(Reuters) - Three years ago, the 7th U.S. Circuit Court of Appeals upended data breach class action litigation when it ruled in Remijas v. Neiman Marcus (794 F.3d 688) that consumers whose confidential information has been stolen by hackers have constitutional standing to sue. The 7th Circuit was the first federal appellate court to reject defense arguments that data breach victims hadn’t suffered enough of an injury to satisfy the standing requirements the U.S. Supreme Court established in 2013’s Clapper v. Amnesty International (568 U.S. 398). Neiman Marcus proved to be a harbinger: After the 7th Circuit decision, the 3rd, 6th, 9th and D.C. Circuits have all agreed that data breach victims have standing to bring class actions, despite Clapper. The 4th and 8th Circuits still aren’t convinced, but the emerging appellate consensus is that the 7th Circuit was right in Neiman Marcus.
Will we look back three years from now and say the same thing about a data breach decision the 7th Circuit issued Wednesday?
The appeals court revived a class action (2018 WL 1737128) against Barnes & Noble by consumers whose debit card information was exposed in a 2012 hack, holding that the named plaintiffs adequately alleged an injury under state consumer protection laws. Chief Judge Diane Wood and Judges Frank Easterbrook and David Hamilton rejected Barnes & Noble’s argument that none of the supposed injuries – lost time, impeded access to bank accounts and the cost of credit monitoring services – met pleading standards.
Judge Easterbrook, writing for the panel, said Barnes & Noble’s argument was just a different version of data breach defendants’ challenges to plaintiffs’ constitutional standing – and was equally futile in the context of a motion to dismiss for failure to state a claim. “This seems to us a new label for an old error,” the opinion said. “To say that the plaintiffs have standing is to say that they have alleged injury in fact, and if they have suffered an injury then damages are available (if Barnes & Noble violated the statutes on which the claims rest)...These injuries can justify money damages, just as they support standing.”
I suspect the decision is going to be controversial. Barnes & Noble’s brief to the 7th Circuit includes a long list of decisions in which courts have tossed data breach class actions for failure to state a claim even if plaintiffs met standing requirements. The 8th Circuit’s 2017 ruling in Kuhns v. Scottrade (868 F.3d 711), for instance, affirmed the dismissal of a class action by plaintiffs whose confidential information was stolen by hackers who broke into the brokerage’s database. Those hackers actually used the information to set up a fake brokerage and illegal gambling operations, but the 8th Circuit said (among other things) that the complaint failed to allege actual damages. “Massive class action litigation should be based on more than allegations of worry and inconvenience,” the 8th Circuit said.
The lead plaintiffs in the Barnes & Noble class action are from California and Illinois, so Barnes & Noble also cited rulings from those jurisdictions that cast doubt on the adequacy of the alleged injuries under California and Illinois consumer laws. In 2016’s Dugas v. Starwood Hotels (2016 WL 6523428), San Diego federal judge Gonzalo Curiel dismissed state-law claims by data breach plaintiffs, holding that the theft of their personal information is not “a loss of money or property.” The Starwood opinion highlighted that injury allegations sufficient to establish standing don’t necessarily state an adequate claim.
Illinois rulings, meanwhile, have explicitly said that the purchase of credit monitoring services does not give data breach plaintiffs a claim strong enough to survive dismissal. “There is a subtle but important distinction between whether an injury gives a litigant standing and whether the same injury gives rise to a legal claim upon which relief may be granted,” wrote U.S. District Judge Elaine Bucklo of Chicago in 2014’s Moyer v. Michaels Stores (2014 WL 3511500). “Illinois courts have rejected the argument that an elevated risk of identity theft constitutes actual damage (and) Moyer’s purchase of credit monitoring protection also falls short of constituting an economic injury under Illinois law.”
The 7th Circuit, obviously, was unconvinced. In the Barnes & Noble ruling, it said lower state and federal courts were wrong about the adequacy of an Illinois state-law claim based on the purchase of credit monitoring (and predicted the Illinois Supreme Court would agree). “A monthly $17 out of pocket is a form of ‘actual damage’,” the opinion said. “It is real and measurable; Illinois does not require more.”
And California consumer protections justify a claim based on lost time and lost access to funds, the appeals court said. “Losing the use of money for three days may be a trifle to some people (though to others it may be a calamity), but a trifling loss suffices under California law,” the 7th Circuit said. “And state courts have said that significant time and paper-work costs incurred to rectify violations also can qualify as economic losses.”
I emailed Barnes & Noble lawyer Kenneth Chernof of Arnold & Porter Kaye Scholer and plaintiffs’ lawyer Erich Schork of Barnow & Associates to ask about the impact of the 7th Circuit decision. I didn’t immediately hear back from either.