Change in the Prevailing Winds in Consumer Data Breach Cases?
Seventh Circuit Rules Consumers Have Standing to Sue in Neiman Marcus Payment Card Data Breach Case
In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing. The appellate panel held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit. The district court, following Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013), had construed plaintiffs’ allegations of potential future harms to be too remote to confer standing. The Seventh Circuit distinguished Clapper, finding that Clapper does not foreclose suit based on all future harm, just suit based on speculative future harm. Unlike Clapper, which concerned potential NSA interceptions of the plaintiffs’ communications, Remijas alleged actual theft of payment card data, making the potential for misuse of that information, in the Seventh Circuit’s view, not unduly speculative. Accordingly, costs to avoid potential injury to consumers’ credit were deemed cognizable harm for purposes of Article III standing.
In so ruling, the Seventh Circuit breaks with recent decisions that had relied on Clapper to dismiss consumer data breach claims, see, e.g., Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013), and instead joins with First Circuit in recognizing consumer standing to sue based costs to mitigate potential credit impairment or injury flowing from a data breach, see Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011). Recent district court decisions also finding consumer standing to sue in payment card breach cases include In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) (“Adobe Systems”); and In re Target Corp. Data Sec. Breach Litig., MDL No. 14-2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014).
As previously noted in this space, the September 2014 decision in Adobe Systems marked a departure from cases following Clapper with respect to the issue of consumer standing in data breach cases. Decisions like Adobe may be driven by a perception that data theft is a growing problem that requires judicial redress, even in the absence of out-of-pocket losses resulting from a data breach. As we wrote in December:
In the event that 2015 sees a level of data breach activity commensurate with that seen in 2014, a perception that payment card data has become less secure could erode courts’ willingness to construe standing requirements strictly. Courts could conclude that it is better to follow the rationale in Adobe than to deprive potential plaintiffs of a remedy in the face of a significant and growing problem, even though that problem . . . seldom imposes real costs on consumers.
If decisions distinguishing Clapper do indeed represent a growing trend in the lower courts to liberalize standing in consumer data breach cases, that trend is contrary to the current direction of the Supreme Court. The Court has signaled reluctance to find that non-pecuniary injuries can give rise to Article III standing, both in Clapper and in its recent decision to grant certiorari to hear the appeal in Spokeo, Inc. v. Robins, No. 13-1339. The question certified in Spokeo is whether “Congress may confer Article III standing upon a plaintiff who suffers no concrete harm . . . by authorizing a private right of action based on a bare violation of a federal statute.” A ruling in Spokeo that concrete injury is required for Article III standing is expected to have far-reaching effects on the question of standing across a broad range of federal litigation.
The Seventh Circuit was careful to distinguish the standing issue before it in Remijas from the issue presented in Spokeo, and it is unlikely that the Supreme Court’s resolution of whether a statutory violation confers standing would have any effect on the standing question decided in Remijas. A decision to reverse in Spokeo could nonetheless augur receptiveness to an arguments limiting standing, such as the argument that Clapper should be extended to consumer data breach claims. Even so, a resolution of the current split in authority on standing in consumer data breach cases will likely have to await a circuit court holding that Clapper requires dismissal of consumer data breach claims, which would then create a circuit court split that would posture the issue for resolution by the Supreme Court.