Standing Argument Told to Sit-Down in Recent Data Breach Lawsuit (PA)

As we predicted in our essay, standing attacks are becoming less useful in obtaining the dismissal of data breach lawsuits. Last week, the Seventh Circuit Court of Appeals found that customers of Neiman Marcus were able to satisfy Article III’s standing requirements despite the fact that there was no indication that the social security numbers or other personal information of customers had been exposed in any way.

In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. As the company began to investigate these charges, it discovered potential malware in its computer system. Malware is malicious software designed to infiltrate, damage, or otherwise cause unintended or unauthorized conditions or actions. In this case, the malware attempted to collect credit card data between July 16, 2013 and October 20, 2013. Around 350,000 cards were potentially exposed, and of those 350,000, 9,200 were known to have been used fraudulently.

In the wake of the breach, Senior Vice President and Chief Information Officer for the Neiman Marcus Group, Michael Kingston, testified before the United States Senate Judiciary Committee. Although he testified that there was “no indication that social security numbers or other personal information [was] exposed in any way,” his testimony sparked a class-action complaint.[1] The complaint relied on a number of theories for relief, including negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

In framing its analysis on the alleged harms, the Court found that “[t]hese plaintiffs must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.”

Although there was no evidence that the plaintiffs’ data had been misused, the Court found that the plaintiffs had suffered particularized harm for which a judicial decision could provide redress. The Court found that a favorable judicial decision could redress any injuries for less than the full reimbursement of unauthorized charges. Although some credit card companies offer customers “zero liability” policies under which the customer is not held responsible for fraudulent charges, this is a business practice and not a federal requirement. As such, it defeated neither the injury-in-fact requirement nor the redressability requirement.

So, where does this new opinion leave us? While we don’t know exactly what the future holds for standing arguments in data breach lawsuits, we can surmise that the opinion we expressed in our CounterPoint article holds true – attacks on standing may not be the best way to defend against data privacy claims. Thanks to Erica Woebse for her contribution. Please email Brian Gibbons with any questions.

[1] Originally there were a number of class-action complaints. They were consolidated in a First Amended Complaint, which was filed on June 2, 2014 by Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao.