The Seventh Circuit Court of Appeals’ recent ruling in Remijas v. Neiman Marcus, 2015 U.S. App. LEXIS 12487 (7th Cir. July 20, 2015), reversed the lower court and held that customers of luxury retailer Neiman Marcus had alleged sufficient injury to demonstrate their constitutional standing despite the fact that only a portion of the putative class had actually been subject to fraudulent charges.
The 2013 U.S. Supreme Court decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), which interpreted Article III standing requirements for damages to be “certainly impending,” is routinely the basis of data breach class action defendants’ efforts to challenge the plaintiffs’ constitutional standing. Defendants argue that while the plaintiffs’ personal data may have been compromised, there are no actual damages since individual plaintiffs do not typically pay for credit monitoring, fraudulent charges or credit card replacement costs.
Multiple class-action complaints were filed against Neiman Marcus following its 2013 data breach. The matters were consolidated in June 2014 under four named plaintiffs alleging four different categories of actual injury: (1) lost time and money resolving fraudulent charges; (2) lost time and money protecting against future identity theft; (3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity; and (4) lost control over the value of their personal information. The plaintiffs also alleged a likelihood of imminent future injury based on an increased risk of future fraudulent charges and a greater susceptibility to identity theft.
In September 2014, the U.S. District Court for the Northern District of Illinois in Chicago dismissed the case for lack of Article III standing based primarily on the principles set forth by Clapper.
In its reversal, the appellate court first found that the 9,200 putative class members who actually incurred fraudulent charges had demonstrated a concrete injury, despite already being reimbursed for those charges, because they had “suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” This is not really a departure from prior data breach cases as courts have long held that remediation expenses arising from an actual, concrete injury are, themselves, considered a concrete injury.
With respect to the approximately 340,000 other putative class members the Court expressed...