(Reuters) - The year 2015 was a dicey time for data breach class actions attempting to hold companies accountable for leaving customers’ personal information vulnerable to computer hackers. Data breach defendants, as you may recall, had seized upon the U.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International (133 S.Ct. 1138), which tightened the test for whether plaintiffs have constitutional standing to sue in federal court. Trial courts overwhelmingly agreed with defense arguments that data breach plaintiffs don’t have standing to sue just because their confidential information was stolen.
Then the 7th U.S. Circuit Court of Appeals issued its decision in Remijas v. Neiman Marcus (794 F.3d 688).
The 7th Circuit said the mere threat of identity theft was a sufficiently concrete injury to give data breach victims a constitutional right to sue. “The Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the appeals court wrote, quoting from the Clapper decision.
After the 7th Circuit’s Neiman Marcus decision, several other appellate circuits similarly ruled that the threat of identity theft is a concrete injury. The 4th and 8th Circuits haven’t adopted as broad a view of standing in data breach class actions, but it’s fair to say the emerging appellate consensus is that when your personal information is stolen, you’ve been injured. The Neiman Marcus case broke the dam on data breach standing.
But now the case looks like a harbinger for completely different reasons. On Monday, U.S. District Judge Sharon Johnson Coleman of Chicago rejected a proposed $1.6 million settlement of the case, decertifying a class of Neiman Marcus customers who used their credit cards when the department store chain was infected with malware. The judge ruled that the proposed settlement – in which certain customers would be eligible for as much as $100 in cash but others were entitled to no cash recovery – created a conflict among class members.
It turns out that the Neiman Marcus hack wasn’t as straightforward as the department store originally thought. Not every store was infected by hackers’ malware, and even at stores that were affected, the malware operated intermittently. The personal data of some Neiman Marcus cardholders, in other words, wasn’t compromised at all.
Class lawyers at Siprut, Morgan & Morgan and Ahdoot & Wolfson tried to get around that problem by “blinding” the named plaintiffs, Judge Coleman said. Like all other Neiman Marcus cardholders, the named plaintiffs were blocked from finding out whether they were exposed to the malware – and thus entitled to a cash payment – until they submitted a claim. Class counsel contended that by keeping the named plaintiffs in the dark about their own eligibility for a cash recovery, they protected the interests of all cardholders.
Judge Coleman wasn’t crazy about that argument. “The refusal to inform class members of how they were situated until after they opted into the settlement,” she wrote, “creates an appearance of manipulation or dishonesty, undermining the integrity of the class action mechanism.” But she said that under 7th Circuit precedent in Uhl v. Thoroughbred Technology (309 F.3d 978), class representatives “cloaked in a veil of ignorance” can adequately represent the interests of class members who might otherwise have divergent interests.
What Judge Coleman couldn’t abide, however, was the proposed settlement’s resolution of claims by cardholders whose purchases fell entirely outside of the timeframe of the malware attack. Those class members, she said, could not possibly be entitled to cash, since they were not affected by the attack. The only benefit they would derive from the settlement was what Judge Coleman called “lackluster non-monetary relief” – and Neiman Marcus had already promised remedies like credit monitoring outside of the proposed class deal. The judge said the conflict between class members who stood a chance of recovering cash and those who were excluded from money damages was fundamental and unresolvable.
She also highlighted the troublingly low claims rate of less than one percent, after a notice program in which only about 775,000 potential class members out of a pool of 2 million cardholders were contacted directly. “In implementing the notice plan, the parties radically departed from their representation that each settlement class member would receive direct notice of the settlement,” Judge Coleman wrote. “By any measure, this is an exceedingly low claims rate, befitting a settlement that sells out the class in order to enrich class counsel.”
Jay Edelson of the Edelson firm represented objectors to the Neiman Marcus settlement. He told me in an email that Judge Coleman’s ruling exemplifies a new trend of courts paying close attention to data breach settlement proposals. The proposed deal in the Neiman Marcus case “followed a 1980s mindset of settling cases where class members were little more than an afterthought,” Edelson wrote. “As lawyers are increasingly learning, modern courts are carefully scrutinizing privacy settlements to make sure that they are fair, transparent and benefit the class. We are hopeful this decision, along with other similar decisions, sends a clear message to the plaintiff’s bar as to what decade we are all practicing in.”
I emailed class counsel from Morgan & Morgan and Siprut about Judge Coleman’s ruling but didn’t hear back.
The views expressed in this article are not those of Reuters News.