As I discussed in a recent post, on July 20, 2015, the Seventh Circuit issued its opinion in the Neiman Marcus consumer data breach class action lawsuit. In its opinion (a copy of which can be found here), the appellate court ruled that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. The court held that the impending injuries alleged were sufficient to support Article III standing.
In the following guest post, Micah Skidmore of the Haynes and Boone law firm takes a closer look at the decision and discusses some important insurance coverage issues that the court’s ruling about future injuries may present.
I would like to thank Micah for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Micah’s guest post.
The recent Neiman Marcus decision from the Seventh Circuit has lowered the bar for plaintiffs suing in the wake of a data breach. In addition to actual injury, future “impending” injuries substantiated by an “objective,” “substantial risk of harm” and actual costs incurred to prevent or mitigate “imminent” harm are sufficient to support Article III standing. While the Neiman Marcus decision may provide some clarity regarding standards of pleading and liability (at least for plaintiffs), for those defendants reliant on network security/privacy liability insurance to protect against data breach claims, the opinion prompts an urgent question: does my policy cover liability for future injuries and preventive measures?
The Neiman Marcus Decision
While much has already been written about the Neiman Marcus opinion,[i] a few contextual details are in order. In June 2014, four plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of approximately 350,000 other customers of Neiman Marcus, whose credit card numbers were exposed to malware between July and October 2013. Of the total number of customers implicated in the data breach, only 9,200 customers’ card numbers were known to have been used in fraudulent transactions.[ii]
The district court dismissed plaintiffs’ consolidated complaint for lack of standing. On appeal, the Seventh Circuit considered, among other things, whether two “imminent injuries” justified reversal: “an increased risk of future fraudulent charges and greater susceptibility to identity theft.”[iii] Writing for a three-judge panel, Chief Judge Wood confirmed that if the harm is “certainly impending” and the risk “substantial” or “concrete,” future, unrealized injuries are sufficient to meet the “injury-in-fact” requirement for Article III standing: the Neiman Marcus customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”[iv] Moreover, because the forthcoming injury was imminent, expenses intended to protect against identity theft and fraudulent charges also “qualif[y] as a concrete injury.”[v]
The Court did pause before embracing plaintiffs’ other injury arguments. Assertions that plaintiffs “overpaid for the products at Neiman Marcus because the store failed to invest in an adequate security system” or that the “loss of [customers’] private information, which they characterize as an intangible commodity,”[vi] constitutes an injury-in-fact were met with skepticism. But in the end, the Court refused to decide whether these losses qualified the class for Article III standing and instead based the reversal of the district court’s dismissal on the “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft.”[vii]
In addition to “injury-in-fact,” the Court briefly touched on the causation and redressability prongs of the Article III standing test. To Neiman Marcus’s argument that plaintiffs could not eliminate the possibility that their injuries were attributable to substantial data breaches at other retailers around the same time, Chief Judge Wood responded that plaintiffs had met their burden for “pleading purposes.”[viii] In doing so, however, the Court raised the possibility that causation could be presumed, subject to a showing by the defendant that its conduct was not the “but for” cause of the plaintiffs’ damages.[ix] The Court similarly rejected claims that corporate policies reimbursing consumers for fraudulent transactions made plaintiffs’ claims unredressable by judicial decision. Even if reimbursement for fraudulent charges were universal and unlimited, which is by no means the case, “mitigation expenses” and “future injuries” are redressable according to the Court.[x]
The Coverage Issue
Two out of the three standing issues reviewed by the Court in Neiman Marcus were resolved by reference to the potential future injuries and related mitigation expenses claimed by the underlying class of consumers. To avoid dismissal, future claimants—whether within or beyond the jurisdiction of the Seventh Circuit—harmed by data breaches past, present and future will undoubtedly include plenty of allegations of increased risk of fraudulent transactions and identity theft, as well as expenses incurred to reduce these imminent injuries. Defendants responding to these allegations will want to know not only whether such allegations meet Article III standing requirements, but also whether the terms of their network security/privacy liability policies cover the allegations and damages claimed. More broadly stated, the question becomes whether it makes any difference for purposes of coverage under a given “cyber” policy whether the damages claimed provide compensation for past injuries or are intended to redress anticipated future harm or preventive measures.
This issue of defining the boundaries of liability coverage for preventive measures is reminiscent of past disputes over coverage for so-called “prophylactic measures” in the environmental space. Years ago, courts, carriers and corporate policyholders were divided over whether CERCLA costs paid to prevent or mitigate environmental loss constituted “damages” under a CGL policy. Compare Maryland Cas. Co. v. Armco, Inc., 822 F.2d 1348, 1354 (4th Cir. 1987) (“In the absence of clear contract language or specific Congressional authorization in CERCLA, we decline to extend the obligations of insurance carriers beyond the well-illumined area of tangible injury and into the murky and boundless realm of injury prevention.”) with AIU Ins. Co. v. Superior Court, 799 P.2d 1253, 1272 (Cal. 1990) (“[E]ven if government response costs are incurred largely to prevent damage previously confined to the insured’s property from spreading to government or third party property (i.e., the costs are ‘mitigative’ in character), reimbursement of such costs constitutes ‘damages’ in ordinary terms.”). While a majority of courts adhere to a broad reading of “damages,” vestiges of these arguments persist in a variety of claims.
In 2008, for example, the Texas Supreme Court reviewed arguments by insurers seeking to avoid a duty to defend underlying class action complaints seeking headsets to eliminate exposure to so-called radio-frequency radiation allegedly connected with cellphone usage. Zurich Am. Ins. Co. v. Nokia, Inc., 268 S.W.3d 487, 494 (Tex. 2008). According to the insurers, “plaintiffs seek headsets, not damages, removing their claims from coverage.” Id. at 493.
While the Court ultimately found a duty to defend—on the basis of other damages alleged[xi]—the Nokia case is only one of many instances in which parties have debated distinctions between remedial and preventative measures for purposes of liability coverage. As history has a way of repeating itself, one can only (ironically) anticipate imminent and impending disputes between insurers and insureds over whether the future injuries and mitigatory expenses addressed in Neiman Marcus qualify as “damages” under the typical network security/privacy liability policy.
What to Do?
In the spirit of prophylactic measures, carriers and policyholders should not leave this issue to judges and juries but should proactively address coverage for preventative measures in the terms of their policies. Not all policies are created equal. One privacy and network liability form issued by a prominent carrier defines “damages,” for purposes of an insuring agreement for covered liability, to mean “compensatory damages, any award of prejudgment or post-judgment interest, and settlements which the Insured becomes legally obligated to pay on account of any Claim first made against any Insured during the Policy Period . . . .” Another security and privacy protection policy issued by a different, equally well-known carrier defines “damages” as “any amount, including judgments and settlements, pre- and post-judgment interest, the Insured is legally obligated to pay as a result of a Claim against the Insured.” If you are a policyholder defending against a suit alleging an imminent, albeit future risk of fraudulent transactions or identity theft, which policy would you prefer? Or, would you prefer neither in favor of a contract that expressly defines “damages” to include awards for the future risk of fraudulent transactions or identity theft or for fees for replacement cards, credit monitoring and similar avoidance efforts?
The Court’s review of Article III “causation” presents another potential underwriting discussion point. By way of example, the same definition of “damages” in a prominent privacy & network liability insurance policy includes a requirement that the “compensatory damages” be for or because of a “wrongful act.” Other common “cyber” liability forms connect “damages” with “claims,” not “wrongful acts.” If causation is presumed and the burden of proof belongs to the defendant insured to prove that another retailer’s data breach caused plaintiffs’ damages, where will the evidence come from to satisfy the insurer that sums claimed under the policy are damages the Insured is legally obligated to pay “for Wrongful Acts to which this Policy applies”? This may appear to be a hyper-technical point unworthy of commercial consideration, but (all other things being equal), which policy language would you prefer if you are a defendant insured?
Only time will tell whether consumer classes will be successful in recovering amounts for anticipated injuries and the cost of preventative measures associated with future cyber attacks. No one can say for sure whether insurers will challenge the character of such awards as covered “damages.” But in the absence of this knowledge, policyholders may want to borrow a page from the class action plaintiffs’ playbook by anticipating future injuries and employing preventive measures now, in the language of their policies. It may be that those insureds who do will, once again, have the greatest standing to bring claims when harmed.
Micah Skidmore is a partner in the Insurance Coverage Group at Haynes and Boone, LLP. Micah represents corporate policyholders in significant insurance coverage disputes, including assistance in recovering defense costs, settlements, judgments and other losses under various types of insurance policies. In addition to representing clients in general business litigation matters, Micah also advises clients on insurance and indemnity issues in corporate transactions, including mergers, acquisitions and real estate transactions.
[i] Remijas v. Neiman Marcus Group, LLC, 2015 WL 4394814 (7th Cir. July 20, 2015).
[ii] Id. at *1.
[iii] Id. at *3.
[iv] Id. at *4.
[v] Id. at *5 (“An affected customer, having been notified by Neiman Marcus that her card is at risk, might think it necessary to subscribe to a service that offers monthly credit monitoring. . . . It is also worth noting that our analysis is consistent with that in Anderson v. Hannaford Bros. Co., where the First Circuit held before Clapper that the plaintiffs sufficiently alleged mitigation expenses—namely, the fees for replacement cards and monitoring expenses . . . .”).
[vi] Id. at *6.
[vii] Id. at *7.
[viii] Id. (reasoning that the store’s admission that 350,000 cards were compromised and its efforts to notify affected customers “adequately raise the plaintiffs’ right to relief above the speculative level”).
[ix] Id. (“If there are multiple companies that could have exposed the plaintiffs’ private information to the hackers, then ‘the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the “but for” cause of the plaintiffs’ injury.’”).
[x] Id. at *8 (“[A] favorable judicial decision could redress any injuries caused by less than full reimbursement of unauthorized charges.”).
[xi] Nokia, 268 S.W.3d at 494 (“We need not decide, however, whether headsets qualify as damages, because although each of the complaints seek compensation for the cost of headsets, they also assert that the plaintiffs have been injured and seek damages based on their physical exposure to radiation.”); see also Voicestream Wireless Corp. v. Fed. Ins. Co., 112 Fed. Appx. 553, 555-56 (9th Cir. 2004) (“[T]he policies themselves do not define the term ‘damages.’ To the extent that seeking damages, in part, in the form of a headset neither clearly falls within a policy provision, nor is clearly excluded by the text of the policy, the policies are ambiguous. As with ‘bodily injury,’ this ambiguity must be construed against the Defendant Insurers.”).