by Brent Tuttle, CIPP/US, E*
Recently, the 7th Circuit handed down a ruling in a data breach case that has class action plaintiffs’ attorneys poppin’ bottles. The case is Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).
Between July 16, 2013 and October 13, 2013, malware found its way onto the Neiman Marcus computer systems. This potentially exposed 350,000 credit cards, 9,200 of which were known to have been used fraudulently. (The Court of Appeal noted that all 9,200 fraudulent charges were subsequently reimbursed.)
The company discovered this breach January 1, 2014 and publicly disclosed it nine days later. The company offered all customers who shopped at Neiman Marcus between January 2013 and January 2014 one year of free credit monitoring and identity theft protection.
This announcement prompted a number of class action suits spearheaded by four individual plaintiffs who represent 350,000 other customers whose credit card information may have been stolen; the disclosures indicated that social security numbers and other PII had not been exposed. The complaint relies on several theories: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.
The company moved to dismiss the claim, arguing that the plaintiffs lacked Article III standing, a usually successful procedural tactic in data breach litigation. A litigant with standing to sue must have “suffered [a] concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). Plaintiffs alleged injuries relating to lost time, money, and aggravation in dealing with the breach, as well as “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Neiman Marcus at 6. The case was dismissed by the district court, based on the 2013 Supreme Court case Clapper v. Amnesty Int’l USA, which held that allegations of possible future injury are not sufficient.
Seventh Circuit’s Decision:
On July 20, 2015, in a unanimous decision by a three–judge panel, the Seventh Circuit reversed the district court’s decision. The Seventh Circuit stated “Clapper does not…foreclose any use whatsoever of future injuries.” In Clapper, the Supreme Court decided that Amnesty International did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because they could not show that their communications were actually intercepted by the government, but only that such interceptions might have occurred. This was too speculative to establish standing. However, Clapper left open what is known as the “substantial risk” standard, stating “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (2013). The Seventh Circuit ruled that the data breach plaintiffs alleged a sufficient substantial risk of harm.
The Seventh Circuit concluded that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonably likelihood’ that such an injury with occur.” Neiman Marcus at 9 (citing Clapper, 133 S. Ct. at 1147). Thus, the 350,000 Neiman Marcus customers whose information may have been stolen have standing to sue despite the fact that no real harm may ever come about. Or as Vietnam veteran Walter Sobchak might say, these plaintiffs may move forward based on “…what appears…to be a series of victimless crimes.”
Neiman Marcus represents a significant change in the tide for data breach litigation and as this is the first Court of Appeals to lower the bar for plaintiffs to gain standing, it may very well open up the floodgates elsewhere. This decision has the potential to send not just waves, but tsunamis, through the judicial system (at least within the Seventh Circuit). The ruling handed down in Neiman Marcus via “substantial risk” is distinct from past theories of injury previous courts have relied on dismissing data breach plaintiffs for lack of Article III standing. Past cases (some within the Seventh Circuit) had rejected the “clearly impending” theory of injury. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (holding “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”; see also Strautins v. Trustwave Holdings, Inc., No. 12-C-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); see also Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 468 (D.N.J. 2013).
However beyond the 7th Circuit, at least two cases in the Ninth Circuit have also afforded data breach plaintiffs standing through the substantial risk standard, one of which was cited in the Seventh Circuit’s opinion. See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014); see also In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-md-2258, 2014 WL 223677, at *9 (S.D. Cal. Jan. 21, 2014).
The Seventh Circuit’s justification upon which it placed the above reasoning is questionable. The court states “…it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” That is quite a presumption, is it not? How can anyone truly know the purpose behind a hack or data breach? There may be other purposes, such as causing fear itself, seeking to increase the costs of Neiman Marcus, or simply exploiting a security weakness because it is there. On remand, would this be a rebuttable presumption relegated to the damages phase of a trial?
Further, one wonders if the facts of the Neiman Marcus case will be extrapolated: Is there such presumption for the Sony breach? (Coincidentally a suit involving that breach has been allowed to move forward. See Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015)). What about the Office of Personnel Management breach? Is it plausible to presume any intent or motive with that incident? The enemies of the U.S. government may have different motives from the enemies of Neiman Marcus.
How about the Ashley Madison hack that was in the headlines earlier last week? Adult Friend Finder earlier this summer? These breaches certainly don’t seem to fit within the Seventh Circuit’s reasoning above. Those may have been primarily targeting the businesses, not the customers.
Another consideration is that hackers might take haystacks of data in order to identify the desirable needles. Can a court presume that a breach isn’t really targeting a needle as opposed to the entire haystack? And what sort of public policy does this promote by allowing the entire haystack a bite at the apple if it’s unknown whether they were ever actually harmed or the target thereof? The Seventh Circuit’s language in Neiman Marcus may just be a presumption, but it’s going to be an expensive presumption for data breach defendants to bear.
It is further problematic that the Seventh Circuit partially grounded its decision on the basis that “[i]t is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers whom it had contact information and who shopped at their stories between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Neiman Marcus at 11. It may be true that Neiman Marcus’s actions are unlikely a result of ephemeral risk. However, the Seventh Circuit ignored the fact that at least one state data breach law requires Neiman Marcus to pay for such services if offered (See Cal. Civ. Code § 1798.82(G)). Furthermore, many laws require that data breach notices provide the victim with information as to where they can obtain free credit reports (See VA. Code Ann. 18.2-186.6; see also Wash. Rev. Code § 42.56.590; see also W. Va. Code § 46A-2A-102.) It is a logical fallacy to conclude that Neiman Marcus’s actions, then, were related to an assessment of risk rather than statutory obligations.
There are other legitimate reasons, beyond risk, why Neiman Marcus would offer such services. First, it makes for good public relations, to give the appearance their response is proactive. Second, it typically renders moot the standard plaintiff’s claim that the breach forced them to purchase their own credit monitoring. However, the Seventh Circuit has challenged that tactic as well. On remand, the court not so subtly advises the district court to investigate how long stolen data puts consumers at risk (a question they will not find an answer to). It seems this will be used to assert whether the 350,000 potentially harmed customers will need credit monitoring services beyond the twelve months that Neiman Marcus has offered to pay for, something the Seventh Circuit says “easily qualifies as a concrete injury.”
It is troubling that the Seventh Circuit has utilized evidence that Neiman Marcus is taking measures to mitigate any further harm from the breach against them. Customarily, evidence of remedial measures is inadmissible to prove a breach of duty. Although it may be admissible as proof of harm (or standing), the prejudice may outweigh the probative value.
In sum, there is a “substantial risk” that we’ll see a lot more class action data breach suits getting filed under this new theory. This should make for some interesting developments in the field data breach litigation as most plaintiffs have not previously been able to get around the Article III standing issue. However, it’s hard to say whether the ruling will have a positive net impact on privacy for consumers, or merely just benefit plaintiffs’ attorneys looking for a payday. Legislative changes are also likely to impact the data breach class action landscape. Two things are almost certain to come out of the Neiman Marcus ruling: OPM is probably getting sued in the Seventh Circuit and it might be a good time to invest in Orville Redenbacher.
*Brent Tuttle is a Summer Associate at Randazza Legal Group