As 2016 begins, questions over standing in data breach class actions remain. In 2015, the Seventh Circuit denied retailer Neiman Marcus’s petition for rehearing en banc of a panel opinion holding that plaintiffs whose credit card information was stolen in a data breach had standing to sue under Article III of the United States Constitution on the basis of alleged fear of future identity theft. See Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. July 20, 2015), reh’g denied, (Sept. 17, 2015). In denying the petition for rehearing, the Seventh Circuit confirmed that the circuit split on standing in data breach class actions survives Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), in which the Supreme Court held that, in order to satisfy Article III, any alleged “future harm” must be “certainly impending” and that “allegations of possible future injury are not sufficient.” The due date for the retailer’s petition for writ of certiorari has been extended to Feburary 14, 2016.
In 2015, the Supreme Court heard oral argument on the scope of Article III standing in two cases that may be of interest to those monitoring data breach class actions. In Spokeo, Inc. v. Robins, No, 13-1339,the Court has been asked to address this: “Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.” In Tyson Foods, Inc. v. Bouaphekeo, No. 14-1146, the Court was petitioned to resolve the question of “whether a class action may be certified or maintained under Rule 23(b)(3) … when the class contains hundreds of members who were not injured and have no legal right to any damages.” A ruling narrowly construing the Article III standing requirement in these cases would bode well for the defense bar, as well as be a blow to class counsel—who have sought to distinguish the Court’s precedent in Clapper as factually inapposite to class actions.
Given the current circuit split on standing in data breach class actions, many cases have settled. In early December 2015, retail giant Target received preliminary approval of a class settlement of the remaining financial institution class claims for approximately $39 million—of which $20.25 million will go to directly to the settlement class ($19.75 million to the settlement class escrow account, and $500,000 to cover settlement notice and administration) and of which $19.1 million will cover MasterCard’s final account data card recovery assessment. See In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 2, 2015). This payment followed the court’s order certifying claims of the financial services class and is in addition to a reported $67 million that the retailer had already agreed to pay to settle claims by banks that issued Visa cards compromised in the breach.
In late November, the court granted final approval of Target’s settlement of the consumer class claims; an objector has filed a notice of appeal to the Eighth Circuit. Home Depot, the hardware store chain, has also reportedly reached a tentative settlement with MasterCard and issuers comprising over 80 percent of the MasterCard branded payment cards potentially impacted by the breach; the settlement is said to “provide[] for payment of an amount equal to the full amount these banks could recover as a result of [MasterCard’s] assessment [of payments attributable to the breach] plus a 10% premium, provided that banks accounting for at least 65% of the potentially affected M[aster]C[ard] issued accounts opt into the settlement and release their claims against Home Depot.”
What will happen in 2016? Will we see more cases filed? More settlements? Will anticipated Supreme Court rulings be a boon for the plaintiffs’ bar or for the defense? Stay tuned for more developments.