For years, data-breach plaintiffs have faced a huge barrier to obtaining relief in court: many courts have dismissed their complaints because they have been unable to demonstrate actual harm (or “concrete and particularized injury,” in lawyer-speak)—and actual harm is generally a requirement to have standing in federal court. Many of these plaintiffs were able to show only a threat of future harm.
But a recent decision by the Seventh Circuit Court of Appeals (Remijas v. Neiman Marcus Group, LLC) may change all this. In this case, which arose out of a 2013 breach of Neiman Marcus customer payment-card data, the plaintiffs alleged two imminent injuries: “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” To support their “imminence” arguments, the plaintiffs pointed out that the theft of payment-card data was undisputed, and that 9,200 victims had already incurred fraudulent charges or other harm. The plaintiffs also pointed out that significant costs are involved in responding to payment-card data theft, such as lost time pursuing relief for unauthorized charges, resetting auto-payment settings, and monitoring credit scores.
Despite these arguments, the federal district court rejected the plaintiffs’ standing arguments and dismissed their lawsuit.
On appeal, however, the Seventh Circuit held that the plaintiffs’ alleged imminent injuries could satisfy their burden to demonstrate standing if they showed “a substantial risk of harm from the Neiman Marcus data breach.” In other words, “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
The Seventh Circuit’s holding is a departure from many other cases that dismissed data-breach complaints because the plaintiffs’ risk of harm was too remote or indefinite, even if the plaintiffs had incurred costs in the form of lost time and credit-monitoring services.
The Seventh Circuit’s reasoning is as follows: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The court also pointed out that the plaintiffs “have already lost time and money protecting themselves against future identity theft and fraudulent charges … An affected customer, having been notified by Neiman Marcus that her card is at risk, might think it necessary to subscribe to a service that offers monthly credit monitoring. It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”
Given this decision, we can expect the already busy area of data-breach litigation to continue expanding. If you have any questions or concerns, please let us know!
A copy of the Neiman Marcus decision may be found here.