The Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group, LLC may have removed a substantial hurdle for data-breach class actions (as we previously discussed) by holding that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” were sufficient to confer Article III standing. Does that ruling remove all of the major obstacles to data-breach class actions? Maybe not.
In Remijas, Neiman Marcus argued that the plaintiffs could not show that the Neiman Marcus breach caused their injuries. Specifically, Neiman Marcus argued that the plaintiffs could not show that their injuries were fairly traceable to the Neiman Marcus breach rather than the data breach at Target (which occurred around the same time) or some other store. In response, the court cited Summers v. Tice, a 1948 California Supreme Court case involving a plaintiff shot while quail hunting who did not know which of the defendants had shot him (insert Dick Cheney joke here). In Summers, the court held that under those circumstances, the defendants had the burden of showing who was responsible. The Seventh Circuit seemed to adopt this reasoning in Remijas, stating: “If there are multiple companies that could have exposed the plaintiffs’ private information to hackers, then the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the ‘but for’ cause of the plaintiff’s injury.”
The discussion of causation raises another substantial hurdle to data-breach class actions, namely establishing Civil Rule 23(b)(3) predominance for class certification (i.e., that questions of law or fact predominate over any questions affecting individual class members). In Remijas, the Seventh Circuit cited the First Circuit’s decision in Anderson v. Hannaford Bros. Co., which similarly held that card-replacement fees and identity-protection services were sufficient to confer standing. On remand in Anderson, however, the district court held that the plaintiff’s had not shown predominance because a trial would require determining causation of damages, which would involve “individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”
TAKE AWAY: Summers v. Tice does not remove issues of causation; it just shifts the burden. As a result, even if courts start applying Summers v. Tice to data-breach claims, courts would still need to resolve the question of what happened to the class members’ respective accounts, which under Anderson, raises whether predominance can be satisfied. This determination of causation may be particularly problematic when multiple breaches occur around the same time, like the Neiman Marcus and Target breaches, and it remains to be seen whether that causation determination can be resolved on a class-wide basis.