As a result of the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), data breach class actions were largely considered dead in the water. The overwhelming majority of courts, relying heavily on Clapper, dismiss data breach actions for the simple reason that until a consumer suffers actual identity theft, she lacks Article III standing to sue. In other words, without actual identity theft, the risk of future harm—as well as any money spent attempting to protect against potential identity theft—is purely speculative and does not suffice to constitute a legally cognizable injury.
On July 20, 2015, the Seventh Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, which may have effectively removed the Clapper barrier to data breach suits in the Seventh Circuit. Remijas stemmed from the 2013 hacking of Neiman Marcus’s customer information, exposing roughly 350,000 customer credit cards. The Court began by reframing the once-commonly-held Clapper analysis: “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Further to that point, the Court noted that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such injury will occur.”
In evaluating the alleged “imminent” injuries, the Seventh Circuit paved the way for a wide variety of alleged injuries to underlie data breach suits. The Court indicated that (1) the risk of future fraudulent charges, (2) the risk of future identity theft and (3) mitigation expenses (i.e., credit monitoring and lost time and money protecting against future identity theft) may be sufficient to confer Article III standing. Importantly, the Court limited its analysis to Article III standing, and thus did not reach whether any of these “injuries” would suffice as “actual damages” sufficient to satisfy statutory standing under consumer protection laws.
Considering that the above injuries frequently appear in data breach complaints, Remijas may limit the viability of the Article III argument in the Seventh Circuit. Remijas, however, also alludes to what will likely be the next frontier in data breach class actions—certifiability. That is, the injury (and thus damage) at issue will vary greatly by class member. By way of example, putative class members may have different bank reimbursement policies that dictate different outcomes for fraudulent charges. Some putative class members may accept free credit monitoring from the defendant (a product often offered by companies suffering a data breach) and others may choose to buy their own. Some putative class members may have suffered identity theft for reasons unrelated to the data breach. And each putative class member likely has a different valuation of their time spent monitoring for identity theft and fraudulent charges.
Accordingly, while Remijas may have an immediate impact on the Article III defense, thus enabling data breach cases (at least in the Seventh Circuit) to survive a motion to dismiss, its practical impact on the viability of data breach class actions is far from certain.