The Seventh Circuit Allows Data Breach Class Action Plaintiffs to Breach the Barriers to the Court

Until now, the majority of courts around the Country have dismissed data breach plaintiff class actions based on lack of standing because such plaintiff’s injuries were too speculative. On July 20, 2015, the Seventh Circuit, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814 (7^th Cir. July 20, 2015), reversed the Federal District Court for the Northern District of Illinois, Eastern Division, which held that cardholders of retail department store who fell victim to a data breach (and either suffered no injury or were reimbursed by their credit card companies for any fraudulent activities that occurred) did not have the standing to bring a putative class action against Neiman Marcus.

In issuing its opinion, the Seventh Circuit found that the cardholders did, in fact, have standing. How did they make this determination, you ask? The allegation of impending future harm and the concrete injury they had suffered in taking steps to mitigate or prevent that harm, the Seventh Circuit found, is sufficient to satisfy the requirements of Article III. In doing so, the court rejected the district court’s “overreading” of Clapper v. Amnesty Int’l USA, 133 S.Ct. 1139 (2013), an oft-cited case in data breach class actions. In Clapper, the U.S. Supreme Court found that a group of human rights organizations did not have standing based on their suspicions that the government was intercepting their communications with terrorists. The Seventh Circuit pointed out the distinction between a “suspicion of injury” and a “substantial risk” of injury. The latter, the court held, was not “jettison[ed]” by the Supreme Court, since a substantial risk “may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm”.

The court further noted, however, that while harm-mitigation measures do not always qualify as an injury for standing purposes, the purchase of credit monitoring where a data breach has occurred, “easily qualifies as a concrete injury” because the threatened harm is “imminent”.

Neiman Marcus is not the first retailer to be the subject of a data breach, nor will they likely be the last. Comparatively speaking, the 350,000 credit card numbers that were exposed was a relatively minor breach. Of those 350,000, approximately 9,200 of those credit cards were used fraudulently in the months following the breach. Once they learned of the breach, four card holders of the retailer brought the putative class action alleging negligence, violation of data protection laws, and invasion of privacy.

Potentially, the Seventh Circuit’s decision could change the landscape of data breach cases should other circuits follow its lead. It is important to note, however, that although this decision allows such plaintiffs a foot in the door, they will still need to get through class action certification where they will need to show their injuries.

If you or your institution has any questions or concerns regarding cybersecurity related issues, please email Cynthia A. Augello at caugello@cullenanddykman.com or call her at 516-357-3753.