United States District Court, N.D. Illinois, Eastern Division
HILARY REMIJAS, MELISSA FRANK, DEBBIE FARNOUSH, and JOANNE KAO, individually and on behalf of all others similarly situated, Plaintiff,
THE NEIMAN MARCUS GROUP, LLC, a Delaware limited liability company, Defendant.
MEMORANDUM OPINION AND ORDER
JAMES B. ZAGEL, District Judge.
Plaintiffs Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao, individually and on behalf of all others similarly situated, have brought this action against Defendant Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts. Defendant now moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(1) for lack of Article III standing, and pursuant to Fed.R.Civ.P. 12(b)(6) for failure to state a claim. For the following reasons, Defendant's motion to dismiss is granted for lack of standing.
Defendant is a high-end department store. In 2013, hackers breached Defendant's servers, resulting in the potential disclosure of 350,000 customers' payment card data and personally identifiable information. At some point following the breach, it became clear that, of the payment cards that may have been affected, at least 9,200 were subsequently used fraudulently elsewhere. Plaintiffs are among the 350,000 customers, and they have brought this lawsuit against Defendant for failing to adequately protect against such a security breach, and for failing to provide timely notice of the breach once it happened.
Plaintiffs assert that they have been injured in that Defendant's alleged misconduct exposed them to an increased risk of future fraudulent credit card charges, and an increased risk of identity theft. Plaintiffs also assert present injuries, including the loss of time and money associated with resolving fraudulent charges, the loss of time and money associated with protecting against the risk of future identity theft, the financial loss they suffered from having purchased products that they wouldn't have purchased had they known of Defendant's misconduct, and the loss of control over and value of their private information. Defendant argues that none of these asserted injuries is sufficient to establish Article III standing.
It is a plaintiff's burden to establish Article III standing. Apex Digital, Inc. v. Sears, Roebuck, & Co., 572 F.3d 440, 443 (7th Cir. 2009). This requires the plaintiff to demonstrate: (1) an "injury in fact" that is concrete and particularized and either actual or imminent; (2) that the injury is fairly traceable to the challenged action by the defendant; and (3) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147 (2013). Because standing is not a mere pleading requirement, but rather an indispensable part of the plaintiff's case, it must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation. Apex Digital, 572 F.3d at 443. Plaintiffs assert four principal categories of injury. I address each in turn.
A. The Increased Risk of Future Harm
Allegations of future potential harm may suffice to establish Article III standing, but the future harm must be "certainly impending." See Clapper, 133 S.Ct. at 1147 (collecting cases). Three courts in this District have recently taken up the question of standing and the increased risk of future harm plaintiffs encounter in the context of such cyber-attacks. See Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D.Ill. July 14, 2014); Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D.Ill. March 12, 2014); In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D.Ill. Sept. 3, 2013).
The courts in Strautins and Barnes & Noble both held that the alleged increased risk of future harm was insufficient to establish standing. Defendant argues that this case is like Strautins and Barnes & Noble. In Moyer, the Court held that the alleged increased risk of future harm was sufficient to establish standing, but Defendant contends that this holding was premised on a misreading of relevant case law, and it should not be followed. The differing outcomes in Strautins and Barnes & Noble on the one hand, and Moyer on the other are in part attributable to conflicting readings of the Supreme Court's recent decision in Clapper.
The Strautins Court concluded that Clapper implicitly overruled a facially more relaxed standard for evaluating standing in this context articulated in Pisciotta v. Old Nat. Bancorp, 499 F.2d 629, 634 (7th Cir. 2007). In Pisciotta, the Court held that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." Id. The Strautins Court held that, by emphasizing the "certainly impending" standard, the Supreme Court "seems rather plainly to reject the premise, implicit in Pisciotta [ ], that any marginal increase in risk is sufficient to confer standing." Strautins, 2014 WL 960816, at *5. The Barnes & Noble Court relied on Clapper's "certainly impending" analysis without reference to Pisciotta.
The Moyer Court, by contrast, understood Clapper to have applied a particularly rigorous standing analysis to a claim that particularly called for it - a claim that implicated the actions of the political branches of government in the fields of intelligence gathering and foreign affairs, and that argued that an action taken by one of the other two branches of the federal government was unconstitutional. See Moyer, 2014 WL 3511500, at *5; see also Strautins, 2014 WL 960816, at *5 n. 11. These cyber-attack/credit card cases implicate neither questions of national security nor the constitution. The Moyer Court concluded that there was room for Clapper and Pisciotta to co-exist. See Moyer, 2014 WL 3511500, at *6.
For my part, I note that the "certainly impending" standard pre-dates Clapper, see Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979), though I also note that the Clapper Court itself acknowledged that the underlying facts called for an "especially rigorous" standing inquiry, see Clapper, 133 S.Ct. at 1147. Those facts are not present here. Read literally, Pisciotta could be understood to have held that any marginal increase in the risk of future injury is sufficient to confer Article III standing. That would be difficult to square with Clapper, which sets a threshold that an increase in the risk of harm must meet in order to confer standing. Id. But in my view, it is hard to imagine that that is what the Pisciotta Court intended, and such a literal reading of Pisciotta would not be reasonable. The Pisciotta Court raised the issue of standing sua sponte, and was not prompted to thoroughly discuss it. Though it does not expressly say so, Pisciotta was constrained by the "certainly impending" standard, first articulated 27 years earlier in Babbitt, and I read that standard into the opinion.
Legal standards aside, the underlying facts in Pisciotta, Strautins, Barnes & Noble, and the instant case materially differ with respect to standing. First, in Pisciotta, it appears as though the plaintiffs' data were actually stolen (at the very least, the Court's analysis assumed as much). See Pisciotta, 499 F.3d at 634. At issue with respect to the plaintiffs' injury, then, was whether and how likely the stolen data would actually be misused. Id. This is distinct from Strautins and Barnes & Noble, where the respective Courts found that the plaintiffs had alleged merely that there was a possibility that their data had been stolen. See Strautins, 2014 WL 960816, at *4, *6; Barnes & Noble, 2013 WL 4759588, at *4. Compared to the facts in Pisciotta, the fact that any given plaintiff's data may not have even been stolen yielded a much weaker inference that the data were actually at a sufficiently increased risk of being misused. In my view, this is a principled distinction ...