A recent ruling from the 7th Circuit Court of Appeals – the first to find that consumers do suffer harm when their credit card information is stolen – may be headed back to appellate court after the defendant retailer accused the judges of “loose thinking.”
The 7th Circuit’s reversal in the lawsuit, brought against Neiman Marcus after a cyberattack, held that credit card holders have standing under Article III of the Constitution. Led by Chief Judge Diane Wood, the panel unanimously held the plaintiffs have enough for the complaint to proceed by having shown they are at risk for future injury even though fraudulent charges have been reimbursed.
Neiman Marcus has filed a petition for rehearing en banc in Hilary Remijas, et al. v. Neiman Marcus Group, LLC, 14-3122. The luxury retailer asserted the panel expanded the standard for Article III standing based on conclusory, speculative allegations.
“While some data breaches may pose actual risk of imminent identity theft and future injury, the panel’s loose thinking about the risks of a breach limited to payment cards … would expand federal jurisdiction to cases in which no actual injury or imminent injury exists … ” Neiman Marcus stated in its petition.
The 7th Circuit has not ruled on the petition but its decision is rippling through the federal circuit. It has been raised in cases against Wyndham Worldwide Corp., Barnes & Noble and Michaels Stores Inc.
Cybersecurity expert and Indiana University Vice President of Research Fred Cate said the Neiman Marcus case is “unbelievably important” because of how the judges responded but that the 7th Circuit reached the wrong decision. Almost every time victims of data breaches go to court, they either cannot prove they were injured or they cannot link their injury to a specific breach, he said. Therefore, the Chicago panel’s conclusion is not on legally sound ground.
Attorney Lynn Toops of Cohen & Malad did not agree. She described the ruling as good news for consumers and noted it was based on legal precedent.
“This is just the 7th Circuit following the law,” Toops said. “It follows Adobe, it follows Clapper and it follows some old case law from the 1940s. I don’t think the ruling is that far out there.”
Cohen & Malad is not involved in the Neiman Marcus complaint. However, it is representing plaintiffs in the data breach lawsuits against Target, Anthem and Medical Informatics Engineering Inc.
Timing the claim
A number of class-action lawsuits were filed after a data breach compromised potentially 350,000 credit cards used at the luxury retailer between July and October 2013. Neiman Marcus discovered the possible malware after customers notified the company of fraudulent charges on their credit card bills. A total of 9,200 credit cards were used fraudulently.
Neiman Marcus moved to dismiss the complaint on the grounds that the plaintiffs lacked standing and failed to state a claim. The U.S. District Court for the Northern District of Illinois, Eastern Division, granted the motion exclusive on standing grounds.
The plaintiffs countered they have standing because since the breach, they are at greater risk for future fraudulent charges and are more susceptible to identity theft.
Neiman Marcus pointed to the decision from the Supreme Court of the United States in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) which held future injuries must be “certainly impending” to satisfy Article III. In particular, the luxury retailer asserted none of the plaintiffs suffered injury because the fraudulent charges had all been reimbursed.
The 7th Circuit cautioned against over-reading Clapper. Unlike the plaintiffs in Clapper, it has already been established that the credit card information had been stolen and it is plausible to infer that the plaintiffs are at substantial risk of harm.
“… the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” Wood wrote for the 7th Circuit.
Although the 7th Circuit echoed conventional wisdom when it reasoned that stolen credit card numbers will be used for fraud, Cate said that conclusion is wrong. A vast majority of stolen data, he said, is never used. When cards are used, consumers are reimbursed for the charges.
The panel expressed their frustration but “they ignored a lot of reality,” Cate said.
If the petition for rehearing is granted, Cate believes the decision has a good chance of being overturned.
In its defense, Neiman Marcus pointed to the flood of data breaches that have hit other large-scale retailers. The plaintiffs could not show their injuries were the result of the Neiman Marcus incursion rather than a cyberattack of another company.
Toops noted the 7th Circuit spun that argument around and told Neiman Marcus to prove it. The court’s reasoning on this point handed the plaintiffs a “real bullet” to wave in the retailer’s face as the case proceeds, she said.
Answering Neiman Marcus’ argument, the 7th Circuit pointed to Summers v. Tice, 199 P2d 1, 5 (Cal. 1948) where the Supreme Court of California shifted the burden to the defendants who all claimed they were not responsible for shooting the plaintiff during a quail hunt.
“The fact that Target or some other store might have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue,” Wood wrote. “It is certainly plausible for pleading purposes that their injuries are ‘fairly traceable’ to the data breach at Neiman Marcus.”
To the point Neiman Marcus makes about the breaches that have occurred at other businesses, both Cate and Toops agreed the better answer would be for the companies to stop the hackers from accessing consumers’ credit card numbers and other personal information.
Cate suggested retailers should ask credit users for another form of identification and then look at it before allowing the purchase to be made. Currently, retailers are not requiring another form of identification or even matching the signatures.
So consumers are turning to the courts for remedy. The theory is the lawsuits will provide an incentive for retailers to protect their payment systems so they do not have to pay victims and attorneys.
Cate said Congress, rather than the courts, needs to act to help protect consumers. However, Toops said as data breaches have become more common and severe, people need the judicial system. Court is the avenue to protect consumers and compensate for wrong doing, she said.•