For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this: (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case. But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.
The Clapper Rule
In 2013, the U.S. Supreme Court held in Clapper that individuals claiming a reasonable likelihood that their communications would be intercepted under the Foreign Intelligence Surveillance Act (“FISA”) had no Article III standing, because no injury had occurred. According to the Court, a “reasonable likelihood” of future injury is not enough for standing to sue, and the individuals’ choice to take costly measures to protect their confidential communications does not suffice as injury for standing purposes.
Clapper in Data Breach Cases
To date, virtually every defendant asserting a Clapper-based motion to dismiss in data security breach cases has been successful. District courts ruling otherwise are few and far between:
- The Southern District of California, in a class action arising out of the 2011 Sony PlayStation network breach, In re Sony Gaming Networks & Customer Data Security Breach Litigation held that plaintiffs had standing merely because their information had been wrongfully disclosed without any allegation that their information had actually been misused.
- The Northern District of California followed suit in In re Adobe Systems, Inc. Privacy Litigation, holding that plaintiffs had standing to bring claims against Adobe arising from a massive 2013 breach, even though they could not allege actual misuse of their stolen personal information.
- The Minnesota district court in In re Target Corporation Customer Data Security Breach Litigation limited Clapper’s applicability when it allowed various consumer claims to survive Target’s motion to dismiss, finding that plaintiffs had an alleged injury in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payments charges or new card fees.”
The Seventh Circuit’s decision in Neiman Marcus is the first federal appellate review of a data breach class action dismissed under the Clapper standing requirements. The Seventh Circuit ruled that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Quoting a Clapper footnote, the court reasoned that standing can also be established when there is a “substantial risk” of harm and plaintiffs “reasonably incur costs to mitigate or avoid that harm.”
According to the Seventh Circuit, Neiman Marcus customers have standing to sue because they are at substantial risk of fraudulent charges or identify theft. Victims of data breaches “should not have to wait until hackers commit identity theft or credit-card fraud.” The increased risk of future harm and harm-mitigation expenses satisfies the injury-in-fact requirement because, unlike in Clapper, the risk is not speculative.
The Seventh Circuit also found standing because some plaintiffs allegedly paid for credit monitoring services. It noted that, while harm-mitigation measures will not always qualify as an injury for purposes of standing, the purchase of credit monitoring in the context of a data breach “easily qualifies as a concrete injury” because the threatened harm of a data breach is “imminent.” In a Catch-22, the court relied on the fact that Neiman Marcus had offered one year of free credit monitoring to categorize the harm as “imminent,” therefore distinguishing the Neiman Marcus from the speculative harm in Clapper.
So, how consequential is the Seventh Circuit’s ruling? The Neiman Marcus decision is only binding precedent for courts in the Seventh Circuit, and it is a ruling on a motion to dismiss, not ultimate liability. And the ultimate liability to consumers may not be that large. Data breaches undoubtedly frustrate the affected individuals, but they usually occur without much quantifiable loss. In a recent study of consumer sentiment about data breaches, three quarters of consumers whose information had been compromised described the experience as “stressful,” and 45 percent were very or extremely concerned about suffering identity theft. Yet 81 percent had no out-of-pocket expenses from the breach. Those who did averaged just $38. Fifty-five percent reported doing nothing independently, post-breach, to protect themselves from ensuing identity theft. Only 5 percent paid a service provider to monitor their credit reports, and only 1 percent hired a lawyer to sue the breached company.
But the significance of Neiman Marcus has less to do with plaintiffs’ damages and much more to do with the cost of litigation, and ultimately the cost of cyber insurance. If other courts follow the Seventh Circuit’s lead, data breach claims will more likely survive motions to dismiss, subjecting breached organizations and their cyber insurers to the expense of full-blown discovery. And unlike identity theft, there’s nothing speculative about e-discovery costs.