The Seventh Circuit reversed the Federal District Court for the Northern District of Illinois, Eastern Division, which had held that Neiman Marcus cardholders who fell victim to a data breach, but had either been compensated by their credit card companies for any fraudulent activities or had not suffered fraudulent activities on their accounts at all, did not have standing to bring a putative class action against the retailer.
The Seventh Circuit disagreed, finding that the cardholders did have standing: the allegation of impending future harm and the concrete injury they had suffered in taking steps to mitigate or prevent that harm is sufficient to satisfy the requirements of Article III. In so holding, the court rejected the district court’s “overreading” of Clapper v. Amnesty Int’l USA, which has buttressed many 12(b)(1) dismissals in data breach class action suits. In Clapper, the Supreme Court found that a group of human rights organizations could not assert standing based on suspicions that the government had intercepted their communications with terrorists. The Seventh Circuit urged the lower courts to recognize an important distinction between mere suspicion of injury and a “substantial risk” of injury. Substantial risk of injury, the court held, was not “jettison[ed]” by the Supreme Court, since a substantial risk “may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” The court accordingly held that in the case of a data breach, where “the purpose . . . is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” plaintiffs may properly assert Article III standing based on a substantial risk of injury.