Neiman Marcus has made history as the standard for luxury retail. But it is also making history as a watershed case in data breach class action litigation. On January 10, 2014, Neiman Marcus announced that between July 16, 2013 and October 30, 2013, its customers’ credit card information was exposed after hackers infiltrated the retailer’s data systems. Neiman Marcus informed its customers that data from 350,000 cards were potentially exposed, and about 9,200 of the 350,000 cards were used fraudulently. In addition to notifying all customers who had shopped in its stores between January 2013 and January 2014 of the data breach, Neiman Marcus also offered the customers one year of free credit monitoring and identity theft protection.
Several Neiman Marcus customers filed a class action complaint on behalf of all those whose credit card information had been exposed by the breach. The complaint alleged claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, and violations of multiple state data breach laws. Neiman Marcus moved to dismiss the complaint on the grounds that Plaintiffs could not allege any actual, present injuries and therefore lacked standing to pursue their claims under Article III of the U.S. Constitution.
As I mentioned in a previous post about standing problems in the Android case, a party must suffer some actual or threatened injury that can fairly be traced to the challenged action of the defendant to have standing to pursue their claim. No standing, no case. Plaintiffs alleged two “imminent” injuries: (1) increased risk of future fraudulent charges, and (2) greater susceptibility to identity theft. Basically, Plaintiffs argued that they had not yet become victims of identity theft, but they were now more likely to be.
The District Court dismissed the case, finding a lack of standing. The District Court, like many trial courts faced with data breach causes of action, relied upon the United States Supreme Court’s 2013 decision in Clapper v. Amnesty International U.S.A. Clapper held that “allegations of future injury are not sufficient” to establish Article III standing. Indeed, since the Supreme Court’s ruling in Clapper, data breach defendants have routinely argued that Clapper requires dismissal and have routinely prevailed with that argument. Until now.
On July 20, 2015, the Seventh Circuit issued a ruling permitting a data breach class action to proceed against Neiman Marcus. In a game-changing decision, Remijas v. Neiman Marcus became the first Circuit Court opinion to find the following:
1. Customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur”;
2. Plaintiffs who have not yet suffered actual fraud or identity theft are nonetheless injured because they must spend money, time, and attention on canceling and replacing cards, monitoring their credit score, and otherwise “sorting things out”;
3. A retailer’s offer of credit monitoring and identity-theft protection to customers following a data breach was “telling” evidence that risk of harm was not “ephemeral.”
The Court further remarked “[a]t this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas is a game changer because prior to the Seventh Circuit’s decision, the mere act of having your consumer data stolen was not enough to survive a motion to dismiss. Now, it might be.
Remijas is a watershed case for any company regularly compiling or retaining customer data. Let me rephrase that: Remijas is a watershed case for any company. For years, Clapper was the insurmountable hurdle hindering class action suits because it permitted Article III standing for possible future injuries only when the threatened injury was “certainly impending.” In other words, plaintiffs would need to show some evidence that, without doubt, their identity would be stolen imminently. But the “objectively reasonable likelihood” standard in Remijas lowers the crucial standing bar announced in Clapper. This standard assumes that the mere act of having your data stolen demonstrates a likelihood that identity theft and fraud are soon to follow. The Remijas decision also creates a circuit split with the Third Circuit, which relied upon Clapper in its dismissal of Reilly v. Ceridian Corp., a similar data breach class action.
Neiman Marcus has petitioned the Seventh Circuit for an en banc rehearing on this case because of the Seventh Circuit’s deviation from both Clapper and Reilly. These sorts of rehearings are not routinely granted, but because of the deviation from Supreme Court and Third Circuit precedent, the Seventh Circuit may be inclined to grant the rehearing. However, if Remijas is permitted to stand, other data breach plaintiffs may be encouraged to file class action suits because they have a strong weapon to combat motions to dismiss. This could also amplify the frequency and expense of data breach class action litigation for defendants.
What’s the takeaway? This case should serve as another reminder about the importance of strong cybersecurity protections for any business (for other reminders, please see Uber, AshleyMadison.com, and China cyber attacks). If Remijas stands, the Seventh Circuit’s break from precedent will likely open the floodgates to more class action suits during the aftermath of a breach. Suffering a data breach is inevitable when conducting business in the 21st century. No matter how small your company might be, the risk of an attack always exists. But now the breach aftermath has become even busier, with companies having to navigate their way through state breach notification laws, work with regulators, and face possible litigation that just became more complex and nuanced than ever before.
As of this writing, Neiman Marcus has not yet received a decision on whether a rehearing will be granted. No one yet knows whether and how the case will continue to develop. But in the meantime, companies should be aware that courts could rely on the Remijas opinion in assessing data breach victims’ standing to sue based on the potentiality of future harms. Faruki Ireland & Cox attorneys will be monitoring the Remijas case, and will keep you updated on any further developments.