Plaintiffs in consumer data breach class actions have struggled to establish Article III standing. Article III standing requires an alleged ‘‘concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.’’ In Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) the Supreme Court held that mere allegations of ‘‘possible future injury’’ are not sufficient for standing, though a well-pled allegation that such harm is ‘‘certainly impending’’ could establish standing. In the three years since the Clapper decision, courts have frequently cited Clapper in assessing standing in data breach class actions, mostly in dismissing actions.
In Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015) the plaintiff brought a putative class action against the company following a data breach involving customer credit card information. Shortly after learning of the breach, defendant publicly acknowledged that a data breach had occurred involving 350,000 of its issued credit cards and that there were over 9,200 cards known to have been used fraudulently. Defendant provided individual notice to its customers who were hit with fraudulent charges on their credit cards and offered a free year of credit monitoring. The plaintiff alleged both actual and future harms, including an increased risk of future fraudulent charges and greater susceptibility to identity theft. The district court dismissed the complaint, finding that neither the ‘‘fraudulent charge’’ injury alleged to have been incurred by the 9,200 customers, nor the risk that the same injury may befall others among the 350,000 customers at issue, is an injury sufficient to confer standing because Clapper requires an injury to be concrete, particularized, and at least imminent. In particular, the 9,200 customers whose cards had been fraudulently used did not suffer a ‘‘concrete’’ injury where such customers were not financially responsible for the unauthorized charges, and the remaining customers are not at a ‘‘certainly impending risk of identity theft.’’
The Seventh Circuit – with Chief Judge Wood writing for the three-judge panel – reversed the district court, ruling that a data breach plaintiff may have standing based strictly on an alleged impending harm. The Seventh Circuit concluded that the facts alleged by plaintiff support the finding that the plaintiff has standing to bring claims against Neiman Marcus for the imminent harms of future fraudulent credit card charges or identity theft. The court emphasized that the risk of fraudulent charges or identity theft in this instance is ‘‘very real’’ – noting that the plaintiff alleges that the data breach occurred when hackers deliberately targeted Neiman Marcus to steal credit card information. Given this alleged fact, the Seventh Circuit determined that ‘‘Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.’’ Indeed, the court continued, ‘‘Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.’’
More recently, in Lewert v. P.F. Chang’s China Bistro, Inc., No.14-3700 (7th Cir. 2016) the plaintiffs sought damages resulting from the theft of their credit and debit card data. Concluding that the plaintiffs had not suffered the requisite personal injury, the district court dismissed the action for lack of standing. The Seventh Circuit — with Chief Judge Wood again writing for the three-judge panel — reversed and remanded the district court’s order in light of Remijas. The Court concluded that several of plaintiffs’ alleged injuries fit within the categories the Court delineated in Remijas: “[Plaintiffs describe the same kind of future injuries as the Remijas plaintiffs did: the increased risk of fraudulent charges and identity theft they face because their data has already been stolen. These alleged injuries are concrete enough to support a lawsuit.” The Court rejected P.F. Chang’s argument that, unlike in Remijas, it contests whether the plaintiffs’ data was exposed in the breach. According to the Court: “To the extent this is a valid distinction (and that is questionable), it is one that is immaterial. At the pleading stage, the plaintiffs’ factual allegations must ‘[]cross the line from conceivable to plausible.’” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007).