United States: Seventh Circuit Allows Data Breach Class Action To Proceed Against Neiman Marcus, Despite Lack Of Current Harm To Credit Card Holders

Data breaches are often followed by class action suits in which the affected individuals seek damages. Corporations defending against such suits have used a 2013 Supreme Court case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), to fight off such claims. In Clapper, the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet a stringent bar for the suit to proceed: demonstrating that the harm is "certainly impending." Clapper defenses have a mixed record of success in the lower courts.

Now the Seventh Circuit has weighed in, holding that in the data breach class action before it, Clapper did not present a bar to suit.  In Remijas v. Neiman Marcus Group, LLC, putative class action plaintiffs brought suit against the luxury retailer stemming from a 2013 hack, which compromised approximately 350,000 credit cards.  The district court determined that the plaintiffs did not have standing because they lacked a showing of harm.  The Seventh Circuit reversed and concluded there was standing.

The Seventh Circuit opined that "Clapper does not . . . foreclose any use whatsoever of future injuries to support Article III standing," but instead that where – as in other data breach cases – the "substantial risk" of injury standard survived Clapper and was applicable to the case.  "[I]n our case there is no need to speculate as to whether [the Neiman Marcus customers' information] has been stolen and what information was taken. . . . [T]he Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur."  (Internal citations omitted.)

Remijas is a significant case, suggesting that even in the face of Clapper; the claim of only future harm may not be a bar to a class seeking to adjudicate its claims.  As the case law continues to develop, we would expect to see more consistent patterns emerging in how the courts will handle data breach cases – from question of standing as in Remijas, to the question of damages.  Stay tuned.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.