Sometime in 2013, hackers attacked Neiman Marcus, a luxury department store, and stole the credit card numbers of its customers. In December 2013, the compa
I
In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. Keeping this information confidential at first (according to plaintiffs, so that the breach would not disrupt the lucrative holiday shopping season), it promptly investigated the reports. It discovered potential malware in its computer systems on January 1, 2014. Nine days later, it publicly disclosed the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company also posted updates on its website. Those messages confirmed several aspects of the attack: some card numbers had been exposed to the malware, but other sensitive information such as social security numbers and birth dates had not been compromised; the malware attempted to collect card data between July 16, 2013, and October 30, 2013; 350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently. Notably, other companies had also suffered cyberattacks during that holiday season.
At that point, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 and for whom the company had physical or email addresses, offering them one year of free credit monitoring and identity-theft protection. On February 4, 2014, Michael Kingston, the Senior Vice President and Chief Information Officer for the Neiman Marcus Group, testified before the United States Senate Judiciary Committee. He represented that “the customer information that was potentially exposed to the malware was payment card account information” and that “there is no indication that social security numbers or other personal information were exposed in any way.”
These disclosures prompted the filing of a number of class-action complaints. They were consolidated in a First Amended Complaint filed on June 2, 2014, by Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao. They sought to represent themselves and the approximately 350,000 other customers whose data may have been hacked. The complaint relies on a number of theories for relief: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of pri
Remijas alleged that she made purchases using a Neiman Marcus credit card at the department store in Oak Brook, Illinois, in August and December 2013. Frank alleged that she and her husband used a joint debit card account to make purchases at a Neiman Marcus store on Long Island, New York, in December 2013; that on January 9, 2014, fraudulent charges appeared on her debit card account; that, several weeks later, she was the target of a scam through her cell phone; and that her husband received a notice letter from Neiman Marcus about the breach. Farnoush alleged that she also incurred fraudulent charges on her credit card after she used it at Neiman Marcus in 2013. Finally, Kao made purchases on ten separate occasions at a Neiman Marcus store in San Francisco in 2013 and received notifications in January 2014 from her bank as well as Neiman Marcus that her debit card had been compromised.
Citing Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. On September 16, 2014, the district judge granted the motion exclusively on standing grounds, and the plaintiffs filed their notice of appeal nine days later. This created a slight problem with appellate jurisdiction, because the district judge never set out his judgment in a separate document as required by Rule 58(a). Nonetheless, we have confirmed that there is a final judgment for purposes of 28 U.S.C. § 1291 and our jurisdiction is secure. (This step would not be necessary if the district court had taken the simple additional step described in Rule 58(a); we once again urge the district courts to do so, for the sake of both the parties and the appellate court.) Here, the district court clearly evidenced its intent in its opinion that this was the final decision in the case, and the clerk recorded the dismissal in the docket. Bankers Trust Co. v. Mallis,
II
We review a district court’s dismissal for lack of Article III standing de novo. Reid L. v. Ill. State Bd. of Educ.,
These plaintiffs must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them. We first address these requirements of Article III standing, and then briefly comment on Neiman Marcus’s argument that, alternatively, the complaint should be dismissed for failure to state a claim.
A
The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information. (We note that these allegations go far beyond the complaint about a website’s publication of inaccurate information, in violation of the Fair Credit Reporting Act, that is before the Supreme Court in Spokeo, Inc. v. Robins, No. 13-1339, cert. granted — U.S. -,
Allegations of future harm can establish Article III standing if that harm is “certainly impending,” but “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, — U.S. -,
As for the 9,200 (including Frank and Farnoush), the plaintiffs concede that they were later reimbursed and that the evidence does not yet indicate that their identities (as opposed to the data) have been stolen. But as we already have noted, there are identifiable costs associated with the process of sorting things out. Neiman Marcus challenges the standing of these class members, but we see no merit in that point. What about the class members who contend that un-reimbursed fraudulent charges and identity theft may happen in the future, and that these injuries are likely enough that immediate preventive measures are necessary? Neiman Marcus contends that this is too speculative to serve as injury-in-fact. It argues that all of the plaintiffs would be reimbursed for fraudulent charges because (it asserts) that is the common practice of major credit card companies. The plaintiffs disagree with the latter proposition; they contend that they, like all consumers subject to fraudulent charges, must spend time and money replacing cards and monitoring their credit score, and that full reimbursement is not guaranteed. (It would not be enough to
Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing. In Clapper, the Supreme Court decided that human rights organizations did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because they could not show that their communications with suspected terrorists were intercepted by the government. The plaintiffs only suspected that such interceptions might have occurred. This, the Court held, was too speculative to support standing. In so ruling, however, it did not jettison the “substantial risk” standard. To the contrary, it stated that “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”
In a data breach case similar to ours, a district court persuasively applied these principles, including Clapper’s recognition that a substantial risk will sometimes suffice to support Article III standing. “Unlike in Clapper, where respondents’ claim that they would suffer future harm rested on a chain of events that was both ‘highly attenuated’ and ‘highly speculative,’ the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real.” In re Adobe Sys., Inc. Privacy Litig.,
Requiring the plaintiffs “to wait for the threatened harm to materialize in order to sue” would create a different problem: “the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not ‘fairly traceable’ to the defendant’s data breach.” In re Adobe Sys.,
At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities. The plaintiffs are also careful to say that only 9,200 cards have experienced
In addition to the alleged future injuries, the plaintiffs assert that they have already lost time and money protecting themselves against future identity theft and fraudulent charges. Mitigation expenses do not qualify as actual injuries where the harm is not imminent. Clapper,
Once again, however, it is important not to overread Clapper. Clapper was addressing speculative harm based on something that may not even have happened to some or all of the plaintiffs. In our case, Neiman Marcus does not contest the fact that the initial breach took place. An affected customer, having been notified by Neiman Marcus that her card is at risk, might think it necessary to subscribe to a service that offers monthly credit monitoring. It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded. These credit-monitoring services come at a price that is more than de minimis. For instance, Experian offers credit monitoring for $4.95 a month for the first month, and then $19.95 per month thereafter. See http://www.experian.com/consumer-products/credit-monitoring.html. That easily qualifies as a concrete injury. It is also worth noting that our analysis is consistent with that in Anderson v. Hannaford Bros. Co., where the First Circuit held before Clapper that the plaintiffs sufficiently alleged mitigation expenses — namely, the fees for replacement cards and monitoring expenses — because under Maine law, a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate, regardless of whether the harm is nonphysical.”
For the sake of completeness, we comment briefly on the other asserted injuries. They are more problematic. We need not decide whether they would have sufficed for standing on their own, but we are dubious. The plaintiffs argue, for example, that they overpaid for the products at Neiman Marcus because the store failed to invest in an adequate security system. In some situations, we have held that financial injury in the form of an overcharge
Importantly, many of those cases involve products liability claims against defective or dangerous products. See, e.g., Lipton v. Chattem, Inc., No. 11 C 2952,
The plaintiffs also allege that they have a concrete injury in the loss of their private information, which they characterize as an intangible commodity. Under this theory, persons who had unauthorized credit charges would have standing even if they were automatically reimbursed, their identities were not stolen, and they could not show that there was a substantial risk of lack of reimbursement or further use of their information. This assumes that federal law recognizes such a property right. Plaintiffs refer us to no authority that would support such a finding. We thus refrain from supporting standing on such an abstract injury, particularly since the complaint does not suggest that the plaintiffs could sell their personal information for value.
The plaintiffs counter that recently-enacted state statutes make this right to personal information concrete enough for standing. They are correct to the extent they suggest that “the actual or threatened injury required under Article III can be satisfied solely by virtue of an invasion of a recognized state-law right.” Scanlan v. Eisenberg,
To sum up, we refrain from deciding whether the overpayment for Neiman Marcus products and the right to one’s personal information might suffice as injuries under Article III. The injuries associated with resolving fraudulent charges and protecting oneself against future identity theft do. These injuries are sufficient to satisfy the first requirement of Article III standing.
B
Injury-in-fact is only one of the three requirements for Article III standing. Plaintiffs must also allege enough in their complaint to support the other two prerequisites: causation and redressability. As the Supreme Court put it in Clapper, plaintiffs must “show[] that the defendant’s actual action has caused the substantial risk of harm.”
The fact that Target or some other store might have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue. It is certainly plausible for pleading purposes that their injuries are “fairly traceable” to the data breach at Neiman Marcus. See In re Target Corp. Data Sec. Breach Litig.,
With respect to standing, Neiman Marcus finally argues that the plaintiffs’ injuries cannot be redressed by a judicial decision because they already have been reimbursed for the fraudulent charges. That may be true for the fraudulent charges (the plaintiffs do not allege that any of those charges went unreim-
C
Neiman Marcus attempts to argue in the alternative that the plaintiffs failed to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6). Their problem is that the district court did not reach this ground, and that the ground on which it resolved the case (Article III standing) necessarily resulted in a dismissal without prejudice. A dismissal under Rule 12(b)(6), in contrast, is a dismissal with prejudice. If Neiman Marcus had wanted this additional relief, it needed to file a cross-appeal. See Jennings v. Stephens, — U.S. -,
We therefore conclude that the plaintiffs have adequately alleged standing under Article III. The district court’s judgment is Reversed and the case is Remanded for further proceedings consistent with this opinion.
