9th U.S. Circuit Court of Appeals,
Constitutional Law,
Civil Litigation
Aug. 14, 2015
Data holders must prepare for lawsuit wave after ruling
A federal Court of Appeals recently said victims of data breaches need not allege that their money or their identity were stolen to have standing to sue the entity that held their data.
Erik S. Syverson
Syverson, Lesowitz & Gebelin LLP
2029 Century Park E, Ste 2910
Los Angeles, CA 90067
Phone: (310) 341-3076
Fax: (310) 341-3070
Email: eriksyverson@syversonlaw.com
Loyola Law School; Los Angeles CA
Scott M. Lesowitz
Syverson, Lesowitz & Gebelin LLP
8383 Wilshire Blvd, Ste 520
Beverly Hills, CA 90211
Email: scott@syversonlaw.com
Harvard University Law School; Cambridge MA
From Home Depot to Anthem to the federal government, high-profile breaches of personal data are proliferating. Must victims of data breaches allege that their money or their identity were stolen to have standing to sue the entity that held their data? The 7th U.S. Circuit Court of Appeals recently answered no. Holders of consumer information should prepare for an avalanche of class actions.
We previously wrote about this issue, focusing on In re Adobe Systems Inc. Privacy Litigation, 66 F.Supp.3d 1197 (N.D. Cal. 2014), and Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646 (S.D. Ohio, 2014). In re Adobe found that data breach victims need not allege theft of funds or misuse of personal information to have Article III standing. Galaria found the opposite.
A key question in the 9th Circuit is whether Krottner v. Starbucks Corp., 628 F.3d 1139 (2010), was abrogated by Clapper v. Amnesty International, 133 S. Ct. 1138, 1147 (2013).
In Krottner, a thief stole a computer from Starbucks that contained unencrypted names, addresses and Social Security numbers of approximately 97,000 employees. None of the named plaintiffs alleged that property was stolen from them. The 9th Circuit found the threat of future identity theft to be a sufficient injury-in-fact. It said there was a "credible threat of harm" that was "both real and immediate, not conjectural or hypothetical."
Clapper found that human rights activists lacked standing to sue to overturn amendments to the Foreign Intelligence Surveillance Act. The likelihood that the plaintiffs would be spied upon, the Supreme Court said, was too speculative.
The Supreme Court said the 2nd Circuit's "objectively reasonable likelihood" standard for injury-in-fact was too low. To satisfy Article III, it held, an alleged injury that has yet to occur must be "certainly impending." But Clapper contained a footnote noting that prior Supreme Court cases found standing based on a "substantial risk that the harm will occur."
In Remijas v. Neiman Marcus Group LLC, 14-3122 (July 20, 2015), the 7th Circuit became the first appellate court since Clapper to address whether data breach victims have standing even if they cannot allege that the hackers stole their funds or identity. The credit card information of potentially 350,000 Neiman Marcus customers was exposed to hackers, and roughly 9,200 credit cards were used fraudulently. Social Security numbers and birth dates had not been compromised.
The plaintiffs brought a nationwide class action on various grounds including negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy and violation of multiple state data breach laws.
The 7th Circuit reversed the district court's granting of Neiman Marcus' motion to dismiss for lack of standing. It quickly found that the class members whose credit card information was misused had standing, even though they were reimbursed for the unauthorized charges. Those victims suffered the "aggravation and loss of value of the time needed" to undo the effects of the unauthorized charges.
Neiman Marcus focused primarily on the victims who could not allege that the hackers misused their credit card information. The 7th Circuit found that Clapper did not replace the "substantial risk" of harm test for standing and discussed approvingly In re Adobe.
The 7th Circuit said the victims whose information had not been misused suffered two categories of injuries that satisfied Article III. One was the substantial risk of misuse of credit card information in the future since hackers act to profit from the data they access, and a government report cited by the court shows identity theft could occur over a year after a data breach. Second, the victims had already suffered injuries in lost time and money protecting themselves against future identity theft and fraudulent charges.
Other alleged injuries were unlikely to provide standing on their own, but the court noted this was dicta. Such theories included that the plaintiffs would not have shopped at Neiman Marcus, or would have paid less for their purchases, if they knew of Neiman Marcus's inadequate cybersecurity. Another "dubious" theory was that Neiman Marcus was unjustly enriched by "pocket[ing]" money that it should have spent on cybersecurity. And the court doubted that loss of private information is an "intangible commodity," the theft of which constitutes a concrete injury.
The 7th Circuit rejected two factual arguments of Neiman Marcus. One was that the hacking of another entity might have caused the plaintiffs' data to be exposed. The other was that banks would invariably reimburse victims.
After Neiman Marcus, district courts will likely find standing in similar cases, at least in the 7th and 9th Circuits. So how should data holders respond?
(1) Invest in good cybersecurity and forensic tools. The cybersecurity hygiene of many companies that have been hacked has often been poor. Data breaches are unavoidable, but with good hygiene, liability can be reduced greatly. Additionally, robust forensics allows companies to severely limit potential plaintiff class size.
(2) Buy adequate insurance. Defending against a class action is inherently expensive and risky.
(3) Promptly publicize any breach, notify customers, and offer customers free anti-identity theft services in order to help mitigate damages and create a positive image. Also, disclosure will likely be required by law. Cal. Civ. Code Section 1798.29.
(4) Discuss with counsel the intricacies of the law regarding maintenance of personal data and development of a cybersecurity plan. See, e.g., Cal. Civ. Code Section 1798.81.5. Directors and officers need to understand how to effectively question and monitor the CIO in order to identify and limit existing risk in real time. A data security ombudsman may need to be appointed as well.
In the coming years, companies will likely not be able to knock out data breach class actions with Rule 12 motions. With proper foresight and strategic thinking, however, companies can prevail with early summary judgment motions or at the class certification stage.