The Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group, LLC may have removed a substantial hurdle for data-breach class actions (as we previously discussed) by holding that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” were sufficient to confer Article III standing. But does that ruling remove all of the major obstacles to data-breach class actions? Absolutely not. There are still additional daunting hurdles in a plaintiff’s path to obtaining class certification such as proving Civil Rule 23(b)(3) predominance (i.e., that questions of law or fact predominate over any questions affecting individual class members), which has plagued other data-security class actions.
In Remijas, Neiman Marcus argued that the plaintiffs could not show that the Neiman Marcus breach caused their injuries. Specifically, Neiman Marcus argued that the plaintiffs could not show that their injuries were fairly traceable to the Neiman Marcus breach rather than the data breach at Target (which occurred around the same time) or some other store. In response, the court cited Summers v. Tice, a 1948 California Supreme Court case involving a plaintiff shot while quail hunting who did not know which of the defendants had shot him (insert Dick Cheney joke here). In Summers, the court held that under those circumstances, the defendants had the burden of showing who was responsible. The Seventh Circuit seemed to adopt this reasoning in Remijas, stating: “If there are multiple companies that could have exposed the plaintiffs’ private information to hackers, then the common law of torts has long shifted the burden of proof to defendants to prove that their negligent actions were not the ‘but for’ cause of the plaintiff’s injury.”
The discussion of causation raises another substantial hurdle to data-breach class actions, namely establishing Civil Rule 23(b)(3) predominance for class certification (i.e., that questions of law or fact predominate over any questions affecting individual class members). In Remijas, the Seventh Circuit cited the First Circuit’s decision in Anderson v. Hannaford Bros. Co., which similarly held that card-replacement fees and identity-protection services were sufficient to confer standing. On remand in Anderson, however, the district court held that the plaintiff’s had not shown predominance because a trial would require determining causation of damages, which would involve “individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”
Consider how you would answer those questions in connection with the Neiman Marcus breach in light of this timeline, particularly the following facts:
- The Neiman Marcus breach involved around 350,000 customers (although initial reports were as many as 1.1 million credit and debit cards).
- The Neiman Marcus breach was disclosed approximately one month after Target disclosed its data breach, which involved as many as 110 million payment cards.
- Two days after the Neiman Marcus breach was disclosed, Michaels Stores indicated that it was investigating a data-security breach.
In addition, factor in the potential effects from one of the other myriad breaches that have occurred such as those depicted in this visual. For example, how do you account for a potential class member who received credit-monitoring services as a result of one or many of the previous data breaches?
TAKE AWAY: Summers v. Tice does not remove issues of causation; it just shifts the burden. As a result, even if courts start applying Summers v. Tice to data-breach claims, courts would still need to resolve the question of what happened to the class members’ respective accounts, which under Anderson, raises whether predominance can be satisfied. This determination of causation may be particularly problematic when multiple breaches occur around the same time, like the Neiman Marcus and Target breaches, and it remains to be seen whether that causation determination can be resolved on a class-wide basis.