A consumer uses her credit card to make a purchase at a major retailer. Six months later she’s notified that, due to a recent hack on the retailer’s computer systems, her credit card number has been stolen. She quickly checks her accounts but there’s no activity. All is quiet over the next few weeks. Nonetheless, she’s nervous. She cancels the credit card and enrolls in a $4.99/month credit monitoring service.
Based on these facts, should this consumer be able to join a class action suit against the retailer for the data breach?
Until recently, the answer most likely would have been no. Consumer class actions were barred from bringing a federal suit because they lacked “imminent “ injury for Article III standing, a standard taken from Clapper v. Amnesty International. After all, many retailer defendants argued, no actual I.D. theft or fraudulent credit card charges had occurred.
Enter Remijas v. Neiman Marcus Group, LLC, in which the Seventh Circuit Court of Appeals accepted the argument that harms “associated with resolving fraudulent charges and protecting oneself against future identity theft” did in fact produce “imminent injuries” sufficient for standing, namely those “associated with resolving fraudulent charges and protecting oneself against future identity theft.”
To many, Remijas is a watershed ruling, one through which the Article III standing door might be opened.
Compounding Remijas is Spokeo v. Robins, which is expected to be a significant U.S. Supreme Court decision on the scope of standing for “digital injuries.” Recently argued, Spokeo has “the potential to redefine standing in federal court” on whether Congress can confer Article III standing by authorizing a private right of action based on a violation of a federal statute to a plaintiff who has suffered no concrete harm. Without such an endowment, the plaintiff would not otherwise be able to invoke federal jurisdiction.
This matters for data breach cases because if the Court finds that Congress can create a private right action regardless of evidence of “concrete harm,” a sympathetic legislature could codify that the personal experiences of customers involved in data breaches should warrant a putative private right of action. Thus, this decision would work in tandem with Remijas as another arrow in a customer’s proverbial quiver against the retailer.
And, the potential fallout of Spokeo could go farther than digital harms. Any industry worried about being sued by customers without concrete injury should be watching.
Editors note: The early days of Spokeo were covered this past summer, you can read that article here.