Recent Developments in Data Security Class Actions
In recent weeks, there have been several developments in some of the major data security class action suits.
The Spokeo Effect
The Supreme Court’s decision in Spokeo, Inc. v. Robins—which will determine whether a plaintiff in a suit under the Fair Credit Reporting Act (“FCRA”) can recover damages without suffering actual harm—continues to be anxiously anticipated by the lower courts.
In light of the expected impact of the Spokeo decision, some district courts have been staying class actions that implicate similar issues. Last week, for example, the Northern District of California granted a stay in a class action, Patel v. Trans Union, LLC, filed under the FCRA against Trans Union LLC over consumers’ ability to contest the accuracy of information posted on their credit reports. In granting the stay, the Northern District concluded that a stay was necessary because the issues in that appeal “hover in the background of all statutory damages cases.” The Northern District of California has stayed several other similar suits in recent months based on the pendency of Spokeo.
Target Data Breach Litigation
While Target continues to make progress in resolving claims arising out of its November 2013 data breach, which exposed information from approximately 40,000,000 debit and credit card accounts, some of the class action claims against the company continue to be fiercely litigated.
Last month Target announced that it had agreed to a $67 million settlement to resolve claims with Visa (along with card-issuing financial institutions, Fifth Third Bancorp and Bank of America) arising out of the data breach. Earlier this year, Target also agreed to a $10 million settlement to resolve consumer class action claims relating to the breach; a settlement approval hearing is scheduled for November.
Despite these settlements, other financial institutions continue to charge ahead in their claims against Target. Target’s proposed $19 million settlement with MasterCard was scuttled by three of the largest card-issuing banks, who felt the settlement did not compensate them for their losses. Separately, the banks in In re Target Corporation Consumer Data Security Breach Litigation have sought class certification on behalf of financial entities that issued payment cards that were compromised in the Target breach. They argued that the case warrants class adjudication because all of the banks suffered common harms arising from the data breach.
Petition for Rehearing En Banc in Remijas v. Neiman Marcus
As we covered in this client alert, in July the United States Court of Appeals for the Seventh Circuit issued a noteworthy decision in Remijas v. Neiman Marcus, holding that consumers whose personal information is compromised in a data breach, but who have not actually incurred any fraudulent charges or suffered identity theft, have standing under Article III. That case concerned a 2013 data breach, in which hackers had apparently gained access to the credit card numbers of approximately 350,000 customers of Neiman Marcus. A three-judge panel of the Seventh Circuit concluded that consumers, including those who had not incurred fraudulent charges or had other out-of-pocket losses traceable to the data breach, could bring suit against the company.
Neiman Marcus has petitioned for rehearing en banc, arguing that the panel’s opinion is at odds with the Supreme Court’s 2013 holding in Clapper v. Amnesty International that Article III standing for possible future injuries exists only where the threatened injury is “certainly impending.” Neiman Marcus further argues that the Seventh Circuit’s decision creates a circuit split with the Third Circuit’s earlier ruling in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011). The Seventh Circuit has not yet determined whether it will rehear the case before the full court.