7th Cir.: Neiman Marcus Data Breach Injuries Sufficient for Article III Standing

Last week, the Seventh Circuit Court of Appeals declined to rehear en banc a panel decision against Neiman Marcus over a credit card data breach, cementing its ruling that plaintiffs have Article III standing to bring a class action for the time and cost spent resolving fraudulent charges and safeguarding their accounts from future fraud. Remijas, et al. v. Neiman Marcus Group, LLC, No. 14‐3122 (7th Cir. Sept. 17, 2015) (order available here). In July 2015, the panel had reversed an Illinois district court’s dismissal for lack of Article III standing, and remanded the case. Remijas, No. 14‐3122 (7th Cir. July 20, 2015) (slip op. available here).

In a consolidated first amended complaint filed in June 2014, the Remijas plaintiffs alleged that their credit card information had been compromised in the 2013-2014 breach of the luxury retailer’s payment systems, which affected approximately 350,000 customers, over 9,000 of whom experienced fraudulent charges. U.S. District Judge James Zagel granted the Neiman Marcus’s motion to dismiss exclusively on Article III standing grounds, finding that because Neiman Marcus had offered a free year of credit monitoring for certain store customers and any unauthorized charges complained of would be reimbursed, the plaintiffs had not suffered “injuries” sufficient to confer standing. The Court of Appeals reversed, reasoning that the prophylactic costs that cardholders might incur, such as a credit or identify theft monitoring subscription and replacement card fees, “easily qualif[y] as . . . concrete injur[ies]” and that there are “identifiable costs associated with the process of sorting things out.” Slip op. at 7, 11.

Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the panel stated, “Customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Slip op. at 9 (internal citations omitted). In Clapper, the Supreme Court held that the possibility of the government intercepting communications with suspected terrorists (under the Foreign Surveillance Act) was insufficient to confer constitutional standing. Distinguishing Clapper, the Remijas court found identity theft to be a foreseeable consequence of a data breach and that plaintiffs have standing to bring claims for the time and expense taken to prevent such fraud, unlike the alleged and speculative harm in Clapper. Id. at 8-11.

On August 3, 2015, Neiman Marcus filed a petition for rehearing en banc, which was summarily denied on September 17, 2015. The denial of the defendant’s petition for rehearing reinforces the holding that data breach victims have Article III standing to sue based on the possibility of future, imminent injuries and loss of time and money spent on preventative measures against such injuries, thus depriving data breach defendants of the oft-asserted standing argument.

Authored by: 
Mao Shiokura, Associate
CAPSTONE LAW APC