Seventh Circuit Rules Consumers Have Standing to Sue in Neiman Marcus Payment Card Data Breach Case
In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing. The appellate panel held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit. The district court, following Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013), had construed plaintiffs’ allegations of potential future harms to be too remote to confer standing. The Seventh Circuit distinguished Clapper, finding that Clapper does not foreclose suit based on all future harm, just suit based on speculative future harm. Unlike Clapper, which concerned potential NSA interceptions of the plaintiffs’ communications, Remijas alleged actual theft of payment card data, making the potential for misuse of that information, in the Seventh Circuit’s view, not unduly speculative. Accordingly, costs to avoid potential injury to consumers’ credit were deemed cognizable harm for purposes of Article III standing.
In so ruling, the Seventh Circuit breaks with recent decisions that had relied on Clapper to dismiss consumer data breach claims, see, e.g., Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013), and instead joins with First Circuit in recognizing consumer standing to sue based costs to mitigate potential credit impairment or injury flowing from a data breach, see Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011). Recent district court decisions also finding consumer standing to sue in payment card breach cases include In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) (“Adobe Systems”); and In re Target Corp. Data Sec. Breach Litig., MDL No. 14-2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014).
As previously noted in this space, the September 2014 decision in Adobe Systems marked a departure from cases following Clapper with respect to the issue of consumer standing in data breach cases. Decisions like Adobe may be driven by a perception that data theft is a growing problem that requires judicial redress, even in the absence of out-of-pocket losses resulting from a data breach. As we wrote in December:
In the event that 2015 sees a level of data breach activity commensurate with that seen in 2014, a perception that payment card data has become less secure could...
