Several plaintiffs filed putative class action lawsuits, which were consolidated in the U.S. District Court for the Northern District of Illinois. The plaintiffs alleged actual injuries for lost time and money to resolve the fraudulent charges and protect against future fraud, lost money in purchasing Neiman Marcus items they would not have purchased had they known of the store’s cybersecurity practices, and loss of control over their personal information. They also alleged imminent injuries of “increased risk of future fraudulent charges and greater susceptibility to identity theft.”
Neiman Marcus moved to dismiss the complaint under Rules 12(b)(1) and 12(b)(6) for lack of standing and failure to state a claim, arguing that consumers could not establish standing based on potential future injuries or the costs incurred to prevent future injuries. The district court granted the motion on standing grounds only and dismissed the complaint without prejudice.
Article III and “Substantial Risk” of Harm
The U.S. Court of Appeals for the Seventh Circuit reversed and remanded. Though the appellate court declined to decide whether overpayment for the Neiman Marcus items or invasion of the right to control personal information were actionable injuries, it held that “[t]he injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” satisfied Article III. The Remijas court reasoned that it could plausibly be inferred that there was a substantial risk of harm to the plaintiffs since the purpose of the data theft was to make fraudulent charges or commit identity theft. The appellate court also found it “telling” that Neiman Marcus provided one year of credit monitoring and identity theft protection in response. Under those circumstances, the appellate court concluded that the plaintiffs’ future injuries were not merely speculative, but “certainly impending,” which is the standard for establishing Article III standing for future injuries under Clapper v. Amnesty International, USA.
In Clapper, human rights organizations attempted to challenge the constitutionality of the Foreign Intelligence Surveillance Act (FISA), but could not show that any of their communications had been intercepted. The U.S. Supreme Court held that mere suspicion that interception might have occurred was too speculative to support standing.
Significantly, the majority of courts that have addressed standing in the data breach context have relied upon Clapper to dismiss other such lawsuits. In diverging from this trend, the Remijas court sought to distinguish Clapper, noting that there was no dispute that the data breach had occurred.
A Blueprint for Future Data Breach Cases?
Though it remains to be seen whether courts outside the Seventh Circuit will follow its lead, Section of Litigation leaders agree that Clapper and Remijas are distinguishable. “The facts related to the harm in Clapper were more attenuated and required the court to speculate what the damage would be if another set of events happened and resulted in a substantial risk of harm,” explains Amy M. Stewart, Dallas, TX, cochair of the Section’s Business Torts & Unfair Competition Committee. “However, in this case, there is no dispute that the data breach which led to the substantial risk of future harm to the customers did occur. In fact, the hackers already misused the confidential information of several customers,” she observes.
Nonetheless, the Seventh Circuit “assumes people only steal things in order to exploit them. There may be multiple reasons why the hackers did what they did and some of them might be for espionage purposes and they may not be exploited for material purposes,” explains Harvey Rishikof, Washington, D.C., cochair of the ABA’s Cybersecurity Legal Task Force. “In analyzing this case in the future, part of the inquiry will likely be, ‘Is the court’s assumption correct?’” he adds.
The case also sheds light on how plaintiffs’ and defense counsel should proceed with data breach litigation. “Defense counsel should advise clients to act proactively to handle data breaches, even though these acts, as shown in Remijas, serve as evidence of the reasonable likelihood of injury,” suggests Stewart. “They should advise customers of the breach in a timely fashion so all parties can protect themselves from future misuse of the hacked information,” she emphasizes.
For plaintiffs’ attorneys, this “is the blueprint to surviving a motion to dismiss on Article III grounds, and they should craft their arguments to fall in line with the Seventh Circuit’s decision,” Stewart concludes.
Robert T. Denny is an associate editor for Litigation News.