Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.

Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”

Neiman Marcus’s rehearing petition argues, among other things, that the panel’s reliance on the “objectively reasonable likelihood” standard for determining if a plaintiff has standing based on a potential future injury directly conflicts with a 2013 Supreme Court ruling, Clapper v. Amnesty International USA. In Clapper, the Supreme Court said plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” and the high court held that “the Second Circuit’s ‘objectively reasonable likelihood’ standard is inconsistent” with that requirement.

“By using an obviously wrong and overly lenient standard to determine whether the plaintiffs’ alleged future injuries provided standing, the panel committed a critical error,” Neiman Marcus’s petition argues.

In addition, Neiman Marcus argues that “there was no risk … that [plaintiffs] would be financially responsible for any fraudulent credit card charges,” and that breaches like that experienced by Neiman Marcus — which involved only payment card data and did not expose sensitive data such as Social Security numbers — “create no meaningful risk of identity theft.” Neiman Marcus’s petition also criticizes the panel for using the retailer’s offer of a year of free credit monitoring and identity-theft insurance to a broad group of customers — including customers whose data could not “conceivably” have been compromised in the breach — as evidence that the risk of injury to customers was sufficiently concrete. Such a holding “creates an unfortunate disincentive for companies to do so in the future,” Neiman Marcus wrote.

A rehearing is especially important in this case, the petition argues, because although the panel’s decision conflicts with rulings by the Third Circuit and “numerous district court decisions,” Neiman Marcus’s case is “the only appellate decision squarely considering a retail data breach in which only payment card data is stolen,” and thus “the opinion could well shape the law of standing in such cases for years to come.”

© 2015 Covington & Burling LLP

Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Arguments as to standing are grounded in Article III, Section 2 of the United States Constitution, which limits the jurisdiction of federal courts to “cases” or “controversies.”   To constitute a case or controversy, a claim cannot arise from a speculative or potential harm, but rather must concern an actual or imminent injury.  Thus, in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), the Supreme Court ruled that mere interception of private data – in that case, by the National Security Agency, through its wiretaps of telephone and email communications – did not confer standing to sue.  Clapper held that speculation that intercepted data might be misused did not confer Article III standing; actual use or misuse of the intercepted information was required.  Defendants in privacy cases, citing Clapper, have succeeded in dismissing data breach claims for lack of standing where data breach plaintiffs have not alleged actual misuse of their data.  See, e.g., Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013).

Home Depot’s brief in support of its motion to dismiss relies heavily on Clapper to support its argument that none of the named plaintiffs have suffered actionable injuries.  Home Depot contends that consumers could not have been injured when card issuers hold consumers harmless for fraudulent charges and Home Depot offered free credit monitoring to affected customers.  The Home Depot brief dismisses plaintiffs’ attempts to plead non-monetary harms, alleging that none of the alleged harms constitute injuries that are cognizable under Article III.  For example, some plaintiffs alleged that they suffered inconvenience and embarrassment as a result of temporarily frozen bank accounts.  According to Home Depot, in the absence of any out-of-pocket losses such alleged harms are not actionable injuries.  Some plaintiffs incurred out-of-pocket credit monitoring costs, but Home Depot takes the position that doing so was gratuitous in light of the free services offered by Home Depot.  Some plaintiffs also alleged out-of-pocket costs associated with fraudulent charges on their payment cards, but Home Depot contends that such injuries are not fairly traceable to Home Depot because such charges should have been covered by the card issuers.

There are also plaintiffs who alleged that they suffered identity theft.  Home Depot argues that such allegations should be rejected as implausible because, based on plaintiffs’ own allegations, the data theft did not result in the theft of social security numbers or date of birth information, both of which would be required to successfully steal an identity was not compromised in the HD data breach.

Although Home Depot makes strong arguments why plaintiffs lack standing, it is constrained to admit in its brief that the court hearing the Target data breach cases rejected an identical standing argument that and been advanced by Target.  In the opinion denying Target’s motion to dismiss, the court gave Target’s standing arguments cursory treatment, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  Although Target, like Home Depot, contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . ,” the court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.”

Home Depot characterizes the Target decision as an outlier that offers no support for its rejection of Target’s standing arguments.  Further, the Target decision did not rule out the possibility injuries alleged would not be fairly traceable to Target’s conduct, stating that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”  Although the settlement of Target’s consumer claims means that the proposition will not be tested in that case, the Target court’s recognition that injury matters for standing purposes provides some support for Home Depot’s position that the Target decision should be disregarded if it is apparent at the pleading stage that no injury has occurred.