other claimed injuries – for overcharging and for loss of their personal information’s property value – could establish standing on their own, noting that “[t]hey are more problematic” and the panel was “dubious” as to their adequacy. The court also noted that delay in providing breach notifications in alleged violation of California or Illinois data breach statutes does not provide a basis for finding the injury required for Article III standing.
Implications
The Seventh Circuit’s ruling has garnered significant attention. However, the decision—even if its reasoning is adopted by other courts—leaves defendants with valuable options for defeating data breach class actions in their early phases, even before plaintiffs must prove that an institution should be held liable for failing to prevent intrusions by criminal attack groups or nation states.
Standing will likely still be a challenge. Because each data breach is unique, plaintiffs may not always be able to plead facts showing a credible, imminent harm. For example, in finding that plaintiffs had shown a substantial risk of harm from the Neiman Marcus breach, the Seventh Circuit gave significant attention to Neiman Marcus’s admission that 9,200 customers’ payment cards had been used fraudulently, and theorized that the breach was caused by hackers targeting consumers’ private information, “[p]resumably… to make fraudulent charges or assume those consumers’ identities.” Risk of future identity theft or fraudulent charges is much less likely to be “certainly impending” or “fairly traceable” to a breach with no proven fraud or to a data breach caused by a lost laptop or by a nation-state-affiliated actor seeking intelligence rather than monetary gain.
Cases that survive a standing challenge can still fall to a motion to dismiss for failure to state a claim.The Seventh Circuit addressed only the standing challenge; it did not address whether plaintiffs had properly alleged the remaining elements of a valid cause of action, including injury sufficient to state a claim. For example, a breach of contract claim must plead and prove (among other elements) the existence of a binding promise by the breached company. Several courts have declined to treat a company’s statements about its security practices, such as in a privacy policy, as an enforceable contract. Thus, even where claims survive a standing challenge, they may still be dismissed for failing to plead enough facts to support the elements of their specific claims.
Certifying a class will continue to be difficult. The few putative data breach class actions (pre- and post-Clapper) that survived initial motions to dismiss generally have been unable to overcome the class certification hurdle. For a class action to proceed, plaintiffs must prove that the class meets Rule 23’s requirements of numerosity, commonality, typicality, and adequacy of the class plaintiffs. Plaintiffs seeking monetary damages must also establish that questions of law or fact common to class members predominate over questions affecting only individual members and that a class action is superior to all other methods for fair and efficient adjudication of the controversy. Data breach claims are often based on individual issues of causation and damages, where actual impact of the data breach varies from plaintiff to plaintiff, and courts will continue to scrutinize whether proving those claims will necessarily involve individual questions of fact.