As mentioned in the first line of my previous article on the topic, “Will the Real Victim Stand Up?”, the issue of standing in data-breach cases is mercurial. Unlike the alchemists of old, the Seventh Circuit Court of Appeals turned not lead, but mercury into gold with its ruling in Remijas v. Neiman Marcus Group, LLC. The Court did more to advance the cause of standing for victims of data breaches than any case before it. Between July and October of 2014 approximately 350,000 credit cards of Neiman Marcus customers were exposed to hackers. Of those 350,000 cards, 9,200 had been used fraudulently. Neiman Marcus notified all customers who shopped in the store between January 2013 and January 2014 and offered them free credit monitoring.

First on the docket were the allegations of future harm. Specifically the Court considered whether the risks of future fraudulent charges and identity theft were “certainly impending.” Chief Judge Wood quickly dismisses Neiman’s argument that the victims would be reimbursed for fraudulent charges because it is common practice. Instead, the Plaintiffs’ argument that reimbursement was not guaranteed won the day. Judge Wood noted that even monitoring their credit card statements would not be sufficient as “thieves might –and often do –acquire new credit cards unbeknownst to the victim.” She further notes that in other cases the courts have required the plaintiff to show standing based on a “’substantial risk’ that the harm will occur” and that “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing…”. The one failing in the Court’s ruling on future harm is that Judge Wood appears to use the subsequent remedial measure of offering one year of credit monitoring against Neiman Marcus.

The Court then turns its focus to the plaintiffs’ assertion that they have already experienced harm vis-à-vis lost time and money trying to protect their identities. Again, Judge Wood finds merit in this claim. She states that “[a]n affected customer….might think it necessary to subscribe to a service that offers monthly credit monitoring.” And that the cost of these services is not “de minimis”. Judge Wood uses the $19.95 monthly cost of one such service in order to prove her point.

The Court then shifts its focus “[f]or the sake of completeness”, to the Plaintiffs’ additional asserted injuries. Chief Judge Wood is quick to note that these claims are “dubious”. Specifically, the Plaintiffs argue that they were caused financial injury by overpaying for goods at Neiman Marcus, while the company was not adequately investing in data security. Although the Court notes that such a financial injury can create standing, it has generally only been allowed in cases involving “products liability claims against defective and dangerous products.” The Plaintiff’s did not have any issue with the actual products purchased from Neiman Marcus. Instead, they appear to take umbrage with the fact that “the company pocketed too much”. The Court, however, acknowledges the nebulous nature of this claim, but does not rule on it.

Judge Wood briefly raises the spectre of Plaintiffs having a property right in their identities. She refrains, however, from ruling on this topic as well for two reasons. The first being that the Plaintiffs site “no authority that would support such a finding” in federal law. Secondly, “the complaint does not suggest that the Plaintiffs could sell their personal information for value.” This thought creates a fascinating hypothetical. Companies such as Datacoup tout that they will help you “Unlock the Value of Your Personal Data” by creating a marketplace for it. Plaintiffs in the next data-breach class action should take due notice and govern themselves accordingly.

With this ruling, the price of data-breaches has increased exponentially. At one point it was a foregone conclusion that defendants would quash the proceedings before the horse had even left the gate. Now corporations would do well to consider prophylactic measures to prevent the loss of consumer data. As Gregory Funaro noted in his article “The Data Loss Prevention Market By the Numbers: A 451 Research Report”, “With the increase in high-profile breaches, including Sony, Anthem, JP Morgan Chase, Target, and Home Depot, the weaknesses and limitations of traditional security have been exposed. Corporations are now taking a closer look at data security strategies and proven methods for data protection, with data loss prevention leading the charge.” Like the first waft of a pomander after a long hard trudge through the muck and mire, the court has brought a fresh and refreshing view to the issue of standing in data breach cases. It will be curious to see if Neiman Marcus files for certiorari before the United States Supreme Court or if the Seventh Circuits ruling will be the catalyst for settlement.