United States: Hear Ye! The Court May Be in Session for Cyber Breach Claims Against Victimized Retailers

Co-authored by Benjamin Jakubowicz, Summer Associate

Data breaches happen. Even the most conscientious consumers transacting with the most diligent institutions are not completely shielded from the prying eyes of professional data thieves. Among the most frequently targeted are merchants that accept credit cards. Compromised card numbers captured through malware-infected point of sale terminals are at the heart of staggering fraud losses.

Much attention—rightfully so—is given to the hardships consumers endure after being notified that their account information or personal information has been pilfered. Resolving fraudulent credit charges and protecting oneself against future identity theft are costly, time-consuming endeavors. Breached retailers, like consumers, also confront costly hardships. An entity whose database was breached will likely suffer reputation damage, lost sales revenue and system downtime, plus the cost of providing credit-monitoring services to customers and clients. 

The Case Against Class Actions

Retailers also face the inevitable class action lawsuits on behalf of cardholders. Those suits frequently have been turned away at the courthouse steps for lack of standing, largely due to a horse-high barrier erected by Clapper v. Amnesty International USA, decided by the U. S. Supreme Court in 2013. The Court ruled that a plaintiff lacks standing to sue unless it can show "actual" or "certainly impending" injury "fairly traceable" to the defendant's conduct.  The Court cautioned that a proactive plaintiff cannot "manufacture" standing by incurring expenses for non-imminent injuries.   

These requirements stopped many data breach class actions in their tracks because the majority of individuals whose credit cards are compromised can only demonstrate speculative injury. But one federal appeals court recently gave plaintiffs a leg up over the Clapper fence, possibly clearing the way for an increase of breach-related claims in lower federal courts. 

In Remijas v. Neiman Marcus Group, LLC, a class comprised of 350,000 customers of the Neiman Marcus Group, LLC ("Neiman Marcus") sued the high-end retailer following notification that their account information, but not their personal information, may have been leaked.  More than 9,000 customers claimed fraudulent credit account activity. Regardless, the trial court ruled that the class lacked standing and dismissed the case. Why? The card losses had been reimbursed by Neiman Marcus.

How Much Harm is Enough?

The Seventh Circuit Court of Appeals reversed that decision, saying the 9,200 customers had standing even though each had already been reimbursed, finding that the personal hassles of "sorting things out" is sufficient injury to provide standing. Neiman Marcus alleged these harms were too speculative to fit the requirements set forth in Clapper, but the Court said that time and money spent replacing cards and monitoring credit reports were concrete enough. 

In its reversal, the Court distinguished Clapper on several grounds. First, it noted that while the U. S. Supreme Court imposed the "certainly impending" injury standard in Clapper, it did not jettison the previous "substantial risk" of injury standard. The Court further distinguished Clapper based on factual differences. In Clapper, a human rights organization was denied standing to challenge the Foreign Intelligence Surveillance Act based on suspicions that certain communications might have been intercepted by the government; the plaintiffs in Remijas could clearly demonstrate that their information had been compromised. The Court disagreed with Neiman Marcus' contention that the plaintiffs must wait until their identity had been stolen or their cards had been used fraudulently before suing, since it was likely that those injuries would occur. The Court presumed hackers intend to use the information they steal.  

Are Credit Card Theft and Identity Theft the Same?

Curiously, the Court seemed to equate the theft of credit cards with identity theft:  "It would not be enough to review one's credit card statements every month because the thieves might—and often do—acquire new credit cards unbeknownst to the victims." This analysis seems questionable because the leak was limited to account information (cardholder name and account number), which is likely insufficient to accomplish identity theft without additional personal information, such as a SSN and an address. 

This dubious equivalency was noted by Neiman Marcus in a petition for rehearing en banc, filed August 3, 2015. In its petition, Neiman Marcus argued that the Court misapplied Clapper, twisted Neiman Marcus's offer of free credit monitoring into evidence of actual harm suffered by the plaintiffs, and "confused payment-card information with the more sensitive personal identifying information" necessary for identity theft. The retailer also noted the precedential impact of the panel decision and pointed to several pending lower court cases where plaintiffs have already cited the Remijas opinion.   

While the petition is pending, Remijas may foreshadow fewer dismissals of card breach related class actions in the Seventh Circuit. Its reasoning will likely inform motion practice in other courts considering standing in light of Clapper. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.