The Seventh Circuit reversed the Federal District Court for the Northern District of Illinois, Eastern Division, which had held that Neiman Marcus cardholders who fell victim to a data breach, but had either been compensated by their credit card companies for any fraudulent activities or had not suffered fraudulent activities on their accounts at all, did not have standing to bring a putative class action against the retailer.
The Seventh Circuit disagreed, finding that the cardholders did have standing: the allegation of impending future harm and the concrete injury they had suffered in taking steps to mitigate or prevent that harm is sufficient to satisfy the requirements of Article III. In so holding, the court rejected the district court’s “overreading” of Clapper v. Amnesty Int’l USA, which has buttressed many 12(b)(1) dismissals in data breach class action suits. In Clapper, the Supreme Court found that a group of human rights organizations could not assert standing based on suspicions that the government had intercepted their communications with terrorists. The Seventh Circuit urged the lower courts to recognize an important distinction between mere suspicion of injury and a “substantial risk” of injury. Substantial risk of injury, the court held, was not “jettison[ed]” by the Supreme Court, since a substantial risk “may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” The court accordingly held that in the case of a data breach, where “the purpose . . . is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” plaintiffs may properly assert Article III standing based on a substantial risk of injury.
Forbes Business provides an overview of the case, calling this decision “good news for data breach victims, for a change.” Similarly optimistic, Alison Frankel of Thomson Reuters says that thanks to this opinion, plaintiffs-side attorneys will no longer need to resort to “artful drafting” to avoid Clapper, which was until now considered the “silver bullet for data breach defendants.”
Neiman Marcus was one of at least three retailers whose consumer credit card data was hacked in 2013. Approximately 350,000 credit card numbers were exposed, and 9,200 of those credit cards were used fraudulently in the months following the breach. Upon learning of the breach, four Neiman Marcus credit card holders brought a putative class action suit against the retailer claiming, inter alia, negligence, invasion of privacy, and violation of data protection laws. Relying on Clapper, the Federal District Court for the Northern District of Illinois dismissed the putative class’s suit for lack of Article III standing. In reversing the district court’s decision, the Seventh Circuit asserted that Clapper does not consummately bar consumers from bringing suit based on substantial risk of future injury. The court found that both the 9,200 plaintiffs whose cards had already been used fraudulently and the approximately 340,800 who were at risk faced a substantial risk of future injury: the steps taken to monitor one’s credit score, change account numbers, and for those whose cards were stolen, deal with (potentially insufficient) reimbursement of fraudulent charges, is particularized injury enough.
This case will change the landscape for data breach cases in the Seventh Circuit and in any other jurisdictions that choose to follow its lead, but it isn’t a guaranteed win for consumers. As David Almeida and Mark Eisen of Sheppard Mullin Richter & Hampton point out in their article featured in the National Law Review, data breach class actions may no longer get hung up at the Article III stage, but class certification may be more difficult as plaintiffs choose to assert one or more of the many particularized injuries proffered by the Seventh Circuit.
Brittany Doyle is a 2L at the Harvard Law School.