Illinois Court Dismisses Data Breach Class Action For Lack of Standing

An Illinois court recently dismissed a consumer class lawsuit against Neiman Marcus related to a 2013 data breach for lack of standing due to failure to state a concrete injury. In the case, Remijas v. The Neiman Marcus Grp., LLC, the plaintiffs had brought a variety of claims, including claims of negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, and invasion of privacy. They alleged that the retailer had failed to adequately protect against a security breach, and failed to timely provide notice of the breach. They asserted that they were injured by the increased risk of fraudulent credit card charges and identity theft, as well as by the time and money associated with protecting them against these increased risks. Plaintiffs also alleged that they were injured by paying a premium on goods sold by Neiman Marcus, and that this premium should have paid for adequate safeguards from data breaches. Turning to the U.S. Supreme Court case in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), the court first found that potential future fraudulent charges were sufficient to be “imminent” under the standard, but determined that both present and future charges were not sufficiently “concrete.” Moreover, the court noted, consumers with fraudulent charges arguably could be reimbursed for those charges: they had made no allegations that the charges were not reimbursable. As to the future risk of identity theft, the court held that plaintiffs did not sufficiently allege that the customers faced a “certainly impending risk of identity theft.” The court also rejected plaintiffs’ allegations that the time and money associated with protecting themselves against these risks was not a cognizable Article III injury. Likewise, the court rejected plaintiffs’ “creative” sales premium theory as adequate data breach protective measures were not intrinsic to the actual products purchased. Finally, the court rejected allegations that the loss of control of customer’s private information were injuries as these injuries were not sufficiently pled.

TIP: While some courts – like this one – have found that plaintiffs’ risk of future harm is insufficient to establish standing, not all courts have followed this reasoning. [See, e.g. In re Adobe Sys., Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014).] This case is thus a reminder for companies to evaluate their data security protection measures.