In Remijas v. Neiman Marcus Group, LLC, a decision issued on July 20, 2015, a Seventh Circuit panel concluded that customers who have been the victims of data breaches have standing to sue even before fraudulent charges appear on their cards when they allege an increased risk of future harm or harm-mitigation expenses. In so holding, the panel disagreed with an overwhelming majority of courts that have dismissed data breach consumer class actions at the outset due to a lack of cognizable injury-in-fact, and, therefore standing.
Remijas arose out of a 2013 hack of Neiman Marcus’s computer systems, which resulted in the unauthorized acquisition of credit card numbers. The three-judge panel, led by Chief Judge Diane Wood, held that both an increased risk of future harm resulting from a data breach and “mitigation expenses” satisfy the injury-in-fact requirement for standing. Such “mitigation expenses” include lost time and money incurred in resolving fraudulent charges and protecting against future identity theft, including money spent to purchase credit monitoring.