Purchasing Credit Monitoring May Not Protect Companies from Data Breach Class Actions
2014 set a record for data incidents, with nearly 30% of the 783 data incidents reported by companies caused by hacking. At least 97 incidents are reported to have occurred from hacking during 2015, affecting approximately 7 million records. Numerous class action lawsuits have been filed based on these hacking incidents.
Companies have defeated many such lawsuits early by arguing that the plaintiffs had not alleged an injury that could be addressed in court and, thus, did not have legal “standing” to bring such claims. The Seventh Circuit’s July 2015 opinion in the Neiman Marcus data breach class action may make it harder to land such an early knockout-punch to data breach class actions.
The Neiman Marcus Hack
On January 1, 2014, Neiman Marcus discovered malicious code had been placed on its computer systems after learning that fraudulent charges had appeared on some of its customers’ credit card statements. The retailer’s investigation determined that approximately 350,000 credit and debit card numbers had been potentially compromised by the malicious code between July and October 2013 and that 9,200 of those cards were used illegally. Neiman Marcus initially notified customers who had experienced fraudulent charges on their accounts. Later, Neiman Marcus notified all customers who made a purchase at its stores during 2013 and offered one year of free credit monitoring to everyone notified.
Disclosure of the breach spurred the filing of several class action lawsuits that were eventually consolidated. The plaintiffs asserted multiple common law claims against the retailer, including negligence, breach of implied contract, unfair and deceptive trade practices, and violations of multiple state data breach notification laws. The circumstances of the individual plaintiffs varied: some suffered fraudulent charges on a financial account, while others had simply shopped at a Neiman Marcus store during 2013 and received the Neiman Marcus data breach notice.
Neiman Marcus filed a motion to dismiss based on the plaintiffs’ lack of standing. The U.S. District Court judge agreed that the possibility of future identity theft and indeterminate costs to mitigate the risk of identity theft were not concrete injuries sufficient for standing and dismissed the case. The plaintiffs appealed, and the Seventh Circuit Court of Appeals reversed the trial court’s decision and allowed the suit to proceed.
“Standing” of the Neiman Marcus Plaintiffs: A Requirement to Avoid Dismissal
Neiman Marcus initially prevailed by arguing that the plaintiffs did not have “standing.” Standing has three components: 1) an injury 2) reasonably attributable to the defendant 3) that can be remedied by a favorable decision in court. Since 2013, several federal courts have concluded that the risk of future identity theft is not enough to establish standing, contrasted with cases where the plaintiffs asserted they had already been the victims of identity theft and suffered financial losses. Departing from this trend of rejecting possible future harm as an injury, the Seventh Circuit held that the plaintiffs had satisfied all three requirements of standing, even though the plaintiffs had been reimbursed for all fraudulent charges that had been made by that time.
The Seventh Circuit found several bases for standing, the most noteworthy being the possibility of future fraudulent charges and identity theft. The Court relied on the fact that the plaintiffs’ financial information had been stolen and a government report finding that stolen personal information may be used by a thief long after the theft. The Court thus inferred that the plaintiffs had shown a substantial risk of future harm sufficient to satisfy standing requirements at that early stage of the case. The Court questioned whether the plaintiffs could prove—and not just allege—sufficient facts to maintain the inference of future harm, but the Court declined to make the plaintiffs wait to sue until their credit cards had been used or identities stolen.
The Court also found standing based on the time and money the plaintiffs would spend fixing their tainted accounts and protecting against future theft. Courts often reject “mitigation expenses” as an injury because an overly paranoid plaintiff could manufacture standing by needlessly spending money to protect against a fictional future harm. However, protecting against future identity theft losses was held to be a non-speculative injury. The Seventh Circuit turned Neiman Marcus’ offer of credit monitoring against it, reasoning that the retailer would not have offered such a service if it did not believe the future harm to its customers was real.
The Seventh Circuit rejected two other arguments of the retailer. Neiman Marcus argued that the plaintiffs’ injury was not traceable to its data breach because other retailers had also experienced large-scale data breaches, so perhaps the claimed injuries were caused by data stolen from these retailers. The Seventh Circuit was not persuaded. The fact that Neiman Marcus notified the plaintiffs that their information may have been compromised was sufficient to lay the plaintiffs’ injuries at Neiman Marcus’ doorstep. The Court also stated that it would ultimately be Neiman Marcus’ burden to prove that another retailer’s data breach was the legal cause of the plaintiffs’ injuries.
Reimbursement for fraudulent charges also did not negate the plaintiffs’ standing. Whether the customer was fully reimbursed was irrelevant at this stage: the risk of future injury and time and expense of preventing future injury were still present, and this was enough to confer standing.
Clients facing potential data breaches can glean several lessons from the Neiman Marcus opinion:
- A company’s internal cybersecurity controls and monitoring can mitigate the size of a potential class. Neiman Marcus only discovered it had been hacked months after the fact and only after learning that its customers’ credit cards had been used fraudulently. Prompt discovery through internal monitoring might have limited the number of affected individuals. (See Data Breach Strategies for more information about pre-breach planning, response and post-breach tasks)
- A prompt forensic investigation after discovering a breach may provide valuable information on what types of information was affected and who has been affected. A company that maintains appropriate logs may be able to narrow the number of people who are required to receive notice of the breach. According to the Seventh Circuit, that Neiman Marcus notified anyone who had made a credit or debit card purchase during 2013 undercut its argument that it was not the cause of the plaintiffs’ injuries. Notifying only the discrete class of people actually affected shrinks the potential class of plaintiffs, decreasing the overall potential exposure posed by a class action lawsuit and possibly rendering a class action suit financially unviable for a plaintiff’s attorney to pursue.
- Offering credit card monitoring services as a path to an early dismissal of a class action suit is less plausible based on the Neiman Marcus opinion. This opinion also casts doubt on the ability of a company to avoid liability by attempting to blame other companies who also experienced major data breaches.
- Although the Seventh Circuit reversed the dismissal, Neiman Marcus might still prevail at the class certification or summary judgment stages. Questions of fact and law common to the class and predominance of those common questions are two of many requirements to certify a class action in federal court. A court cannot certify a class action if resolving the claims would require individualized inquiries for each class member. The potentially immense variation in reimbursement policies of credit card companies and the differing liability for fraudulent charges for debit card customers as compared with credit card customers could present barriers to satisfying the commonality and predominance requirements. Likewise, the differences in the data breach notification laws enacted in 47 states and in D.C. and Puerto Rico could be a hurdle to finding common questions of law among the class for claims made under those laws. Whether the inference of substantial future harm was reasonable may be a question for summary judgment when more facts are brought to light.
 Identity Theft Resource Center Breach Report Hits Record High in 2014, Identity Theft Resource Center (Jan. 12, 2015), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html.
 2015 1H Data Breach Hacking/Skimming/Phishing Category Summary, Identity Theft Resource Center (July 1, 2015). This figure is based on data the Identity Theft Resource Center had collected as of July 1, 2015.
 Class action status requires satisfying several specific legal requirements. A lawsuit is officially a “class action lawsuit” when a court certifies it as such. For ease of reading, this article will simply refer to the lawsuit in this case and other certified or uncertified class action lawsuits as a “class action lawsuit.”
 A copy of the Seventh Circuit’s opinion in Remijas v. Neiman Marcus Group, LLC is available here.
 The panel did not acknowledge that California state law requires offering credit monitoring when Social Security numbers, driver’s license numbers or California identification numbers are compromised. Those types of personal information were not at issue in this case, but the issue is open for future cases.