Neiman Marcus Fallout: Standing in Data Breach Class Actions

Many predicted data breach class-action lawsuits would rise following the U.S. Court of Appeals for the Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group LLC, which stemmed from the 2013 theft of credit card and other personal information from the retailer. But so far, the floodgates have yet to fly open. As the Seventh Circuit and two district courts that relied upon it show, Neiman Marcus weighs in importantly on standing—but it’s not quite the free-for-all that potential defendants feared.

Plaintiffs in federal class-action lawsuits must demonstrate an “injury-in-fact” to confer subject matter jurisdiction on the court. This is known as Article III standing under the U.S. Constitution. In Neiman Marcus, the Seventh Circuit reversed the trial court’s dismissal of the case based on standing because it felt plaintiffs suffered sufficient harm to confer Article III standing.

Specifically, the district court had held that “to have standing, a litigant must ‘prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.’" The Seventh Circuit analyzed the meaning of “concrete and particularized injury,” holding that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” (Citing Clapper v. Amnesty Int'l USA). The court also held that plaintiffs’ risk-mitigating activity—reviewing credit reports and signing up for credit-monitoring services—was a concrete injury and conferred standing. It rejected all other theories of harm for standing purposes.

The Seventh Circuit has evoked its Neiman Marcus decision twice this year. In August, the court dismissed a case after holding that plaintiffs had Article III standing. In Tierney v. Advocate Health & Hosps. Corp., thieves stole four unencrypted computers containing four million patient records. Because the thieves attempted to access one plaintiff’s bank account and open a cellphone account in the name of another plaintiff, the court held that an injury-in-fact was established. The court went on, however, to affirm the district court’s dismissal of plaintiff’s Fair Credit Reporting Act claims and relinquishment of state law claims, which resulted in dismissal of the federal case.

In November, the Seventh Circuit revisited standing in an important case involving personally identifiable information. In Silha v. ACT Inc., plaintiffs alleged that defendant sold their personally identifiable information without telling them. The court held that plaintiffs failed to show an injury in fact, even assuming that the allegations regarding the defendant’s business model were correct. The defendant submitted plaintiffs’ personally identifiable information to potential colleges and universities on the plaintiffs’ behalf, but it charged the institutions for the data. Plaintiffs alleged that the defendant’s conduct caused them harm, but the Seventh Circuit held the fact that defendant profited from using plaintiffs’ personally identifiable information—even though plaintiffs did not share in the profit—was insufficient to confer Article III standing.

Two district courts outside the Seventh Circuit have cited Neiman Marcus this fall. In Smith v. Triad of Alabama LLC, plaintiffs were hospital patients who had personally identifiable information and protected health information stolen. The court held that they demonstrated an injury in fact for Article III standing because the thieves used the stolen data to file fraudulent tax returns in the names of some class members.

In Antman v. Uber Techs. Inc., the theft of names and driver’s license numbers was insufficient as a data breach to support a class-action lawsuit against Uber. Here, the plaintiffs brought the Neiman Marcus decision to the court’s attention, but the court held “[w]ithout a hack of information such as Social Security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.” As a result, there could be no Article III standing.

Standing may be easier for class-action plaintiffs to demonstrate if their data was hacked, but as these cases demonstrate, surviving a standing motion is not always as easy as commentators predicted it would be in the wake of Neiman Marcus.