The Breach Problem
Many times a year we see news stories about the latest and largest electronic data breach. Some scandals revolve around the theft of extremely private Personally Identifiable Information (PII), like the user database of infidelity website Ashley Madison. Others directly target the wallets of millions of consumers, like the credit card security breaches at Target and Home Depot. Worldwide, more than 1,500 data breaches caused the loss of a billion records in 2014. Since 2013, over 1.25 billion records have been lost in the United States alone. The FBI’s Internet Crime Complaint Center (IC3) received over 250,000 complaints in 2014, totaling over $800 million in losses deriving from online fraud, scams, and data breaches. In 2014, total losses incurred due to credit card fraud were up 19% to over $16 billion. Clearly, the threat of data breaches is significant both in terms of total cost and the number of individuals affected.
Current Legal Protections
In the consumer sector, the Federal Trade Commission is tasked with enforcing consumer privacy standards. According to its website, it relies on “law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information[.]” Protecting Consumer Privacy, Federal Trade Commission, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy. The FTC has also recognized the value of civil litigation as a means of keeping companies focused on protecting their customers’ PII. It recently sued Wyndham Hotels under the unfairness prong of Section 5 of the FTC Act, after Wyndham failed to adequately secure its networks (among other lapses, payment card data was stored in clear text), resulting in the theft of over 600,000 customer records containing both personal and financial information; the Third Circuit upheld the FTC’s authority to bring such a claim. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). However, the FTC suing in civil court over a data breach, even if legally permissible, is a roundabout way of protecting consumers’ privacy, and it leaves the decision to sue entirely out of consumers’ hands.
A Precedential Roadblock
Without designated consumer privacy laws or security requirements from the federal government, many individual data breach victims were left with few options in pursuing compensation. While credit card companies generally reimburse consumers subject to actual fraud, this represents only a fraction of those affected by the loss of their data. Even those who did not incur fraudulent charges must spend considerable time changing their credit card or bank account information, and must be vigilant going forward to guard against the ongoing danger of identity theft. No matter how negligent a breached company was in protecting consumer data, these individuals were often unable to make use of class action lawsuits as courts repeatedly dismissed their attempts for failing to state a sufficient injury-in-fact for Article III standing.
Supreme Court precedent dealing with FISA surveillance (and having nothing to do with consumer protection) was invoked to hold that the possibility of future injury in these consumer data breach cases was insufficient for Article III standing. In Clapper v. Amnesty International, the Supreme Court addressed a challenge to FISA surveillance brought by US attorneys and human rights organizations whose work involved communications with foreign clients and contacts, who alleged injury based on “an objectively reasonable likelihood that their communications [would] be acquired at some point in the future.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1145 (2013). The Court held that “allegations of possible future injury are not sufficient”: a threatened injury must be “certainly impending” to constitute injury in fact, and must be “fairly traceable” to the challenged conduct, whereas the respondents’ arguments rested on a “highly speculative fear[.]” Id. This case has been a keystone of the defense in class actions arising from consumer data breaches, although the Seventh Circuit has given a strong indication that the courts are no longer willing to excuse corporate negligence with consumer data.
An Evolving Solution
The lawsuit arising from the breach of Neiman Marcus systems, in which 1.1 million credit cards were stolen, produced the first decision by a federal court of appeals in favor of Article III standing for consumer victims of a data breach. Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The plaintiffs claimed four distinct present injuries and two imminent injuries. In the former category are “1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) financial loss of buying items at Neiman Marcus they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.” The two imminent injuries are “increased risk of future fraudulent charges and greater susceptibility to identity theft.” Id. at 692.
The court addressed the imminent injuries first, and applied the reasoning set out in previous district court cases, such as In re Adobe, to the effect that the theft of one’s credit card information, which is then made available to others to use, is factually distinct from Clapper. Id. In Clapper, there were no allegations that any surveillance had actually occurred, and a highly attenuated chain of five separate decisions and actions would have had to play out before an actual injury took place. In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014). Crucially, the Adobe court noted that the Supreme Court in Clapper had acknowledged, and declined to overrule, its own precedent that did not require literal certainty of future harm and that had granted standing where plaintiffs incurred costs to mitigate a “substantial risk” of future harm. Id. at 1213.
In Remijas v. Neiman Marcus, the Seventh Circuit reiterated and confirmed this distinction for the first time at the federal appellate level, and took matters a step further. Rather than require factual evidence that the stolen data was being misused, the court accepted the inference that the purpose of stealing credit card data is to make fraudulent charges or assume stolen identities, an inference supported by the 9,200 cards that had already incurred fraudulent charges. Remijas, 794 F.3d at 694. The court also drove home the point made in Adobe at footnote five: requiring consumers to wait until their data has actually been fraudulently used would be illogical, and would hand the defendant an unwarranted opportunity to argue that any later fraud is not “fairly traceable” to its breach. Id. at 693. While evidence supporting this inference is not irrelevant, demanding it at the pleading stage exceeds the plaintiffs’ burden, and their allegations were sufficient to survive the Rule 12(b)(1) motion to dismiss. Id.
As for the time and money lost resolving fraudulent charges and protecting against future identity theft, the Seventh Circuit found that mitigation expenses are a valid injury where the future harm they seek to prevent is sufficiently imminent, interpreting Clapper the same way the District Court did in In re Adobe. Id. at 694. The court went on to point out that Neiman Marcus itself clearly recognized the threat of future harm and the prudence of taking mitigating measures: it provided all affected customers with one year of credit monitoring and identity theft protection. Neiman Marcus would not have done so, the court reasoned, if “the risk [of fraud] is so ephemeral that it can safely be disregarded.” Id. Because the price of these services is not insignificant (about $225 per customer per year), the court concluded that it “easily qualifies as a concrete injury.” Id. Based on the combination of present and imminent harms, the Seventh Circuit reversed the District Court’s dismissal and established that these common injuries are sufficient for Article III standing in a data breach lawsuit.
While the Neiman Marcus decision is only a first step, it is a critical one. If consumers are to be allowed to form a class and seek greater protection of their private information from the companies they purchase goods and services from, the courts must continue to distinguish data breaches from FISA surveillance and grant Article III standing to consumer plaintiffs.