Data breaches are on the rise. So is the number of breach-related class actions.

At plaintiffs' class action firms, the basic facts are assumed, the complaints are drafted, and the claims are ready to file before a breach ever happens. When a breach occurs, the lawyers race to file first. But what happens then?

Until recently, the answer was that the plaintiffs lost more often than not. Why? Courts found that someone who was not harmed by the breach did not have "standing" to sue because he was not personally affected by the challenged conduct.

Many observers were starting to think that the threat of litigation surrounding breaches wasn't as bad as everyone thought. The Seventh Circuit Court of Appeals, in Chicago, may have changed that perception with its July 20, 2015 decision in Remijas et al. v. Neiman Marcus Group, LLC.¹

Neiman Marcus suffered an ongoing breach over the second half of 2013; 350,000 credit card records were stolen. The company discovered the breach in December but said nothing to affected consumers until January. Almost 10,000 of the hacked accounts had fraudulent charges. Other cardholders claimed that they purchased credit monitoring, so they could track their accounts going forward. The rest were unaffected, or at least were not aware of any actual harm. The trial court threw out the case. The Seventh Circuit reversed, establishing a more forgiving standard for standing than other courts have applied in other similar cases.

Rejecting the argument that credit card issuers typically cover fraudulent charges, so consumers were not harmed, the court found that customers whose cards showed fraudulent charges had a tangible injury and thus standing to sue. The court also concluded that purchasing credit monitoring was sufficient to show a real injury, reasoning that by offering victims a year of free credit monitoring, Neiman's proved the point that the threat of fraudulent charges was real (why else would Neiman's do it?). Finally, the court noted plaintiffs' claims that Neiman's deliberately delayed disclosing the breach until after the holiday shopping season, allowing hackers to use the stolen data before cardholders even knew they were at risk. The court also echoed the old "Needless Markup" moniker by remarking that Neiman's should have put more of the money it earned selling overpriced merchandise into its data security and less into its corporate pockets.

The court distinguished data breach cases from recent cases in which courts found that plaintiffs lacked standing to sue.

First, the Seventh Circuit distinguished a Fair Credit Reporting Act case now before the Supreme Court involving the people-finder site Spokeo. In that case, the plaintiff alleged FCRA violations because Spokeo inaccurately described him as better educated and wealthier than he actually was, and said he was married when in fact he was single. The FCRA includes provisions calling for penalties, apart from actual damages, when a firm knowingly violates its guidelines. The Spokeo plaintiff filed a classic gotcha case: the information was wrong, but he suffered no harm (unless, perhaps, calling him married is cramping his lifestyle). Most expect the Supreme Court to say that a technical statutory violation with no attendant harm is not sufficient to create Article III standing. The Seventh Circuit preempts later arguments that Spokeo overrules the Neiman's decision by saying that the Neiman's case involves far broader and more concrete allegations of harm than those alleged in Spokeo.

Second, the court discussed the Supreme Court's decision in a case filed by political activists challenging the post-9/11 warrantless wiretap program. The Supreme Court said that without proof the plaintiffs actually had been tapped they did not have the right to sue—even though the reason they could not show they had been tapped is because the government refused to tell them. The Neiman's case is different, the court concludes, because many of these plaintiffs know that they have been harmed.

So what does this mean? Plaintiffs are happy; companies are not. The court sets a clear, straightforward standard that makes it easier for plaintiffs to survive an initial motion to dismiss, and is likely to be highly influential nationwide. The majority of data breach class actions are filed in Chicago and in the federal courts in San Francisco and Silicon Valley, and decisions stating clear rules in this area are likely to be followed in other circuits.

The opinion does not decide whether cases filed as class actions will actually proceed as such, because companies still can argue that whether any particular person suffered harm requires a review of individual facts. That argument typically leads courts to say that plaintiffs cannot proceed as a class. Often, though, the big win for plaintiffs in these cases is surviving a motion to dismiss, allowing them to take broad discovery that can lead to embarrassing facts about the lack of data protection, absent or inadequate breach response planning, and, if it proves true, that the company deliberately delayed notifying consumers out of fear about the holiday shopping impact. That is the kind of reputational harm that companies can't fix.

Footnote

1. Case 14-3122 (7th Cir. 2015)
