A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.
Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”
Neiman Marcus’s rehearing petition argues, among other things, that the panel’s reliance on the “objectively reasonable likelihood” standard for determining if a plaintiff has standing based on a potential future injury directly conflicts with a 2013 Supreme Court ruling, Clapper v. Amnesty International USA. In Clapper, the Supreme Court said plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” and the high court held that “the Second Circuit’s ‘objectively reasonable likelihood’ standard is inconsistent” with that requirement.
“By using an obviously wrong and overly lenient standard to determine whether the plaintiffs’ alleged future injuries provided standing, the panel committed a critical error,” Neiman Marcus’s petition argues.
In addition, Neiman Marcus argues that “there was no risk … that [plaintiffs] would be financially responsible for any fraudulent credit card charges,” and that breaches like that experienced by Neiman Marcus — which involved only payment card data and did not expose sensitive data such as Social Security numbers — “create no meaningful risk of identity theft.” Neiman Marcus’s petition also criticizes the panel for using the retailer’s offer of a year of free credit monitoring and identity-theft insurance to a broad group of customers — including customers whose data could not “conceivably” have been compromised in the breach — as evidence that the risk of injury to customers was sufficiently concrete. Such a holding “creates an unfortunate disincentive for companies to do so in the future,” Neiman Marcus wrote.
A rehearing is especially important in this case, the petition argues, because although the panel’s decision conflicts with rulings by the Third Circuit and “numerous district court decisions,” Neiman Marcus’s case is “the only appellate decision squarely considering a retail data breach in which only payment card data is stolen,” and thus “the opinion could well shape the law of standing in such cases for years to come.”