September 28, 2015

Redefining “Injury”—One Giant Step for Cyber Breach Plaintiffs

 Class action suits over stolen customer information were quickly becoming the next big thing in litigation. Companies, including Target, were in the crosshairs of plaintiffs’ attorneys hoping to score big off of the threat of identity theft and fraud, thanks to data breaches that have exposed personal information of hundreds of millions of customers. In 2013, the United States Supreme Court rather unwittingly took the wind out of the plaintiffs’ bar’s sails with its decision in Clapper v. Amnesty International.

 Clapper was actually a case about the U.S. National Security Agency’s (NSA) ability to wiretap communications with non-citizens without a warrant regardless of whether the communication was with a U.S. citizen. Attorneys and human rights, labor, legal, and media organizations filed an injunction to get this provision of the Foreign Intelligence Surveillance Act (FISA) declared unconstitutional. The Supreme Court ruled that the plaintiffs in Clapper did not have standing because they could not show that their communications had been intercepted, only that they hypothetically could have been. In the opinion by U.S. Supreme Court Justice Alito, the court stated that standing requirements can be met only by showing actual harm or “certainly impending” injury. Further, it stated that “(Plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

 Defense attorneys began utilizing the Clapper decision to get cyber breach cases dismissed with great success. The argument was that if the plaintiffs could not show that their identity had been stolen or used to make fraudulent purchases, then they had not been injured and lacked standing. It was not enough to show that their risk of identity theft had been increased significantly. Further, reimbursed expenses and time spent closing accounts were considered de minimis and, based upon the above rationale, payments made for credit monitoring services were considered self-infliction of harm.

 After Clapper, plaintiffs had to allege either an actual monetary injury or a high probability of identity theft in order to survive a motion to dismiss. Thanks to a panel of judges for the 7th Circuit Court of Appeals in a July 20, 2015, decision, this is no longer the case. In Remijas, et al. v. Neiman Marcus Group, LLC, the 7th Circuit ruled that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” The 7th Circuit further stated that “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”

 It is no secret that hackers steal customer data for the purpose of committing identity theft or credit card fraud, but it is not necessarily true that any individual whose personal information has been stolen will be a victim. Credit can be monitored, fraudulent charges can be reimbursed, and card numbers and passwords can be changed to help prevent actual injuries. As cyber breaches continue to affect companies, especially large retailers, it is also possible that any identity theft or fraud suffered by plaintiffs might be traceable to a non-defendant company. This logic did not deter the 7th Circuit from allowing class action plaintiffs standing to sue without suffering an actual injury. In fact, the court actually punished Neiman Marcus for complying with state breach notification laws and for offering credit monitoring services, citing this as evidence that the Neiman Marcus breach was the source of the plaintiffs’ threatened harm.

What It Means to You

While we can hope that the Supreme Court eventually gets the opportunity to apply the Clapper logic to these types of cases, the 7th Circuit has effectively opened the floodgates for breach class actions in the near term. Breaches can and do occur at many organizations. If your organization collects or stores personal data, the decision in Neiman Marcus increases the probability of a class action lawsuit in the event this data is accessed by a hacker or lost by an employee. This decision also increases the length of the legal battle that may ensue.

It is increasingly crucial for organizations to seek advice regarding their cyber-infrastructure, employee policies, and insurance coverage so that they find themselves in the best possible position to defend against potential lawsuits, and to prevail, in the event they suffer a cyber breach.