In a ruling that could provide an important boost future consumer data breach class action litigation, the Seventh Circuit has reinstated the Neiman Marcus data breach lawsuit, ruling that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. As Alison Frankel said about the appellate court’s ruling in her July 21, 2015 post on her On the Case blog entitled “The Seventh Circuit Just Made it A Lot Easier to Sue Over Data Breaches” (here), “this is a really consequential decision.” The Seventh Circuit’s July 20, 2015 opinion in the Neiman Marcus case can be found here.
On January 10, 2014, retailer Neiman Marcus announced that between July 16, 2013 and October 30, 2013, its customers’ credit card information had been exposed as a result of hackers’ intrusion into its data systems. Data from 350,000 cards were potentially exposed. About 9,200 of the 350,000 cards were used fraudulently. The company notified all customers who had shopped in its stores between January 2013 and January 2014 of the data breach and offered the customers one year of free credit monitoring and identity-theft protection.
In response to the breach notification, several Neiman Marcus customers filed a class action complaint on behalf of all those whose credit card information had been exposed by the breach. The plaintiffs’ complaint alleged claims of negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.
The company moved to dismiss the complaint, arguing that because the plaintiffs could not allege any actual, present injuries, they lacked standing to pursue their claims under Article III of the U.S. constitution. (In order to establish Article III standing, the party seeking to sue must personally have suffered some actual or threatened injury that can fairly be traced to the challenged action of defendant and that is likely to be redressed by a favorable decision.) The plaintiffs alleged various types of actual injuries, mostly relating to the lost time and aggravation associated with dealing with the breach. The plaintiffs also allege that they have standing based on two “imminent injuries”: an increased risk of future fraudulent charges and greater susceptibility to identity theft.
In reliance on the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International U.S.A. (here), which held that “allegations of future injury are not sufficient” to establish Article III standing, the district court granted the company’s motion to dismiss. The plaintiffs appealed the dismissal to the Seventh Circuit.
The July 20 Opinion
On July 20, 2015, in an opinion written by Chief Judge Diane Wood for a unanimous three-judge panel, the Seventh Circuit reversed the dismissal and remanded the case to the district court for further proceedings.
In discussing the Article III standing issue, the Seventh Circuit said that “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries.” The Court quoted the Clapper decision as having said that “in some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid the harm.” The appellate court also noted that in a 2014 district court ruling in a data breach lawsuit involving Adobe Systems, the district court had found the “substantial risk” of harm to be sufficient to support Article III standing.
The Seventh Circuit said that the Neiman Marcus customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The court added that “at this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” noting that “presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identity.”
The Seventh Circuit also concluded that the plaintiffs had standing because some plaintiffs had paid for credit monitoring services, but declined to decide whether other alleged harms (such as the overpayment for Neiman Marcus products or the harm to their property rights in their personal information) were sufficient. The appellate court also concluded that the plaintiffs’ allegations satisfied two additional standing requirements, finding that their alleged injuries were traceable to Neiman Marcus and that their alleged harm could be redressed in the litigation.
For a time it seemed as the Supreme Court’s Clapper decision provided data breach class action lawsuit defendants with a reliable defense, because it afforded them the means to argue that data breach victims lacked Article III standing. To be sure, Clapper would not provide a defense against plaintiffs who had in fact sustained actual injuries, in terms of actual monetary expenses or other harms. But because the vast majority of most putative class members cannot demonstrate this type of actual harm, Clapper arguably provided the defendants with a legal escape route.
In the Neiman Marcus case, the Seventh Circuit said that, notwithstanding Clapper, the exposure of the customers’ credit card information was sufficient to satisfy constitutional standing requirements. As Alison Frankel said in her blog post about the appellate court’s ruling, “it’s the first time a federal appeals court has looked at a data breach class action that was dismissed because the trial judge said it fell short of Clapper standing requirements.” Rather than concluding that Clapper precluded the plaintiffs’ suit, the appellate court said that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” In holding that these plaintiffs’ claimed imminent injuries were sufficient to satisfy Article III standing requirements, the Seventh Circuit is basically saying that the theft of the customers’ credit card information alone is sufficient to satisfy constitutional standing requirements.
The appellate court’s ruling is of course only binding within the Seventh Circuit itself, but as the first circuit court decision on the issue, it is likely to be influential on district courts in other circuits. To the extent the district courts in other circuits find the Seventh Circuit’s ruling to be persuasive, it could eliminate one of the data breach lawsuit defendants more reliable means of trying to get the lawsuits dismissed.
This development arguably means that the lawsuits that now almost inevitably follow high profile data breaches could be more dangerous for the defendants – and, it should be added for readers of this blog, for their insurers, as well.
As you might expect, plaintiffs’ lawyers are pretty excited about the Seventh Circuit’s ruling. One press report quotes a plaintiffs’ attorney as describing the Neiman Marcus decision as “groundbreaking” and “a monumental win for all current and future data breach victims.”
You can chose your preferred adjectives to describe the case, but any way you slice it, this decision could prove to be a very big deal in the world of consumer data breach litigation.
Danielle Citron wrote a very interesting July 21, 2015 column about the Neiman Marcus decision for Forbes, which can be found here.
More About Class Action Litigation and Article III Standing: The question of standing for future injuries under Clapper is only one of the important threshold class action lawsuit issues circulating right now. The other current hot topic in the class action litigation arena is whether Congress may confer Article III standing on a plaintiff who had suffered no specific or concrete harm but who alleges a violation of a federal statute. This issue will come before the U.S. Supreme Court next term in the Spokeo case (which I discussed in an earlier post, here). In that case — which the Seventh Circuit in its recent opinion expressly distinguished from the Neiman Marcus case — the Supreme Court will examine whether a website’s publication of inaccurate information, in violation of the Fair Credit Reporting Act, is sufficient to meet Article III standing requirements.
A July 14, 2015 memo from the LeClair Ryan law firm discussing the possible impact of the Spokeo case on data breach class action litigation can be found here.
Another U.S. Securities Suit Arising out of an Overseas Bribery Investigation: As I noted in a recent post, there has been a rash of securities class action lawsuits filed this year against non-U.S. companies relating to corruption investigations against the companies in their home countries. You can now add another case to this growing list, as well as the burgeoning list of companies sued in U.S. securities laws based on allegations arising out of the Petrobras bribery scandal in Brazil.
As reflected in their lawyers’ July 22, 2015 press release (here), plaintiffs have filed a securities class action lawsuit in the Southern District of New York against Centrais Elétricas Brasileiras S.A. (Eletrobras) and certain of its directors and officers, based on alleged misrepresentations relating to the bribery investigation in Brazil. As discussed in recent press reports, in May, the company announced that testimony given in connection with the Petrobras investigation alleged that the CEO of Eletrobras Thermonuclear, a wholly owned subsidiary of Eletrobras, received illegal payments from companies bidding on a power plant project. In June, the company announced that it had hired an outside law firm to investigate possible violations of the Foreign Corrupt Practices Act at the company, as well as possible violations of the company’s Code of Ethics.
With this latest lawsuit, there have now been a total of three securities class action lawsuits filed in the U.S. against Brazilian companies based on allegations relating to the Petrobras bribery investigation in Brazil: first, in December 2014, there was the lawsuit filed against Petrobras itself (here); then earlier this month there was the lawsuit filed against Braskem (here); and now there is this latest lawsuit against Eletrobras. As I have noted elsewhere, these developments, and the related claims, have had a very disruptive effect on the Brazilian D&O insurance market.