Earlier this week the Seventh Circuit Court of Appeals, in Illinois, issued a momentous decision for those of us who keep tabs on data breach litigation nationwide. The decision in Remijas v. Neiman Marcus reinstated class action claims by thousands of shoppers who had their credit card data stolen. Reversing a trend in the case law driven by a 2013 Supreme Court decision (the Clapper decision), the Seventh Circuit held in effect that even if some class members had not yet experienced a loss of money due to their personal information being stolen, they still had standing to pursue claims for compensation, including for the time and aggravation of having to obtain replacement credit cards, put in place credit monitoring, and take other steps to protect themselves. It did not matter, said the court, that all of the consumers who had experienced fraudulent charges on their cards had been reimbursed by their banks, that Neiman Marcus had agreed to pay for credit monitoring, or that the consumers could not conclusively rule out that their credit card account information had been stolen in a different hack (e.g. Target).
This decision is only binding in the federal districts within the Seventh Circuit, but as Kevin LaCroix has pointed out in his blog, as a first-in-the-nation decision from an appellate court in this exact scenario, it is likely to be influential. That is even more true for claims brought in the Northwest, for two reasons.
First, the Seventh Circuit cited extensively to a decision from the Northern District of California in the Adobe Systems data breach case, In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–05226–LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014). (That decision is available here.) The Adobe decision relied on pre-Clapper case law from the Ninth Circuit, and has already been cited twice this year to support a finding of standing in a data breach/data privacy class action, the first brought by Sony employees, and the second by users of the Google Wallet. Those cases had already established the Ninth Circuit (and therefore the Northwest) as a favorable venue for data breach class actions.
Second, the Premera Blue Cross class action complaints involving the massive data breach at that company, and involving claims under Oregon and Washington law, have all been consolidated in the federal court in Oregon, and have been assigned to Judge Michael Simon. Judge Simon, a former Perkins Coie partner, is inclined toward issuing cerebral and thoroughly reasoned decisions that often have a pro-consumer bent. I would not be surprised to see a lengthy decision from Judge Simon in the near future along the lines of the Seventh Circuit’s decision, giving plaintiffs’ lawyers a road map for obtaining standing in data breach cases and for properly bringing claims under Oregon and Washington law.
What does any of this have to do with insurance? Well, if you are a non-Northwest company with operations in the Northwest looking at cyber insurance, and trying to assess company-wide risk, you cannot rely on decisions from courts in your “home” jurisdiction that have made it hard for these types of claims to go forward. If you are a Northwest business that handles a lot of consumer data, the risk of a class action in the event of a breach just went up a little bit. Even if the claims are absolutely meritless, they will get past the motion to dismiss stage, which means that defense costs will be considerable. All of that should be fodder for your next conversation with your insurance and legal advisers about your company’s cyber-coverage, and particularly defense cost coverage and limits.