Once again, a court finds that data breach plaintiffs do not have the requisite Article III constitutional standing to pursue civil action against a retailer – itself the victim of a cyber attack.
Last week, the United States District Court for the Northern District of Illinois, Eastern Division granted high-end retailer Neiman Marcus’ 12(b)(6) motion to dismiss a lawsuit arising out of a data breach the company suffered in 2013.
In Remijas v. Neiman Marcus Group, Plaintiffs brought an action against Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violations of several state data breach acts.
In 2013, hackers breached Neiman Marcus’ computer network, resulting in the potential disclosure of 350,000 customers’ payment card data and personally identifiable information. Of the payment cards that may have been affected, it appeared that about 9,200 were subsequently used fraudulently elsewhere. Plaintiffs were among the 350,000 customers and alleged that Neiman Marcus failed to adequately protect customer data from breach, and failed to provide timely notice of the breach after it occurred.
Plaintiffs set forth a buffet of damages to satisfy Article III standing requirements. First, Plaintiffs argued that they have been exposed to an increased risk of future fraudulent credit card charges, and an increased risk of identity theft. Next, Plaintiffs sought damages including the loss of time and money associated with resolving actual or potential fraudulent charges and protecting themselves against the risk of future identity theft. Plaintiffs next argued that the loss of control over and value of their private information constituted cognizable harm. Finally, Plaintiffs argued that they overpaid for the merchandise they purchased because they presumed that the price included a premium for strict data security measures and that they wouldn’t have purchased these products at these prices had they known of Neiman Marcus’ purported misconduct.
Neiman Marcus argued that none of these asserted injuries is sufficient to establish Article III standing. The Court agreed.
The Court began by finding that allegations of increased risk of future potential harm may suffice to establish Article III “injury in fact” standing, but the future harm must be “certainly impending” and something more than merely marginal increases in the risk of future injury.
In Neiman Marcus, the overwhelming majority of the plaintiffs alleged only that their data may have been stolen.
However, approximately 2.5 percent of the affected class (9,200) had actually established that fraudulent charges appeared on their credit cards. The Court found a plausible inference of an “injury-in-fact” as to the 9,200 consumers that actually experienced fraudulent charges. Additionally, it found that the remainder of the 350,000 class satisfied the “certainly impending” risk of seeing similar fraudulent charges.
However, the Court did not permit a plausible inference that any of the 350,000 (including the 2.5 percent of those that experienced fraudulent charges) were at a “certainly impending” risk of the other future injury claimed by Plaintiffs — identity theft.
Even after the Court found that the increased risk of future fraudulent charges was “certainly impending,” Plaintiffs still had to satisfy their burden to establish that their injury was concrete, particularized, and, if not actual, at least imminent. The Court found that while the potential future fraudulent charges were sufficiently “imminent,” both injuries (present and future) were not sufficiently concrete.
In this regard, the Court pointed out that the Plaintiffs were not ultimately financially responsible for any of the fraudulent charges since they were reimbursed by their respective institutions. Without a more detailed description of attendant hardship, the Court found that the increased risk of future fraudulent charges alone did not satisfy Article III standing.
The Court dispensed with Plaintiffs’ other damages assertions as well. The Court rejected Plaintiffs’ argument that paying a premium on retail goods purchased at the store for adequate data breach security measures constituted an “injury-in-fact,” because Plaintiffs could not establish any deficiency in the goods purchased or their value. In other words, there was no financial harm to Plaintiffs in the sales transaction.
The Neiman Marcus decision joins the other recent jurisprudence finding that the threat of future potential harm from a data breach is insufficient to confer Article III standing even when some of the plaintiff class actually suffered fraudulent charges (presumably) stemming from the data breach. Standing requires that such charges were unreimbursed (i.e., that the consumers were financially responsible for fraudulent charges) and/or “identity theft.”