On July 20, 2015, the U.S. Court of Appeals for the Seventh Circuit held in Remijas v. Neiman Marcus Group that injuries associated with resolving fraudulent charges and protecting oneself against future identity theft after a data breach at Neiman Marcus sufficed to establish standing under Article III of the U.S. Constitution.
Sometime in 2013, hackers stole the credit card numbers of approximately 350,000 Neiman Marcus customers. Several plaintiffs then filed class-action lawsuits alleging claims for negligence, breach of contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of state data breach laws. Neiman Marcus moved to dismiss the consolidated cases under Rule 12(b)(1) for lack of subject-matter jurisdiction, and alternatively under Rule 12(b)(6) for failure to state a claim. Neiman Marcus alleged that the plaintiffs lacked standing because they had not demonstrated that they suffered either an “actual injury” or a “certainly impending” future injury. The district court granted the motion, and the plaintiffs appealed.
A three-judge panel of the Seventh Circuit reversed. It considered all three parts of the standing inquiry (injury, causation and redressability) and concluded that, at least at the pleadings stage, the plaintiffs had satisfied their burden.
The court held that two of the plaintiffs’ theories satisfied the “injury” requirement in Article III:
- The increased risk of future fraudulent charges and/or identity theft.
- Plaintiffs’ expenses in resolving fraudulent charges on their accounts (so-called “mitigation expenses”).
Much of the court’s opinion focused on the first theory. Because 9,200 customers’ cards had already been used fraudulently, and because the litigation was in an early stage, the court inferred a “substantial risk” of future harm. After all, the court asked, “Why else would hackers break into a store’s database and steal customers’ private information?”
The panel refrained from deciding whether the plaintiffs’ other theories of injury satisfied Article III, but noted that it was “dubious” about them. For example, the plaintiffs argued that they overpaid for products at Neiman Marcus because the store failed to invest in an adequate security system. They also complained of the loss of their “private information” as a distinct injury. While noting that there was “no authority” that would support such a finding, the court “refrain[ed] from deciding” those issues.
The court likewise rejected Neiman Marcus’s arguments on causation and redressability. Having found the plaintiffs had standing, the panel reversed the district court’s dismissal, and remanded for further proceedings. That included consideration of Neiman Marcus’s alternative arguments under Rule 12(b)(6) for failure to state a claim.
The court’s opinion is the first in 2015 to have held that plaintiffs in a data breach class action satisfied the standing requirements imposed by Article III. By contrast, federal courts in Nevada, New Jersey, Pennsylvania, Louisiana and Texas had all dismissed data breach class actions earlier in 2015 for failure to satisfy the standing requirement. The panel’s opinion also creates a circuit split with a 2011 decision of the Third Circuit Court of Appeals. See Reilly v. Ceridian Corp., 664 F.2d 38 (3d Cir. 2011).