The 7th Circuit just made it a lot easier to sue over data breaches

July 21, 2015

One of the truisms of big litigation is that plaintiffs lawyers are adaptive folks. That’s certainly been borne out over the last couple of years in class actions against corporations whose customer or employee information has been compromised in hacker attacks. Federal judges in district courts dismissed those cases in waves after the U.S. Supreme Court clarified in its 2013 decision in Clapper v. Amnesty International that to meet constitutional requirements to sue in federal court, plaintiffs have to allege they are at imminent risk of suffering a concrete injury.

Class action lawyers eventually figured out how to get around Clapper by suing in the name of lead plaintiffs who had allegedly suffered a concrete injury. In a big data breach case against Target, for instance, the trial judge ruled last year that customers had standing to bring a class action because they were temporarily unable to access money in their accounts. And earlier this year, Sony employees were permitted to move forward with their suit against the company because hackers had posted their personal information on Internet sites frequented by identity thieves, making their potential injury concrete. If Clapper was a silver bullet for data breach defendants, artful drafting could at least give plaintiffs lawyers a way to deflect it.

Now they don’t need to deflect, at least not in the 7th U.S. Circuit Court of Appeals. On Monday, a 7th Circuit panel reinstated a data breach class action against the retailer Neiman Marcus, holding that the theft of customers’ financial information was enough to satisfy constitutional standing requirements, even after Clapper.

“The Neiman Marcus customers should not have to wait until hackers commit identity theft or creditcard fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” wrote Chief Judge Diane Wood for a panel that also included Judges Michael Kanne and John Tinder.

This is a really consequential decision. It’s the first time a federal appeals court has looked at a data breach class action that was dismissed because the trial judge said it fell short of Clapper standing requirements. The 7th Circuit said flatly that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Sometimes, the opinion said – quoting a footnote from the Clapper opinion – standing can be established when there is a “substantial risk” of harm and plaintiffs “reasonably incur costs to mitigate or avoid that harm.”

According to the 7th Circuit, Neiman Marcus customers have standing to sue because are at substantial risk of fraudulent charges or identity theft. “Why else would hackers break into a store’s database and steal consumers’ private information?” the opinion said. Like Neiman Marcus customers in their brief to the 7th Circuit, the panel opinion cited a 2014 ruling by U.S. District Judge Lucy Koh in In re Adobe Systems Privacy Litigation, which said the test for standing in the 9th Circuit, even after Clapper, remains “a credible threat of real and immediate harm,” as established in the 2010 decision in Krottner v. Starbucks.

Judge Wood’s opinion also said the Neiman Marcus customers have standing because some plaintiffs paid for credit monitoring services. In Clapper, the Supreme Court said plaintiffs can’t establish constitutional standing by spending money to ward off speculative harm. But when a data breach has occurred, the 7th Circuit said, the harm is not speculative – as Neiman Marcus implicitly acknowledged by offering customers credit monitoring. “It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded,” the 7th Circuit opinion said.

Finally, the 7th Circuit sided with customers on two additional standing requirements, finding that their alleged injuries were traceable to Neiman Marcus and that their alleged harm could be redressed in the litigation. Neiman Marcus’ lawyers at Sidley Austin had argued against both points in the company’s appellate brief. It said customers didn’t know for sure that hackers obtained their credit information from Neiman Marcus’ systems because other retailers, including Target, experienced breaches at around the same time as the Neiman hack. It also argued that all of the fraudulent purchases cited by the name plaintiffs had been reimbursed by their credit card companies.

But the appeals court said Neiman Marcus’ own “admissions and actions” – notifying customers that as many as 350,000 cards might have been exposed to hackers – backed plaintiffs’ allegations that their injuries were traceable to the retailer. And although fraudulent charges have so far been reimbursed, the 7th Circuit said, that “is not true for the mitigation expenses or the future injuries.”

Plaintiffs lawyers are already cheering the Neiman Marcus decision. Gretchen Cappio of Keller Rohrback, who represents current and former employees suing over the Sony hack, said in an email statement that she expects other courts to follow the 7th Circuit’s analysis. “The 7th Circuit has recognized what privacy experts and many data breach victims already know: The release of personal information like credit card or Social Security numbers greatly increases the risks of identity fraud,” she said.

Theodore Maya of Ahdoot & Wolfson, who argued for the Neiman Marcus class at the 7th Circuit, didn’t respond to an email request for comment. David Hoffman of Sidley, who argued for the retailer, said in an email that the company is still reviewing the opinion.

For more of my posts, please go to WestlawNext Practitioner Insights

Follow me on Twitter

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see