Vedder Thinking | Articles Seventh Circuit Resurrects Data Breach Class Action and Stymies Standing Challenge
On July 20, 2015, the Seventh Circuit reinstated a data breach class action in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, after a 2013 malware attack on Neiman Marcus's computer systems that resulted in the theft of customers' credit and debit card information. The plaintiffs argued that they had constitutional standing to pursue their claims against the retailer based on an alleged increased risk of future fraudulent charges and greater susceptibility to identity theft. This decision is troubling and could have a potentially significant and wide-ranging impact on pending and future class actions brought in the wake of similar data breaches. In fact, plaintiffs' lawyers already are citing the decision in other data breach class actions facing Rule 12 standing challenges. See, e.g., In re Barnes & Noble Pin Pad Litigation, No. 12-08617, U.S. Northern District of Illinois.
To have standing, a litigant must prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct and is likely to be redressed by a favorable judicial decision. Federal courts have dismissed similar putative data breach class actions following the U.S. Supreme Court's decision in Clapper v. Amnesty International, holding that plaintiffs must allege they are at imminent risk of suffering a concrete injury. In those cases, courts often have relied on the facts that (a) data breach plaintiffs had fraudulent charges reimbursed by credit card companies and (b) the defendant arranged for complimentary credit and identity theft monitoring services.
The plaintiffs in the Neiman Marcus case alleged that approximately 350,000 credit and debit cards of the retailer's customers had been compromised as a result of the breach and that fraudulent charges had appeared on 9,200 of the cards. Although the plaintiffs conceded that the charges were later reimbursed or reversed, the Seventh Circuit ruled that those customers had Article III standing to bring their claims. Specifically, the court found that the plaintiffs pled sufficient allegations of harm based on their "aggravation and loss of the value of the time needed to set things straight, to reset payment associations after card numbers are changed, and to pursue relief for unauthorized charges."
In addition, the court found that the remaining plaintiffs whose cards had not been fraudulently used also had standing to pursue their claims. The court noted that the plaintiffs had alleged that the hackers deliberately targeted Neiman Marcus to obtain their credit and debit card information, and the court concluded that the plaintiffs "should not have to wait until hackers commit identity theft or credit-card fraud in order to give class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur."
The Seventh Circuit further held that mitigation expenses allegedly incurred by the plaintiffs, such as purchasing identity theft monitoring services, were sufficiently concrete injuries based on the imminent threat of future identity theft and fraudulent charges.
Turning to the second and third prerequisites for standing, causation and redressability, the Seventh Circuit rejected Neiman Marcus's argument that the plaintiffs could not demonstrate that their injuries were traceable to the breach at the retailer rather than to one of several other simultaneous large-scale breaches, including the Target breach. The Seventh Circuit ruled that where there are multiple breaches that could have compromised the plaintiffs' information, the burden shifts to the defendant to prove that its actions were not the "but-for" cause of the plaintiffs' injury.
As a result of the Seventh Circuit's decision in this case, plaintiffs may have increased success in establishing Article III standing to maintain a lawsuit following a data breach. In addition, courts (particularly in the Seventh Circuit) are likely to see an increase in the number of class action lawsuits filed as a result of data breaches. Organizations suffering data breaches now face a potentially more difficult and expensive path in defending data breach class action lawsuits.
In light of these developments, organizations should consider undertaking the following steps and customizing them to their specific circumstances and risks:
1. Conducting Periodic Cybersecurity Risk Assessments
- Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems
- Review and revise (as appropriate) written policies and procedures for the use, safeguarding, disclosure and disposition of personally identifiable information (PII), protected health information (PHI), non-public information (NPI) and other sensitive data
- Evaluate current practices for encrypting PII, PHI, NPI and other sensitive data
- Assess employee and vendor training on privacy, data security and data breach response
- Evaluate procedures limiting access to PII, PHI, NPI and other sensitive data
- Assess practices for guarding against, detecting and reporting malicious software and unauthorized intrusions into systems that maintain PII, PHI, NPI and other sensitive data
2. Evaluating Potential Third-Party Vendor Risks
- Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information
- Obtain copies of vendors' written information security plans or certifications of compliance with applicable standards
- Determine whether contracts with vendors include adequate indemnity and breach notification response procedures and cyber insurance coverage
3. Developing and Periodically Testing a Comprehensive Incident Response Plan
- Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events
- Conduct periodic "table top" exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders
If you have any questions regarding the topics discussed in this bulletin, please feel free to contact Bruce A. Radke at +1 (312) 609 7689, Michael J. Waters at +1 (312) 609 7726, John C. Cleary at +1 (212) 407 7740 or your Vedder Price attorney with whom you have worked.