Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.
Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently. The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.
Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury. The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet.
In the Neiman Marcus case, the Seventh Circuit found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court.
Those customers whose cards already were used to incur fraudulent charges can establish standing — even if the fraudulent charges were reimbursed — based on having “suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges,” the Seventh Circuit held.
The court also found that customers whose cards have not been used for fraudulent charges nonetheless could establish standing based on the time and money spent “protecting themselves against future identity theft and fraudulent charges.” Although “[m]itigation expenses do not qualify as actual injuries where the harm is not imminent,” in this case “Neiman Marcus does not contest the fact that the initial breach took place,” and the court found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection. The Seventh Circuit appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral,” in contrast to the Clapper plaintiffs’ claims, which the Seventh Circuit viewed as having alleged only “speculative harm based on something that may not even have happened to some or all of the plaintiffs.”
The Seventh Circuit also noted that the plaintiffs’ allegations “go far beyond” the allegations raised by the plaintiff in Spokeo, Inc. v. Robins, a closely watched case in which the Supreme Court is scheduled to weigh in again on standing requirements. In Spokeo, the Supreme Court will consider whether Robins can establish standing – even without alleging that he suffered actual damages – merely by alleging that Spokeo violated the Fair Credit Reporting Act by publishing inaccurate information about Robins.
Plaintiffs in other data breach cases have had less success establishing standing. Last year, for instance, a federal district court in Ohio dismissed two proposed class actions relating to an October 2012 Nationwide Mutual Insurance Co. data breach, holding that plaintiffs’ allegedly increased risk of identity theft and fraud arising from the breach, and costs associated with mitigating that increased risk, were not “certainly impending” as required under Clapper, given that the alleged injuries would depend on the actions of independent parties. In an earlier, pre-Clapper case, the U.S. Court of Appeals for the Third Circuit similarly held that employees whose personal information might have been accessed in a data breach of a payroll processor did not have standing to sue because, although the plaintiffs alleged they were at increased risk of identity theft, had incurred credit monitoring costs, and had suffered emotional distress, those asserted injuries were too speculative to give the plaintiffs standing, at least without evidence “that the data has been—or will ever be—misused.”