BreachExchange mailing list archives

The Seventh Circuit Revisits Standing for Data Breach Class Actions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Feb 2016 17:25:59 -0700

http://www.jdsupra.com/legalnews/the-seventh-circuit-revisits-standing-58047/

One obstacle for named plaintiffs in proposed data breach class actions is
the extent to which plaintiffs must allege an injury-in-fact to have
standing. Disputes often arise about whether proactive efforts to mitigate
against the potential misuse of stolen data, such as utilizing credit
monitoring services, are sufficient to confer Article III standing. Since
the U.S. Supreme Court issued its decision in Clapper v. Amnesty
International USA, 133 S. Ct. 1138 (2013), which held that standing could
not be established if the speculative danger of possible future acts was
not “certainly impending,” federal courts have dismissed many putative
class actions arising out of data breaches for a lack of standing. These
courts have applied Clapper to conclude that a data breach alone does not
constitute an injury, and evidence regarding the potential future misuse of
data is often too attenuated to confer standing.

The Seventh Circuit, however, recently bucked that trend in Remijas v.
Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), which held that
plaintiffs may have standing without alleging actual misuse of their stolen
data. Our sister blog, the Data Privacy Monitor, recently discussed Remijas
here (http://www.dataprivacymonitor.com/data-breaches/significant-developments-in-privacy-class-actions-in-2015-and-what-to-watch-for-in-2016/).
In Remijas, hackers allegedly gained access to payment card data for
350,000 Neiman Marcus customers, 9,200 of whom experienced fraudulent
charges on their payment cards (all were reimbursed). The Seventh Circuit
reversed the district court’s order dismissing the case for lack of
standing, determining that the theft of data necessarily implied harm
because the misuse of data was the only plausible explanation for the data
breach. Moreover, the court used the fact that Neiman Marcus purchased
credit monitoring or identity theft protection services for affected
customers to support this conclusion, noting that Neiman Marcus would not
have done so if the risk could be disregarded. And so, Remijas concluded,
the purchase of mitigation services for those who had not yet alleged
unauthorized charges was not “speculative” but was sufficiently concrete to
confer standing.

The Seventh Circuit is now revisiting Remijas in Lewert v. P.F. Chang’s
China Bistro, Inc., Case No. 14-3700. In Lewert, two plaintiffs alleged
that nearly 7 million payment cards used to make purchases at 30 P.F.
Chang’s restaurants were compromised due to a breach dating back to 2013.
Although both plaintiffs made purchases at the defendant’s restaurants,
neither plaintiff alleged that they dined at the 30 restaurants involved in
the breach. One of the plaintiffs alleged that there were four attempts to
make fraudulent charges on his account, although all charges were declined
by his bank, and he was promptly issued new payment cards. The other
plaintiff did not allege any attempt to make unauthorized charges on his
account. Prior to Remijas, the district court granted P.F. Chang’s motion
to dismiss for lack of standing. Lewert v. P.F. Chang’s China Bistro, Inc.,
No. 14-CV-4787, 2014 WL 7005097, at *1 (N.D. Ill. Dec. 10, 2014). The
Lewert plaintiffs appealed, and the Seventh Circuit ordered the parties to
specifically address the application of Remijas to their case.

The parties have briefed their positions, and oral argument was held on
January 13, 2016. The plaintiffs maintain that the alleged infiltration of
the defendant’s payment system may not be limited to the 30 restaurants
identified by P.F. Chang, and could include the restaurants where the
plaintiffs dined. The plaintiffs also pointed to indications that some
information, purportedly stolen from other P.F. Chang customers, had been
sold on the black market. Thus, relying on Remijas, the plaintiffs
concluded that the data breach itself created an impending and substantial
risk of future harm sufficient to confer standing.

The Seventh Circuit has an opportunity in Lewert to refine Article III
standing requirements in data breach cases. Whatever the outcome, the
decision promises to be an important one for the data breach class action
defense bar.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/