5 Big Developments In Privacy Class Actions In 2015, And 3 To Look For In 2016

The burgeoning area of privacy class action litigation showed no signs of slowing down in 2015. Here are some of the most significant developments from the past year, as well as some things to watch for in the coming year. For purposes of this article, we include in the definition of "privacy" class action litigation class actions arising out of data security breaches; litigation involving the collection, use, or transfer of consumer information; and litigation involving alleged intrusions upon privacy interests.

Five Significant Developments in 2015

The Seventh Circuit Court of Appeals Chips Away at Article III Standing as a First Line of Defense Immediately after the Supreme Court issued its decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), defense lawyers began to cite it in data breach cases for the proposition that the mere risk of future identity theft was never an injury in fact sufficient to give rise to Article III standing. Several early lower court decisions accepted this argument, but more recently, lower courts have begun to find ways to distinguish Clapper, resulting in a trend toward pre-Clapper jurisprudence that, at least in some instances, the risk of future harm is an injury in fact. The most prominent of these decisions was the Seventh Circuit's decision in Remijas v. Neiman Marcus Group, LLC, 794 F. 3d 688 (7th Cir. 2015), where the panel held that the alleged facts supported the conclusion that the risk of harm in the form of identity theft was not just possible but was actually "certainly impending," distinguishing it from the facts at issue in Clapper.

While certainly a victory for data breach plaintiffs, the victory may ultimately turn out to be a hollow one. The Remijas panel refused to consider the related argument of whether the alleged future harm was a cognizable injury sufficient to satisfy the elements of the plaintiffs' claims on the merits, holding that the issue had been waived because the defendant had not cross-appealed. In the primary Seventh Circuit case decided before Clapper involving standing in the data breach context, Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 639-40 (7th Cir. 2007), the court had reached the second issue and had ruled that although the plaintiff had standing, he had not stated a claim for relief on the merits. A similar result had been reached in the Ninth Circuit's primary pre-Clapper standing decision, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). In light of these trends, look for the battleground to shift from standing to early attacks on plaintiffs' claims on the merits.

Class Certification Granted in Target Issuing Bank Litigation In September, U.S. District Judge Paul Magnuson granted class certification in the consolidated MDL proceeding brought on behalf of issuing banks claiming damages resulting from Target's 2013 payment card hacking incident. In re: Target Corporation Customer MDL, No. 14-2522 (D. Minn., Sept. 15, 2015). The decision was significant as one of the first to grant class certification in a...