Seventh Circuit Gives New Life to Consumer Data Breach Class Action
by Ronald W. Breaux, Daniel H. Gold, Emily Black, Timothy Newman, William Marsh
The Seventh Circuit has revived a class action against
Neiman Marcus for losses customers allegedly suffered as a result of a data
breach involving payment card information. A federal district court had
dismissed the claims, finding – consistent with federal courts around the
country – that the plaintiffs lacked standing because they failed to allege
they suffered concrete harm from the breach. The Seventh Circuit reversed that
decision, perhaps signaling a more widespread reexamination of standing in the
data breach context.
Background
In January 2014, Neiman Marcus announced that it had suffered a data breach
involving customer payment card information. In a letter to its customers, Neiman
Marcus reported that information from up to 350,000 payment cards was exposed
to malware installed on its system and that 9,200 card accounts had experienced
fraudulent activity. The company stated there was no indication that any
customer personally identifiable information (“PII”) (such as social security
numbers or birth dates) was ever at risk.
In March 2014, several customers who had used payment cards at Neiman Marcus
during the breach period brought a class action alleging, among other things, that
Neiman Marcus was negligent in securing customer payment card information.
Despite Neiman Marcus’ assurance to the contrary, the plaintiffs also alleged
that the hackers accessed PII.
In its motion to dismiss, Neiman Marcus argued that the plaintiffs did not have
standing to pursue the case because (1) the plaintiffs were reimbursed for all
fraudulent charges made on their accounts, and (2) the risk that they may
suffer identity theft in the future did not qualify as the “certainly
impending” harm required by Clapper v. Amnesty International USA, et al., 133
S. Ct. 1138 (2013). In Clapper – a case commonly cited by courts dismissing
data breach plaintiffs’ claims for lack of standing – the Supreme Court held
that threatened injury must be “certainly impending” to establish injury
sufficient for standing. Potential future injury is not enough. Finding Neiman Marcus’ arguments
persuasive, the district court dismissed the case without prejudice.
The Seventh Circuit’s Opinion
The Seventh Circuit reversed the district court, finding that the 9,200 Neiman
Marcus customers who had suffered fraudulent charges on their accounts had
unquestionably experienced actual injury. The court held that even if the fraudulent
charges were fully reimbursed by the banks, there were “identifiable costs
associated with the process of sorting things out.” (Elsewhere, the court
referred to “the aggravation and loss of value of the time needed to set things
straight, to reset payment associations after credit card numbers are changed,
and to pursue relief for unauthorized charges.”) These identifiable costs
constituted an actual injury sufficient to confer standing on these plaintiffs.
The court also found that even class members who did not have fraudulent
charges on their accounts had standing. Emphasizing that there was an
“objectively reasonable likelihood” that fraudulent charges or identity theft
would occur in the future, the court stated that “Neiman Marcus customers
should not have to wait until hackers commit identity theft or credit-card
fraud in order to give the class standing.”
Moreover, the court held that any mitigation costs, such as the costs of credit
monitoring and identity theft protection, “easily qualifie[d] as concrete
injury.” In Clapper, the Supreme Court held that mitigation expenses did not
qualify as actual injury where the harm was not imminent. But the Seventh
Circuit distinguished the speculative harm in Clapper, which involved claims
that the government may have intercepted confidential communications between
the plaintiffs and their clients, from the harm allegedly present here. “Neiman
Marcus does not contest the fact that the initial breach took place. An
affected customer, having been notified by Neiman Marcus that her card is at
risk, might think it necessary to subscribe to a service that offers monthly
credit monitoring.”
Interestingly, the court cited Neiman Marcus’ offer of one year of credit
monitoring and identity theft protection to customers – a standard practice for
breached companies – as additional evidence of concrete harm. “It is unlikely
that [Neiman Marcus] did so because the risk is so ephemeral that it can safely
be disregarded.” This is directly contrary to the approach of other courts,
which have found that providing free credit monitoring to affected consumers
can negate standing because it decreases the risk that a consumer experiences
any actual harm. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp.
2d 646, 654 (S.D. Ohio 2014).
The court was also not persuaded by Neiman Marcus’ argument that all fraudulent
charges had been and would continue to be reimbursed. It cited mitigation
expenses already incurred by the plaintiffs in an attempt to avoid future
fraudulent charges, and future injury that may not be reimbursed. The court
noted that although many credit card companies offered customers “zero
liability policies,” the “zero liability” feature was a business practice, not
a legal obligation. Federal law only requires that a customer’s liability for
unauthorized use of a credit card not exceed $50, and debit cards receive
somewhat less protection. The court stated there was no guarantee that card
issuers would fully reimburse customers for fraudulent charges in the future.
Bellwether or Outlier?
The Seventh Circuit’s standing analysis conflicts with the way most courts have
addressed standing in data breach cases in the wake of Clapper. Most courts
have found that the potential for fraudulent charges in the future is not
sufficiently “imminent” to establish standing and that such risk does not meet
the “certainly impending” standard. See, e.g., In re Zappos.com, Inc., 2015 WL
3466943, at *1 (D. Nev. June 1, 2015); Green v. eBay, Inc., 2015 U.S. Dist.
Lexis 58047, at *2 (May 4, 2015); Galaria v. Nationwide Mut. Ins. Co., 998 F.
Supp. 2d 646, 654 (S.D. Ohio 2014).
Companies should expect plaintiffs’ attorneys to rely heavily on the Neiman
Marcus opinion going forward. For example, customers are seeking to revive a
data breach class action against Barnes & Noble after it was dismissed for
lack of standing in 2013. See In re Barnes & Noble Pin Pad Litig., 2013 WL
4759588 (N.D. Ill. Sept. 3, 2013). Barnes & Noble argues that even under
the logic of the Seventh Circuit’s Neiman Marcus decision, the plaintiffs have
not adequately pled standing because they have not shown that their information
was actually impacted by the breach.
Standing continues to be a central issue in data breach class action
litigation. Companies with consumer-facing operations should monitor
developments in this area, because the law on standing in the data breach
context is far from settled.