Seventh Circuit Expands Standing for Consumers Bringing Suits for Data Breaches
By Kelly Winslow
This week, the Seventh Circuit held that plaintiffs bringing claims for stolen credit card information have standing to sue to recover fraudulent charges, as well as fraud prevention expenses, resulting from a data breach. The three-judge panel
The case arises from a class action filed by consumers for negligence, breach of contract, deceptive business practices and a number of other theories for relief. The plaintiffs allege that Neiman Marcus’ security system was hacked, which resulted in a massive data breach that compromised the credit card numbers of 350,000 of its consumers. The district court
The Seventh Circuit’s decision hinged on the issue of whether plaintiffs’ stated future injuries were sufficient for standing under the Supreme Court’s decision in
The plaintiffs in Neiman Marcus based their standing argument in part on two future harms: an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit rejected the district court’s holding that these future harms were insufficient for standing, stating that the district court was incorrect in assuming that Clapper “foreclose[s] any use whatsoever of future injuries to support Article III standing.” The Seventh Circuit distinguished Clapper, a case in which plaintiffs brought suit based on potential government interception of plaintiffs’ communications, noting that in Clapper the injuries were “speculative harm based on something that may not even have happened” and could not support standing. In contrast, the Seventh Circuit found that the consumers in this case were able to show a “substantial risk of harm” in part because there was no doubt that the breach occurred; defendant admitted that consumers’ credit card information was stolen and that there had been fraudulent charges as a result of the breach. (Of course, not all putative class members suffered such charges; what that portends for plaintiffs’ future prospects is uncertain.)
Defendants in several data breach suits have invoked Clapper as a successful basis on which to dismiss for lack of standing. The Seventh Circuit’s decision here could represent a shift in direction. The case appears to open the door for plaintiffs in data breach cases to show standing based upon a broader range of alleged future injuries, specifically those “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft.” Moreover, the Seventh Circuit decision may reflect an emerging sense among some courts that plaintiffs in data breach cases have been too readily dismissed, notwithstanding the frequent absence of tangible harm. How widespread that sentiment may be bears watching as the number of data breaches continues to proliferate.
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.