Seventh Circuit rejects commonly cited data breach defense

Posted on: August 6th, 2015 by Steve Larson

Data SecurityThe Seventh Circuit has held that Neiman Marcus customers affected by a hacking incident are likely to suffer some form of future fraud.  This should curtail defendants’ use of a Supreme Court ruling that plaintiffs suing over a potential injury must prove impending certainty.  With its decision, the Seventh Circuit became the first federal appeals court to address whether the U.S. Supreme Court’s decision in Clapper v. Amnesty International — which held that plaintiffs suing over a future potential injury must show that it is “certainly impending” — applies in a data breach suit.

While some courts have held that plaintiffs whose information has been compromised in a breach have sufficient standing, defendants have successfully used Clapper, which rejected a challenge to 2008 amendments to the Foreign Intelligence Surveillance Act, to have other suits tossed for failure to state a concrete injury. According to the plaintiffs bar, the circuit court decision will make it harder for them to do so.

The Seventh Circuit’s ruling overturned a district court’s dismissal of customers’ claims against Neiman Marcus over a 2013 data breach. The federal appeals court said the high court’s ruling in Clapper applied to a much more speculative situation, differentiating it from the breach that Neiman Marcus announced had occurred.

The case is Remijas et al. v. The Neiman Marcus Group LLC, case number 14-3122, in the U.S. Court of Appeals for the Seventh Circuit.