The Seventh Circuit Undercuts Prominent Defenses in Data Breach Lawsuits and Class Actions
With two recent decisions sure to please the plaintiff’s bar, the U.S. Court of Appeals for the Seventh Circuit landed a blow to defendants facing class action and data breach lawsuits. In the first decision, the Seventh Circuit ruled that data breach plaintiffs, who regularly bring suits as class actions, have Article III standing despite suffering no actual harm so long as some future fraudulent activity resulting from the breach is “certainly impending.” In a second ruling, the Seventh Circuit killed off the heightened ascertainability requirement for class certification, adopted in the Third Circuit and various other courts, which requires plaintiffs to demonstrate a manageable method of identifying class members. The Court held to a “weak” ascertainability requirement for class certification, where the class definition must merely be sufficiently definite and based on objective standards.
Impending Harm in Data Breach Cases – Remijas v. Neiman Marcus Group, LLC
Courts across many jurisdictions have routinely dismissed data breach cases for a lack of standing where the plaintiff alleges only a possible future harm resulting from the breach. In a July 20, 2015 decision (Remijas v. Neiman Marcus Group, LLC, --- F.3d ---, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015)), the Seventh Circuit cut back this defense, ruling that Article III standing exists where the plaintiff faces a “certainly impending” risk of injury resulting from the data breach.
Article III standing requires an alleged “concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). In Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the Supreme Court held that mere allegations of “possible future injury” are not sufficient for standing, though a well-pled allegation that such harm is “certainly impending” could. Defendants in data breach cases have successfully argued that Clapper mandates a finding of no standing where a plaintiff fails to allege an actual present harm resulting from a data breach.
In Neiman Marcus, the plaintiff brought a putative class action against the company following a data breach involving customer credit card information. Shortly after learning of the breach, defendant publicly acknowledged that a data breach had occurred involving 350,000 of its issued credit cards and that there were over 9,200 cards known to have been used fraudulently. Defendant provided individual notice to its customers who were hit with fraudulent charges on their credit cards and offered a free year of credit monitoring.
The plaintiff alleged both actual and future harms. The Northern District of Illinois (J. Zagel) dismissed the complaint, finding that neither the “fraudulent charge” injury alleged to have been incurred by the 9,200 customers, nor the risk that the same injury may befall others among the 350,000 customers at issue, is an injury sufficient to confer standing because Clapper requires an injury to be concrete, particularized, and at least imminent. Remijas v. Neiman Marcus Group, LLC, No. 14 C 1735, 2014 WL 4627893, *3 (N.D. Ill. Sept. 16, 2014). In particular, the 9,200 customers whose cards had been fraudulently used did not suffer a “concrete” injury where such customers were not financially responsible for the unauthorized charges, and the remaining customers are not at a “certainly impending risk of identity theft.” Id.
The Seventh Circuit – with Chief Judge Wood writing for the three-judge panel – reversed the district court, ruling that a data breach plaintiff may have standing based strictly on an alleged impending harm. The Seventh Circuit concluded that the alleged facts in the instant case support the finding that the plaintiff has standing to bring claims against Neiman Marcus for the imminent harms of future fraudulent credit card charges or identity theft. The Court emphasized that the risk of fraudulent charges or identity theft in this instance is “very real” – noting that the plaintiff alleges that the data breach occurred when hackers deliberately targeted Neiman Marcus to steal credit card information. Given this alleged fact, the Seventh Court determined that “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Indeed, the Court continued, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Neiman Marcus, 2015 WL 4394814 at *4.
Critical to the Seventh Circuit’s ruling, is the further position that experiencing identity theft or fraudulent charges to one’s credit card are “concrete” injuries that provide for standing. The Court simply assumes, without explanation, that identity theft is sufficient. The Court concludes – and reverses the district court in the process – that a fraudulent charge is sufficient for standing because, even where the fraudulent charges are fully reimbursed (as the plaintiffs acknowledge occurred for the 9,200 cardholders known to have experienced fraudulent charges), there are other “identifiable costs associated with the process of sorting things out” such as the “aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” Id. at *3.
The Court further suggests that the company’s offer of free credit-monitoring services “is telling” because “[i]t is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Id. at *5. This suggestion is surely fact-dependent, but it must be noted that the Court – perhaps unwittingly – appears to have incentivized companies that have experienced a data breach to choose not to provide credit-monitoring services to those whose data has been or potentially been compromised.
As the first federal court of appeals decision to address the application of Clapper in a data breach lawsuit, Neiman Marcus opens the door for certain plaintiffs who have suffered no harm from actual fraudulent activity or identity theft to bring suit against companies that have experienced a data breach. The decision no doubt invites plaintiffs, and their attorneys, to bring class action claims, arguing that any time a person’s identifying information is compromised, there is ipso facto a substantial risk of fraudsters using of that information. Such an argument would go beyond the holding of Neiman Marcus, which requires plaintiffs to demonstrate a “very real” and substantial risk of harm in the event that such plaintiffs have not yet been injured. Moreover, plaintiffs will continue to face the challenge of asserting viable claims that would demonstrate wrongdoing by the defendant in connection with the breach – a challenge plaintiffs have thus far often struggled to meet.
Class Ascertainability – Mullins v. Direct Digital, LLC
In a ruling issued July 28, 2015 (Mullins v. Direct Digital, LLC, --- F.3d ---, No. 15-1776, 2015 WL 4546159 (7th Cir. July 28, 2015)), the Seventh Circuit swept away the “heightened ascertainability” requirement for class certification. This requirement, prominently adopted in the U.S. Court of Appeals for the Third Circuit and percolating across various courts including some of the district courts in the Seventh Circuit, mandates a showing of a “reliable and administratively feasible” method to individually identify class members. The Seventh Circuit squarely rejected this heightened requirement in favor of a “weak” ascertainability requirement – namely, that a class must be clearly defined and based on objective criteria – and deepened the circuit split on ascertainability in the process.
Ascertainability is a judicially created requirement for class certification that is not express in Rule 23. As it has developed in federal courts, ascertainability has commonly been understood to require the class definition to be sufficiently definite and based on objective standards. See Manual for Complex Litigation (Fourth) § 21.222, at 270 (ascertainability requires that the class definition must “avoid subjective standards (e.g., a plaintiff’s state of mind) or terms that depend on resolution of the merits (e.g., persons who were discriminated against)”). Recently, the Third Circuit has adopted a more stringent ascertainability standard, additionally requiring that “whether someone is in the class must be ‘administratively feasible,’ [and that a] plaintiff does not satisfy the ascertainability requirement if individualized fact-finding or mini-trials will be required to prove class.” Carrera v. Bayer Corp., 727 F.3d 300 (3d Cir. 2013) (“Administrative feasibility means that identifying class members is a manageable process that does not require much, if any, individual factual inquiry.”) (citations omitted).
The Direct Digital lawsuit involves allegations that defendant Direct Digital, LLC fraudulently represented that there was scientific support behind its claim that its Instaflex Joint Support product relieves joint discomfort. The plaintiff brought a putative class action complaint under consumer fraud statutes in several states, including Illinois. In opposing class certification, Direct Digital argued that plaintiff failed present any evidence or proposed method by which to identify the class members who purchased Instaflex (citing Carrera), noting that even the plaintiff himself had no proof that he bought Instaflex. The plaintiff argued the identification of class members was not required, as the heightened ascertainability requirement of Carrera was not Seventh Circuit law, which requires only that class membership be determinable by objective means – namely, whether an individual purchased Instaflex during the class period. The Northern District of Illinois (J. Norgle) certified the class under Rule 23(b)(3), noting specifically that “Plaintiff’s class is ascertainable because it is objectively contained to all individuals who purchased Instaflex for personal use during the class period and the class period is finite.” Mullins v. Direct Digital, LLC, No. 13 CV 1829, 2014 WL 5461903, *2 (N.D. Ill. Sept. 30, 2014). The Seventh Circuit took the appeal under Rule 23(f) “primarily to address the developing law of ascertainability.”
With Judge Hamilton writing for the three-judge panel, the Seventh Circuit affirmed the district court and ruled that “[t]he Third Circuit’s approach in Carrera … goes much further than the established meaning of ascertainability and in our view misreads Rule 23.” Direct Digital, 2015 WL 4546159 at *7. In the Court’s view, a class is properly denied certification where the class is defined too vaguely (e.g., fails to “identify a particular group, harmed during a particular time frame, in a particular location, in a particular way”); is defined by subjective criteria (e.g., a person’s state of mind); or is defined in terms of success on the merits (e.g., so-called “fail-safe classes” where class members that would lose on liability are defined out of the class). Id. at *4.
Specifically, the Seventh Circuit refuted the policy reasons that the Third Circuit, and courts following it, have provided in support of the heightened requirement, finding instead that the established, and explicit, Rule 23 requirements already sufficiently address these considerations.
First, the heightened requirement is said to alleviate substantial administrative inconvenience to the court in managing a class identification process that would require extensive individualized inquiries or “mini-trials.” The Seventh Circuit rejected this view, holding instead that concerns with the administration and manageability of class member identification is better addressed by the superiority requirement of Rule 23(b)(3), where a class action must be superior to other available methods for adjudicating the controversy. The Seventh Circuit pointed particularly to Rule 23(b)(3)(D), which allows – as part of the superiority analysis – consideration of the “likely difficulties in managing a class action.” Not only are manageability concerns already addressed by Rule 23(b)(3)’s superiority requirement, but, the Seventh Circuit found, these concerns are best considered under the superiority analysis, rather than as an aspect of ascertainability, because superiority analysis is appropriately comparative – the costs of class treatment in a particular matter (which may include manageability problems) must be weighed against the benefits. This comparative analysis, the Seventh Circuit believes, works to keep manageability concerns from overwhelming the Rule 23 considerations, causing courts to “err systematically against certification.” Id. at *7-9.
Second, the heightened requirement is said to best protect absent class members. The reasoning here is that if individual class members cannot be specifically identified, then actual notice would not be possible for “absent” class members who would thereby lose their opt-out rights. The Seventh Circuit dismissed this concern, finding the heightened ascertainability requirement to be inconsistent with Rule 23(c)(2)(B)’s limited requirement that only the “best notice that is practicable under the circumstances” and commensurate with the stakes in the litigation must be provided, not actual notice to all class members. Id. at *9-10.
Third, the heightened requirement is said to protect the interests of class members whose recovery may be diluted by persons fraudulently making class claims through, for example, false affidavits of membership. The Seventh Circuit found little merit in this policy concern, stating that the valid claims are unlikely to suffer a reduction in recovery due to false or fraudulent claims, that the submission of false or fraudulent claims are likely uncommon, and, in any event, a reduced recovery is better than the alternative – no recovery for class members and no deterrence of “corporate misconduct” in the event certification is denied based on a concern with claim dilution. Id. at *11-13.
Fourth, the heightened requirement is said to ensure the defendant’s due process rights to challenge evidence of class membership by effectively disallowing the submission of self-identifying affidavits as evidence of class membership – a common method proposed by plaintiffs to identify class members. The Seventh Circuit rejected this policy basis, stating that a defendant’s due process right to challenge class-identifying evidence exists at “any stage of the case, including the claims [administration] or damages stage.” As such, a court’s reliance on such affidavits in certifying a class does not prejudice the defendant. Id. at *13-16.
In rejecting the heightened ascertainability requirement, the Direct Digital decision curtails what had been an increasingly effective defense in class action lawsuits – particularly in those involving consumer transactions where purchase or other customer records are often insufficient to specifically identify class members. The administrative feasibility concerns of the heightened standard will continue to factor in class certification analysis as a component of Rule 23(b)(3)’s superiority requirement. Courts in the Seventh Circuit will likely grapple with an increased focus on superiority analysis, as defendants argue that class administration and manageability problems, rooted in difficulties in identifying class members, will outweigh the benefits of the class device. Furthermore, it remains to be seen how other federal courts – some of which have adopted the reasoning of the Third Circuit’s approach to ascertainability – will weigh in on this important threshold class certification issue in light of the Seventh Circuit’s strong renunciation of the heightened ascertainability requirement.