In Remijas v. Neiman Marcus Group, LLC, a decision issued on July 20, 2015, a Seventh Circuit panel concluded that customers who have been the victims of data breaches have standing to sue even before fraudulent charges appear on their cards when they allege an increased risk of future harm or harm-mitigation expenses. In so holding, the panel disagreed with an overwhelming majority of courts that have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact and, therefore, standing.
Remijas arose out of a 2013 hack of Neiman Marcus’s computer systems, which resulted in the unauthorized acquisition of credit card numbers. The three-judge panel, led by Chief Judge Diane Wood, held that both an increased risk of future harm resulting from a data breach and “mitigation expenses” satisfy the injury-in-fact requirement for standing. Such “mitigation expenses” include lost time and money incurred in resolving fraudulent charges and protecting against future identity theft, including money spent to purchase credit monitoring.
In reaching its decision, the Remijas court distinguished the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), on the basis that the risk at issue in that case—risk that communications between detainees and their lawyers were being monitored—was speculative, whereas the fact of the data breach in this case was real. The court concluded that at the pleading stage of the litigation, it was “plausible to infer that plaintiffs had made a showing of a substantial risk of harm,” thereby meeting the requisite threshold for injury-in-fact set forth in Clapper, because there was “an objectively reasonable likelihood that [identity theft or fraud] will occur.” The court explained, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The court further noted that while harm-mitigation measures do not always qualify as an injury for purposes of standing, the purchase of credit monitoring in the context of a data breach “easily qualifies as a concrete injury” because the threatened harm of a data breach is “imminent.” The court found it “telling in this connection” that in response to the breach, Neiman Marcus had offered one year of free credit monitoring.
Having found that the plaintiffs had alleged injury-in-fact in the form of increased risk of future harm and mitigation expenses, the court declined to decide whether the over-payment for Neiman Marcus products or the right to one’s personally identifiable information—a right that plaintiffs argued was granted to them by state data breach notice statutes—are “injuries” sufficient to establish Article III standing. The court, however, indicated that it was “dubious” whether those allegations, standing alone, would be sufficient.
Since the Supreme Court issued its 2013 decision in Clapper, defendants in data breach class action lawsuits have been successful in citing the case to support their arguments that victims lack Article III standing because their injuries are too speculative. Remijas marks the first time that a circuit court has addressed the issue following the Supreme Court’s Clapper decision and is contrary to decisions of other circuits on the issue. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (holding that data breach victims whose data has not been misused lack standing under Article III). While it remains to be seen whether other circuits will follow the lead of the Seventh Circuit on this issue, it is clear that for now, the Seventh Circuit is the most favorable venue for plaintiffs’ lawyers to file data breach class actions, and that the data breach docket of district courts in the Seventh Circuit is likely to grow.