Seventh Circuit

Late last week, the Seventh Circuit affirmed a trial court’s ruling granting dismissal at summary judgment of claims against FCA US LLC (“FCA,” formerly known as Chrysler) and Harman International Industries, Inc. (“Harman”) for lack of Article III standing.  See Flynn v. FCA US LLC, — F. 4th —-

Continue Reading Seventh Circuit Affirms Dismissal Of Class Claims Based Upon Speculative Hacking Risk

On May 5, 2020, the Seventh Circuit held that violations of the section 15(b) disclosure and informed consent provisions of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) constitute “an invasion of personal rights that is both concrete and particularized” for the purposes of establishing Article III standing to sue in federal courts.  However, the Seventh Circuit also held that the alleged harms associated with violations of section 15(a) of BIPA were insufficient to establish Article III standing.  Section 15(a) mandates public disclosure of a retention schedule and guidelines for permanent destruction of collected biometric information.

Covington has previously discussed developments in BIPA litigation, which has proliferated in recent years with the advancement of relevant technologies.  The increase in BIPA litigation has been accompanied by a rise in disputes over the nature of the harm required to sustain an action, both in state and federal courts.  Although this issue was seemingly resolved at the state-level by the Illinois Supreme Court’s 2019 Rosenbach decision, federal courts have continued to grapple with the issue for the purposes of Article III standing.
Continue Reading Seventh Circuit Rules on Article III Standing Issues in Illinois BIPA Lawsuit, Allowing Case to Proceed in Federal Court

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.

Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”
Continue Reading Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit

Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.

Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently.  The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.

Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury.  The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet.
Continue Reading Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules

The Seventh Circuit held yesterday, in a decision written by Judge Posner, that damages are not available under the Video Privacy Protection Act (“VPPA”) for violations of the statute’s data deletion requirement, only for unlawful disclosures of video-viewing information. 

Subsection (b) of the VPPA prohibits knowing disclosure of personally identifiable

Continue Reading Seventh Circuit Strikes VPPA Claim for Retention Damages