On September 15, 2015, the court hearing In re Target Corporation Customer Data Security Breach Litigation, No. 14-md-02522 (D. Minn.) certified a nationwide class of financial institutions that issued payment cards compromised in a data breach of Target computer systems. See No. 14-md-02522, Dkt. No. 589 (D. Minn. September 15, 2015). In addition, the court certified Kessler Topaz as Co-Class Counsel. The Target case arose from the breach of Target’s computer systems in late 2013, allowing hackers to gain “virtually unfettered access” to the system and extract the financial information of more than 40 million customers. See id. at *1. The financial institution plaintiffs in the Target case issued payment cards such as credit and debit cards to customers who used those cards at Target stores while the 2013 data breach was taking place. They brought claims against Target for negligence and violations of Minnesota’s Plastic Security Card Act, Minn. Stat. § 325E.64, in connection with the losses they incurred in notifying customers of the breach, reissuing cards, and reimbursing customers for fraudulent transactions, among other things. In a reasoned opinion rejecting multiple arguments by Target as to why a class of institutions should not be certified, the District Court held that the institutions’ claims satisfied the requirements of Rule 23 of the Federal Rules of Civil Procedure and that certification is therefore appropriate. Notably, the court cited Target’s own practice of reissuing cards as one of its reasons for granting class certification. See id. at 7-8 (“What Target suggests is that, because there was no requirement to act, financial institutions should have done nothing in the face of dire alerts regarding the data breach issued by the card-issuing companies and by Target itself and the known potential consequences for the institutions’ customers. The absurdity of this suggestion is evident from the fact that Target itself reissued all of its [store-branded] cards, both debit and credit, in the weeks after the breach.”). The Target certification order represents the first time that a nationwide class of financial institutions has been certified in a data breach case, providing financial institutions an important means to recover their losses.
The Target case follows a recent trend of courts expanding victims’ rights in data breach cases. For example, on July 20, 2015, the Seventh Circuit issued an opinion in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), explaining that consumers whose card data have been stolen have standing under Article III of the U.S. Constitution to sue in federal court, even if their stolen information has not yet been fraudulently used.[1] That opinion reflects an important shift in how courts apply Constitutional standing principles in data breach litigation, and will allow customers to bring claims following a data breach. Similarly, on August 24, 2015, the Third Circuit issued a decision in FTC v. Wyndham Worldwide Co., ___ F.3d ___, 2015 WL 4998121 (3d Cir. August 24, 2015) recognizing that the Federal Trade Commission (“FTC”) has the power to regulate companies’ cybersecurity practices under the “unfair practices” prong of the Federal Trade Commission Act, 15 U.S.C. § 45 (the “FTC Act”). The Wyndham opinion is critical in that it puts companies on notice that they may be subject to an action by the FTC if they fail to adequately protect customer data.
Over the past two years, defendants in data breach cases have cited the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), which held that allegations of future injury can establish Article III standing only if that injury is “certainly impending,” and that “allegations of possible future injury are not sufficient.” 133 S. Ct. at 1147 (emphasis added). Although Clapper did not arise from a data breach, certain courts have read the case to mean that data breach victims cannot sue for the loss of their information until their information has actually been fraudulently used. See, e.g., In re Barnes & Noble Pin Pad Litigation, 2013 U.S. Dist. LEXIS 125730, at *8 (N.D. Ill. Sept. 3, 2013) (citing Clapper and stating that “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing”).
The Neiman Marcus case represents an important departure from this approach to Clapper. The Neiman Marcus case arose from the theft of approximately 350,000 credit card numbers from customers of the high-end department store between July 2013 and October 2013, causing approximately 9,200 of those customers to find fraudulent charges on their accounts. Neiman Marcus reimbursed its customers for the fraudulent charges, and offered credit-monitoring services to all 350,000 customers whose information was stolen. A class action complaint was thereafter filed against the company, alleging claims for negligence, breach of implied contract, unfair and deceptive business practices, and violations of multiple state data breach laws, inter alia, on behalf of the 350,000 customers whose credit card information was stolen. Neiman Marcus argued that the plaintiffs in that case lacked standing under Clapper because it had reimbursed the members of the class whose information had already been fraudulently used, and the remainder of the class had not yet been victims of identity theft.
The Seventh Circuit rejected Neiman Marcus’s position, noting that “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Neiman Marcus, 794 F.3d at 693 (quoting Clapper, 133 S. Ct. at 1147). In addition, the Seventh Circuit observed that requiring plaintiffs to wait until the threatened harm materialized “would create a different problem: the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not fairly traceable to the defendant’s data breach.” Id. (internal quotation marks and citation omitted). As for customers who had already been reimbursed by Neiman Marcus for fraudulent charges, the court recognized that further “unreimbursed fraudulent charges and identity theft may happen in the future,” and so those plaintiffs could maintain their claims in spite of the reimbursement. Id. at 692. Moreover, in regard to the likelihood that fraudulent charges would be incurred by class members, the Court aptly stated that “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Id. In this vein, the court held that costs incurred by class members to obtain identity-theft protection are also “easily qualifie[d] as a concrete injury” because, under Clapper, such mitigation expenses constitute a compensable injury where the risk being mitigated is imminent. Id. at 694. Thus, the court reasoned, “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach” such that the plaintiffs had standing to bring claims against the company. Id. at 693.
Separately, in the Wyndham case, Wyndham Worldwide Corp. (“Wyndham”) suffered three serious data breaches in 2008 and 2009, in which hackers stole the personal and financial data of more than 619,000 consumers, leading to more than $10.6 million in fraudulent charges. See 2015 WL 4998121, at *1. The FTC brought an action against Wyndham for alleged unfair practices that made customers vulnerable to the attack, including, inter alia: storing consumer payment card information in clear unencrypted readable text; failing to use firewalls; failing to adequately restrict the access of third-party vendors to the company’s servers; and failing to take reasonable measures to detect and prevent unauthorized access to the company’s computer network. In fact, Wyndham did not even learn of the hacks until 2010 when a credit card company received complaints from cardholders. Despite these failures, Wyndham had advertised to customers that it maintained “industry standard” practices to safeguard customer financial information. Based on this conduct, the FTC alleged in its action that Wyndham’s cyber-security practices “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” and constituted an unfair business practice in violation of the FTC Act.
Wyndham argued first that the FTC’s action should be dismissed because the FTC Act’s definition of “unfair” practices does not include Wyndham’s alleged cyber-security failings. The court began with the basic three-part test for determining whether a practice is unfair: (i) the practice causes or is likely to cause substantial injury to consumers; (ii) the injury cannot reasonably be avoided by consumers; and (iii) the injury is not outweighed by countervailing benefits to consumers or competition. Wyndham, 2015 WL 4998121, at *5. Wyndham asserted that these elements alone are not sufficient to make a claim under the FTC Act, and that the FTC must also show that the practice was “unethical.” The court rejected Wyndham’s argument as inconsistent with Supreme Court precedent, but nevertheless found that the argument was moot in Wyndham’s situation because “[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Id. at *5. The court also rejected a separate argument by Wyndham that a company’s practices cannot be unfair when the company itself is a victim of hacking, because Wyndham “offer[ed] no reasoning or authority” to support that position, and in addition “the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” Id. at *6. Lastly, the court rejected Wyndham’s argument that the history of the FTC Act demonstrated Congress’s intent that the Act not apply to companies’ cybersecurity practices. Id. at *7-9.
Thus, although the court did not make an ultimate determination as to whether Wyndham committed unfair practices in violation of the FTC Act, the Third Circuit rejected Wyndham’s assertion that “its conduct cannot be unfair,” and allowed the FTC’s action to proceed. Id. at 9.
These cases represent a turning point in the way courts approach certain important issues in data breach cases. Critically, the District Court’s landmark certification order in Target establishes that nationwide classes of financial institutions are able to obtain relief from companies on a class-wide basis for the disclosure of sensitive data. Additionally, the Seventh Circuit’s opinion in Neiman Marcus assures investors that they do not need to wait until after their financial information has been fraudulently used before bringing an action against the company that failed to adequately protect their data. This will help ensure that customers are properly compensated for their losses and companies are held accountable for their actions. Finally, the Third Circuit’s opinion in Wyndham puts companies on notice that they will face a potential action by the FTC if their data protection procedures fail to properly safeguard customer information. Taken together, the cases reflect a growing trend in favor of plaintiffs in data breach litigation and more firmly incentivize companies to ensure that they have robust data protection practices in place.
[1] Article III limits the power of federal courts to hear only certain “cases” and “controversies.” See Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1146 (2013). One corollary of that provision is to require that plaintiffs suffer an injury that is “concrete, particularized, and actual or imminent” before they have standing to bring claims in federal court. Id. at 1147.