United States District Court, N.D. Illinois, Eastern Division
September 16, 2014
HILARY REMIJAS, MELISSA FRANK, DEBBIE FARNOUSH, and JOANNE KAO, individually and on behalf of all others similarly situated, Plaintiff,
v.
THE NEIMAN MARCUS GROUP, LLC, a Delaware limited liability company, Defendant.
MEMORANDUM OPINION AND ORDER
JAMES B. ZAGEL, District Judge.
Plaintiffs Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao, individually and on behalf of all others similarly situated, have brought this action against Defendant Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts. Defendant now moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(1) for lack of Article III standing, and pursuant to Fed.R.Civ.P. 12(b)(6) for failure to state a claim. For the following reasons, Defendant's motion to dismiss is granted for lack of standing.
Defendant is a high-end department store. In 2013, hackers breached Defendant's servers, resulting in the potential disclosure of 350,000 customers' payment card data and personally identifiable information. At some point following the breach, it became clear that, of the payment cards that may have been affected, at least 9,200 were subsequently used fraudulently elsewhere. Plaintiffs are among the 350,000 customers, and they have brought this lawsuit against Defendant for failing to adequately protect against such a security breach, and for failing to provide timely notice of the breach once it happened.
Plaintiffs assert that they have been injured in that Defendant's alleged misconduct exposed them to an increased risk of future fraudulent credit card charges, and an increased risk of identity theft. Plaintiffs also assert present injuries, including the loss of time and money associated with resolving fraudulent charges, the loss of time and money associated with protecting against the risk of future identity theft, the financial loss they suffered from having purchased products that they wouldn't have purchased had they known of Defendant's misconduct, and the loss of control over and value of their private information. Defendant argues that none of these asserted injuries is sufficient to establish Article III standing.
It is a plaintiff's burden to establish Article III standing. Apex Digital, Inc. v. Sears, Roebuck, & Co., 572 F.3d 440, 443 (7th Cir. 2009). This requires the plaintiff to demonstrate: (1) an "injury in fact" that is concrete and particularized and either actual or imminent; (2) that the injury is fairly traceable to the challenged action by the defendant; and (3) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147 (2013). Because standing is not a mere pleading requirement, but rather an indispensable part of the plaintiff's case, it must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation. Apex Digital, 572 F.3d at 443. Plaintiffs assert four principal categories of injury. I address each in turn.
A. The Increased Risk of Future Harm
Allegations of future potential harm may suffice to establish Article III standing, but the future harm must be "certainly impending." See Clapper, 133 S.Ct. at 1147 (collecting cases). Three courts in this District have recently taken up the question of standing and the increased risk of future harm plaintiffs encounter in the context of such cyber-attacks. See Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D.Ill. July 14, 2014); Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D.Ill. March 12, 2014); In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D.Ill. Sept. 3, 2013).
The courts in Strautins and Barnes & Noble both held that the alleged increased risk of future harm was insufficient to establish standing. Defendant argues that this case is like Strautins and Barnes & Noble. In Moyer, the Court held that the alleged increased risk of future harm was sufficient to establish standing, but Defendant contends that this holding was premised on a misreading of relevant case law, and it should not be followed. The differing outcomes in Strautins and Barnes & Noble on the one hand, and Moyer on the other are in part attributable to conflicting readings of the Supreme Court's recent decision in Clapper.
The Strautins Court concluded that Clapper implicitly overruled a facially more relaxed standard for evaluating standing in this context articulated in Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). In Pisciotta, the Court held that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." Id. The Strautins Court held that, by emphasizing the "certainly impending" standard, the Supreme Court "seems rather plainly to reject the premise, implicit in Pisciotta [ ], that any marginal increase in risk is sufficient to confer standing." Strautins, 2014 WL 960816, at *5. The Barnes & Noble Court relied on Clapper's "certainly impending" analysis without reference to Pisciotta.
The Moyer Court, by contrast, understood Clapper to have applied a particularly rigorous standing analysis to a claim that particularly called for it - a claim that implicated the actions of the political branches of government in the fields of intelligence gathering and foreign affairs, and that argued that an action taken by one of the other two branches of the federal government was unconstitutional. See Moyer, 2014 WL 3511500, at *5; see also Strautins, 2014 WL 960816, at *5 n. 11. These cyber-attack/credit card cases implicate neither questions of national security nor the constitution. The Moyer Court concluded that there was room for Clapper and Pisciotta to co-exist. See Moyer, 2014 WL 3511500, at *6.
For my part, I note that the "certainly impending" standard pre-dates Clapper, see Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979), though I also note that the Clapper Court itself acknowledged that the underlying facts called for an "especially rigorous" standing inquiry, see Clapper, 133 S.Ct. at 1147. Those facts are not present here. Read literally, Pisciotta could be understood to have held that any marginal increase in the risk of future injury is sufficient to confer Article III standing. That would be difficult to square with Clapper, which sets a threshold that an increase in the risk of harm must meet in order to confer standing. Id. But in my view, it is hard to imagine that that is what the Pisciotta Court intended, and such a literal reading of Pisciotta would not be reasonable. The Pisciotta Court raised the issue of standing sua sponte, and was not prompted to thoroughly discuss it. Though it does not expressly say so, Pisciotta was constrained by the "certainly impending" standard, first articulated 27 years earlier in Babbitt, and I read that standard into the opinion.
Legal standards aside, the underlying facts in Pisciotta, Strautins, Barnes & Noble, and the instant case materially differ with respect to standing. First, in Pisciotta, it appears as though the plaintiffs' data were actually stolen (at the very least, the Court's analysis assumed as much). See Pisciotta, 499 F.3d at 634. At issue with respect to the plaintiffs' injury, then, was whether and how likely the stolen data would actually be misused. Id. This is distinct from Strautins and Barnes & Noble, where the respective Courts found that the plaintiffs had alleged merely that there was a possibility that their data had been stolen. See Strautins, 2014 WL 960816, at *4, *6; Barnes & Noble, 2013 WL 4759588, at *4. Compared to the facts in Pisciotta, the fact that any given plaintiff's data may not have even been stolen yielded a much weaker inference that the data were actually at a sufficiently increased risk of being misused. In my view, this is a principled distinction that could justify holding that Pisciotta satisfied the "certainly impending" standard (albeit under a less rigorous application of the standard outside the national security/constitutional context) while holding that Strautins and Barnes & Noble did not.
The facts in the instant case present a third permutation. Here, the overwhelming majority of the plaintiffs allege only that their data may have been stolen. In this sense, the instant case is like Strautins and Barnes & Noble. Unlike Strautins and Barnes & Noble, however, Plaintiffs also allege (and Defendant acknowledges) that 9,200, or approximately 2.5% of these customers have actually had fraudulent charges appear on their credit cards. In other words, these customers' data were actually stolen and were actually misused. This allegation permits several inferences of varying strength with respect to Plaintiffs' claims to standing.
First, it certainly permits the inference that these 9,200 customers did indeed have their data stolen as a result of the cyber-attack on Defendant. That is an injury in fact, the sufficiency of which for purposes of standing will be addressed below. Second, it permits a weaker, though in my view still plausible, inference that others among the 350,000 customers are at a "certainly impending" risk of seeing similar fraudulent charges appear on their credit cards as a result of the cyber-attack on Defendant. The significance of that potential future injury for purposes of standing will also be discussed below. I do not believe, however, that this allegation permits a plausible inference that any of the 350,000 customers are at a "certainly impending" risk of the other future injury claimed by Plaintiffs - identity theft.
It is not clear to me that the "fraudulent charge" injury alleged to have been incurred by the 9,200 customers, or, a fortiori, the risk that the same injury may befall others among the 350,000 customers at issue, is an injury sufficient to confer standing. To satisfy their burden to establish standing, plaintiffs must show that their injury is concrete, particularized, and, if not actual, at least imminent. See Clapper, 133 S.Ct. at 1147. As discussed above, I am satisfied that the potential future fraudulent charges are sufficiently "imminent" for purposes of standing. But of course, even having conceded imminence, both injuries (present and future) must still be concrete. Here, as common experience might lead one to expect, Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed. On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as "concrete" injuries. See Barnes & Noble, 2013 WL 4759588, at *6; Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307, *8 (S.D.N.Y. June 25, 2010). Without a more detailed description of some fairly substantial attendant hardship, I cannot agree with Plaintiffs that such "injuries" confer Article III standing.
Next, as noted above, I am not persuaded that the 350,000 customers at issue are at a certainly impending risk of identity theft. Unlike the Pisciotta plaintiffs, the plaintiffs here do not allege that data belonging to all of the customers at issue were in fact stolen. They allege that approximately 2.5% of the customers at issue saw fraudulent charges on their credit cards, supporting a strong inference that those customers' data were stolen as a result of Defendant's data breach. And again, I accept the inference from this that additional customers are at a "certainly impending" risk of future fraudulent charges on their credit cards. But to assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far. The complaint does not adequately allege standing on the basis of increased risk of future identity theft.
B. Time and Money Spent to Mitigate the Risk of Future Fraud and Identity Theft
Plaintiffs also claim the time and money allegedly spent toward mitigating the risk of future fraudulent charges and identity theft constitutes injury sufficient to confer standing. The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury. See Moyer, 2014 WL 3511500, at *4 n. 1. As discussed above, however, on these pleadings I am not satisfied that either of the future injuries claimed in the complaint are themselves sufficient to confer standing.
The "fraudulent charge" injury, absent unreimbursed charges or other allegations of some substantial attendant hardship, is not in my view sufficiently concrete to establish standing. In any event, the complaint contains no meaningful allegations as to what precisely the costs incurred to mitigate the risk of future fraudulent charges were. Generally, when one sees a fraudulent charge on a credit card, one is reimbursed for the charge, and the threat of future charges is eliminated by the issuance of a new card, perhaps resulting in a brief period where one is without its use. If the complaint is to credibly claim standing on this score, it must allege something that goes beyond such de minimis injury.
As discussed above, the complaint does not adequately allege that the risk of identity theft is sufficiently imminent to confer standing. So long as that is the case, the "time and money spent to mitigate" claim as to the risk of identity theft, which may well be more substantial than the same claim as to the risk of fraudulent credit card charges, is not a cognizable Article III injury.
C. The Financial Injury For Having Purchased Defendant's Products
Plaintiffs also assert that they paid a premium for the retail goods purchased at Defendant's stores, a portion of which Defendant was required to allocate to adequate data breach security measures. Because Defendant did not do so, Plaintiffs allege, Plaintiffs overpaid for their respective purchases and would not have otherwise made them. As Plaintiffs would have it, this financial injury establishes standing.
The argument is creative, but unpersuasive. All of the cases to which Plaintiffs cite in support of this proposition involved products which possessed some sort of deficiency. Plaintiffs purchased bottled water and it turned out to be municipal tap water. Chicago Faucet Shoppe, Inc. v. Nestle Waters N. Am. Inc., 2014 WL 541644, *3 (N.D.Ill. Feb. 11, 2014). Plaintiffs purchased children's toys and they turned out to be toxic. In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011). As the Seventh Circuit noted, the fact that members of the class in such a case did not suffer physical injury did not mean that they were not injured. "The plaintiffs' loss is financial: they paid more for the toys [or water] than they would have." Id.
In my view, a vital limiting principle to this theory of injury is that the value-reducing deficiency is always intrinsic to the product at issue. Under Plaintiffs' theory, however, the deficiency complained of is extrinsic to the product being purchased. To illustrate the problem this creates: suppose a retail store does not allocate a sufficient portion of its revenues to providing adequate in-store security. A customer who is assaulted in the parking lot after patronizing the store may well have a negligence claim against the store owner. But could he or she really argue that she overpaid for the products that she purchased? Or even more to the point: even if no physical injury actually befell the customer, under Plaintiffs' theory, the customer still suffered financial injury because he or she paid a premium for adequate store security, and the store security was not in fact adequate.
As set forth in Aqua Dots, this theory of injury is plainly sensible. In my view, however, expanding it to include deficiencies extrinsic to the purchased product would effectively render it meaningless.
D. The Loss of Control Over and Value of Plaintiffs' Private Information
Finally, I am also unpersuaded by Plaintiffs' claim to standing based on the loss of control over and value of their private information. Again, the injury as pled is not sufficiently concrete. Cf. Barnes & Noble, 2013 WL 4759588 (no actual injury of this sort where plaintiffs do not allege that their personal information was sold or that the plaintiffs themselves could have sold it).
For the foregoing reasons, Defendant's motion to dismiss for lack of Article III standing is granted.