An increase in data breach class actions could be the result of a recent decision of the Seventh Circuit holding that allegations of future harm stemming from a data breach can establish Article III standing. The majority of federal courts that have addressed the issue have found that allegations of potential future harm resulting from identity theft are insufficient to confer standing in federal court, even where plaintiffs have spent money protecting against such possible harm. The Seventh Circuit joins the Ninth Circuit in holding plaintiffs alleging such harm have standing to pursue their claims in federal court.

Plaintiffs in Remijas v. Neiman Marcus Group, LLC, were customers of Neiman Marcus, whose credit card numbers were stolen by hackers in a 2013 data breach. Plaintiffs filed a class-action complaint asserting various theories of liability including negligence, invasion of privacy and violation of state data breach laws. The district court dismissed the complaint after finding plaintiffs lacked standing.

The Seventh Circuit reversed, holding that “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.” The court likened the case to a recent data breach involving Adobe, wherein the U.S. District Court for the Northern District of California declared that “the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real.” The fact that the data breach was the result of a malicious attack by hackers—as opposed to the accidental loss of data through inadvertence or negligence—heightened the danger of future harm, according to the Seventh Circuit. “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such injury will occur,” the Court wrote.  

The Court also ruled that the plaintiffs’ allegations of lost time and damages flowing from the expenditure of money to protect themselves from future identity theft and fraudulent charges, including monitoring their credit, qualified as actual injuries because the harm is substantially likely. The Court found it significant that Neiman Marcus offered credit monitoring and identity-theft protection to customers affected by the breach, noting it “is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” 

In finding that the plaintiffs’ claims were sufficient to establish Article III standing, the Court rejected Neiman Marcus’ argument that plaintiffs cannot show their injuries are fairly traceable to the data breach—as opposed to one of the other large-scale breaches that occurred around the same time. The Court noted that, while this may be a valid defense, the mere fact that another store might have caused the data breach does not negate plaintiffs’ standing to sue. The Court also rejected Neiman Marcus’ claim that plaintiffs had not suffered any compensable injuries because they had been reimbursed for fraudulent charges, noting that such reimbursement did not cover injuries for mitigation expenses or future harm.

The Seventh Circuit’s opinion in Remijas furthers a growing Circuit Court split over the viability of data breach class actions premised on the fear of future harm from identity theft, and is likely to lead to an increase in data breach class actions in cases involving hacking. Armed with this case, plaintiffs’ lawyers are likely to argue that the act of hacking itself makes it substantially likely that victims will suffer fraud and/or identity theft.

Members of Ballard Spahr’s Privacy and Data Security Group and Consumer Financial Services Group regularly advise financial institutions on compliance with data security and privacy issues, including counseling companies about any applicable information security laws and regulations, providing guidance on cybersecurity policies and procedures as well as breach response plans, and advocating on behalf of companies facing breach-related litigation.

If you have questions, please contact Privacy and Data Security Group Practice Leaders Daniel JT McKenna at 215.864.8321 or mckennad@ballardspahr.com, Philip N. Yannella at 215.864.8180 or yannellap@ballardspahr.com, or Suzanne O. Lufadeju at 215.864.8213 or lufadejus@ballardspahr.com. 


Copyright © 2015 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practice

Class Action Litigation
Consumer Financial Service
Litigation
Privacy and Data Security