While attending the recent ABA Internet of Things Institute, I heard something troubling from a particular panelist, a data breach class action defense attorney. This attorney, from a monolithic law firm, proclaimed that data breach class-actions were, essentially, on life support as a result of the U.S. Supreme Court’s (“SCOTUS”) decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). I was a bit astonished by the certainty of the panelist’s position. I would respectfully, and vigorously, disagree. Data breach class-actions are alive and well. Moreover, based on the latest case law and the uptick in security incidents every year, I posit that data breach class-actions are coming to a courthouse near you.
Clapper involved a lawsuit in which a group of attorneys and human rights, labor, legal, and media organizations alleged that the Federal Government had intercepted their private communications in conjunction with counterterrorism surveillance. SCOTUS correctly held that the alleged injury was too speculative to support legal standing to challenge the Foreign Intelligence Surveillance Act (“FISA”), because the plaintiffs possessed no actual evidence that their private communications were actually intercepted.
A handful of federal district courts around the country have applied Clapper to data breach class actions. These courts dismissed several of the cases, holding that in the absence of identity theft or other manifestation of damage, the plaintiff did not have standing. These cases have created a false sense of “security” amongst security front-liners, including, apparently, some defense attorneys.
Not. So. Fast. In back-to-back decisions, the Seventh Circuit turned the tables on SCOTUS and changed the fortunes of data breach litigants. First, in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), the high-end department store Neiman Marcus experienced a data breach that potentially exposed payment-card data of all customers who paid with cards during the previous year. The plaintiff class consisted of customers who had shopped at Neiman Marcus during the time the information was exposed to the invader.
In Remijas, the court stated “there is ‘no need to speculate as to whether [the Neiman Marcus customers’] information has been stolen and what information was taken.’” The court concluded that the plaintiffs’ injuries were concrete and particularized enough to support Article III standing. The court identified two future injuries that were sufficiently imminent: (1) the increased risk of fraudulent credit or debit card charges; and (2) the increased risk of identity theft. The court further opined that such risks were not mere “allegations of possible future injury,” but instead were the type of “certainly impending” future harm that SCOTUS requires to establish standing.
Two weeks ago, the Seventh Circuit doubled down on its Remijas holding in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. 2016), a case involving data breaches at 33 P.F. Chang’s restaurant locations. In Lewert, the Seventh Circuit impliedly relaxed the standing requirements for data breach cases even further. P.F. Chang’s attempted to distinguish the case from Remijas by arguing that the Lewert plaintiffs had dined at a Northbrook, Illinois, restaurant that was not among the 33 locations subject to the breach.
The Seventh Circuit rejected P.F. Chang’s argument and concluded that a lawsuit could compensate for the costs of purchasing credit-monitoring services, lost points on a debit card, or unreimbursed fraudulent charges (though the panel raised doubts about whether the costs of plaintiffs’ meals or the right to their identities constituted injuries). Citing Remijas, the court held that the plaintiffs were at risk for future fraudulent charges given that the breach had already occurred.
“They describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen,” wrote Chief Judge Diane Wood. “These alleged injuries are concrete enough to support a lawsuit.”
So, in my opinion, Clapper does not constitute the death knell of data breach class action lawsuits.[i] In fact, Clapper is well reasoned, and ultimately, correctly decided. The Clapper Court held that plaintiffs’ injuries were too speculative because there was no evidence that a breach or disclosure (i.e., intercepted communications) had even occurred. This holding comports perfectly with traditional notions of subject matter jurisdiction and Article III standing. Conversely, in Remijas and Lewert, plaintiffs established that a breach or disclosure had actually occurred. Therefore, the court reasoned, plaintiffs had a substantive and concrete injury in the potential financial consequences of the breach.
Effectively, the Seventh Circuit has established that the mere occurrence of a data breach or disclosure constitutes actionable injury, regardless of whether identities are stolen or fraudulent charges are incurred. For once, it seems that the courts are actually in lockstep with the practical realities of law (albeit a little late to the party). The breach IS the injury. The breach is a bell that cannot be un-rung. In a climate where government officials have conceded to an inability to protect information, data collectors must be held accountable at the first instance where malefactors obtain personal information. We, as a government, society, and legal profession, cannot allow these entities to breathe a sigh of relief and go on their merry way just because a hacker does not use the stolen information. To do so allows a free pass and misses a chance to teach accountability and make information security a top priority.
[i] This article does not address the potential for state court actions in negligence and intentional tort. State court actions will be addressed in a future article.