On July 20, 2015, the U.S. Court of Appeals for the Seventh Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. The issue of Article III standing, in the context of data breaches, has been examined by a number of courts related to the Home Depot breach, the Target breach as well as a number of other similar cases. The roots of this argument are found in the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, which requires that a plaintiff must allege a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. To date, a number of courts have dismissed data breach cases because they lacked standing, as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative to survive a motion to dismiss.
In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class member lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”
In reversing the District Court, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”
Since this decision, a number of commentators have argued that the Neiman Marcus decision will breathe new life into data breach litigation. While the Neiman Marcus decision is important on the issue of Article III standing, there are a number of cases that could have a greater impact on data breach litigation. For example, the Seventh Circuit identifies one important case in its Neiman Marcus decision, “We note that these allegations go far beyond the complaint about a website’s publication of inaccurate information, in violation of the Fair Credit Reporting Act, that is before the Supreme Court in Spokeo, Inc. v. Robins.”
As previously reported, even though the Spokeo case does not involve a data breach, it still could have an immediate impact on data breach litigation. That is, if the U.S. Supreme Court were to rule in favor of the plaintiffs in Spokeo, it could potentially lower the threshold for plaintiffs to establish standing in data breach claims. Developments in Spokeo can be monitored on the Supreme Court’s blog. Consequently, while the Neiman Marcus decision is important, it may be tempered by the Supreme Court’s decision in Spokeo.