Class Action Plaintiffs Have Standing Based on Actual Injuries and Costs of Mitigation Following Corporate Hacking, Says Seventh Circuit

The Court of Appeals for the Seventh Circuit recently held that class action plaintiffs alleging injuries due to corporate hacking scandals have standing to pursue those claims in federal court, based on both actual injuries suffered repairing damage done by fraudulent charges, as well as costs of mitigating potential future harm, such as credit monitoring. Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Circ. July 20, 2015). As with other cases that come to the same conclusion, the court placed great emphasis on the fact that the data thieves were specifically targeting personal data, as well as the company’s admission of the breach and offer of a year of credit monitoring to those whose information had been exposed.

Neiman Marcus was hacked by sophisticated cyber criminals sometime in 2013, which was not discovered until some customers notified the company of fraudulent charges on their cards in December 2013. The company undertook an investigation and publicly announced the hack on January 10, 2014. Over 350,000 customers’ credit cards were exposed, and 9,200 of those cards are known to have been used fraudulently. Neiman Marcus notified all customers for whom the company had either physical or email addresses, and who had shopped at its stores between January 2013 and January 2014, of the potential exposure of their cards. Neiman Marcus also offered those customers a year of free credit-monitoring and identity-theft protection services.

Numerous class action lawsuits were filed based on these disclosures, which were eventually consolidated before the District Court for the Northern District of Illinois. The four putative representatives in the consolidated action alleged negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws. The plaintiffs had all made purchases at Neiman Marcus during the relevant time period, and three out of the four alleged that fraudulent charges had appeared on their accounts. The district court granted Neiman Marcus’s motion to dismiss for lack of Article III standing, holding that the Supreme Court’s decision in Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013) precluded standing based on allegations of future harm.

The Seventh Circuit reviewed the decision and reversed, holding that Clapper had not impacted the “substantial risk” standard, which permits plaintiffs to allege standing based upon costs incurred seeking to mitigate or avoid a harm for which a substantial risk exists that the harm will come to pass. As a district court judge in the Northern District of California held in In re Adobe Systems Inc., Privacy Litigation, No. 13-5226, Dkt. Entry No. 55 (N.D. Cal. Sept. 4, 2014), where hackers had deliberately targeted customers’ private data and misused some of that stolen data, other customers whose data had been taken can demonstrate “certainly impending” harm. Both courts noted that customers should not have to wait for hackers to misuse their data before a claim ripened, and the Seventh Circuit noted that the longer a plaintiff waited to sue, the harder it would be to prove the harm was “fairly traceable” to defendant’s conduct.

Finally, the Seventh Circuit also drew a negative inference from Neiman Marcus’s offer of credit monitoring and identity theft protection to all customers for whom it had contact information and who had shopped at its stores during the relevant time period. The court insinuated that Neiman Marcus likely did not make that offer “because the risk is so ephemeral that it can be safely disregarded.” Slip Op. at 11. From this, the court concluded that the requirement for a “substantial risk” of injury from Clapper may be met merely by showing the company that was hacked has found sufficient risk to warrant offering credit monitoring to a class of potentially affected customers.

The Seventh Circuit’s decision in Neiman Marcus is concerning for large companies, which face the constant barrage of cyberattacks seeking to access private customer data, and must also comply with various state laws, some of which require breached companies to offer free credit monitoring to certain affected customers. Nonetheless, such companies may be able to demonstrate that such offers were made to comply with statutory mandates, rather than through any valid assessment of whether class plaintiffs have a substantial risk of future harm.