Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

Data Breach Class Claims Survive Clapper
September 09, 2015

On appeal to the Seventh Circuit, a three-judge panel opinion written by Chief Judge Woods reversed the lower court. Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814, at *3 (7th Cir. July 20, 2015). The panel opinion first addressed whether the plaintiffs’ two purportedly “imminent” future injuries—“an increased risk of future fraudulent charges” and “a greater susceptibility to identity theft”—satisfied Article III’s injury in fact, causation, and redressability requirements. Because these alleged future harms were found to satisfy Article III’s standing requirements, the panel declined to rule on whether the alleged “overpayment for Neiman Marcus products” due to its alleged failure to invest in adequate cybersecurity and the alleged “right to one’s personal information” might also suffice to confer standing. The panel did, however, characterize these allegations as “problematic” and “dubious.” Id. at *6–7.

Clapper standing challenges to data breach class actions. Id.at *4–5 (citing In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. Sept. 4, 2014)).

The panel distinguished the facts of the data breach class action from those in Clapper, finding that the plaintiffs here had shown a substantial risk of harm from the data breach because there was no dispute that various customers’ card information had been stolen and because “the purpose of [a] hack is, sooner or later, to make fraudulent charges or assume those customers’ identities.” Id. at *5. Indeed, 9,200 of the cards had already incurred fraudulent charges; further, the panel noted that the retailer’s offer of free credit monitoring services tacitly acknowledged the likelihood of future unauthorized charges. Id.

The Seventh Circuit panel also found that the plaintiffs satisfied Article III’s causation and redressability requirements, rejecting Neiman Marcus’s causation argument that the plaintiffs’ injury was not fairly traceable to its conduct because fraudulent charges could be attributable to data breaches at several other large retailers that occurred at approximately the same time. The panel stated that such an argument had “no bearing on standing to sue” and was, “at most, a legal theory that Neiman Marcus might later raise as a defense.” Id. at *7. Furthermore, the court rejected the retailer’s argument that the plaintiffs’ injury would not be redressed by a judicial opinion because they already were reimbursed for fraudulent charges and the retailer offered to provide all potentially affected customers with a year of free credit monitoring services. The panel reasoned that “reimbursement policies vary,” debit cards typically receiving less protection than credit cards; hence, “a favorable judicial decision could redress any [future] injuries caused by less than full reimbursement of [future] unauthorized charges.” Id. at *8.

Neiman Marcus filed a petition for rehearing en banc, which is pending. If allowed to stand, the Seventh Circuit panel opinion confirms that the circuit split on the issue of standing in data breach class actions survives Clapper. Although the Supreme Court in 2012 denied a petition for writ of certiorari to address this question, Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012), it is anticipated that the Court may again be asked to resolve the circuit split in the near future. The panel opinion is troubling for businesses, which are also the victims in cyber attacks and had hoped, in the wake ofClapper, to receive some judicial relief from putative data breach class actions based on fear of future injury—as opposed to any concrete financial harm.

Also disturbing for both businesses and consumers is the implication that offers of credit monitoring, coupled with reimbursement of fraudulent charges, do little to foreclose a company’s class litigation exposure in the event of a data breach. There may yet be a silver lining for corporate defendants, as the panel remanded the case to the lower court to consider the retailer’s pending motion to dismiss for failure to state a claim. See, e.g.Moyer v. Michaels Stores, Inc., No. 14c561, 2014 WL 3511500, at *5 (N.D. Ill. July 14, 2014) (finding Article III’s standing requirement was met in a putative data breach class action notwithstanding Clapper, but granting motion to dismiss because the plaintiffs failed to allege actual monetary damages—a required element of their claims—as neither an increased risk of identity theft nor the purchase of credit monitoring services constitute cognizable monetary damages). Unless vacated on rehearing en banc, the panel opinion’s lenient view of Article III’s standing requirement, coupled with a recent circuit opinion rejecting a “heightened” ascertainability requirement, Mullins v. Direct Digital, LLC, No. 15-1776, 2015 WL 4546159 (7th Cir. July 28, 2015), may mark the Seventh Circuit as an emerging venue of choice for the plaintiffs’ class action bar.

Republished with permission by the American Bar Association
Class Actions & Derivative Suits Newsletter, ABA Section of Litigation, September 2015. © 2015 by the American Bar Association.

This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. 
Related Practices
Technology Cybersecurity and Privacy
Related Industries
Technology
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.