Fraudulent Charges and Standing in Credit Card Litigation

Sarah Condor, Esq., LL.M.

The Seventh Circuit has reinstated a class action against Neiman Marcus alleging that thousands of customers incurred fraudulent charges and others had their credit card information exposed due to a cyberattack on the retailer in 2013. The decision marks the first time a federal appellate court has reviewed—and revived—a data breach class action after a lower court dismissed the case because the plaintiffs lacked Article III standing to bring their claims. (Remijas v. Neiman Marcus Grp., LLC, 2015 WL 4394814 (7th Cir. July 20, 2015).)

In December 2013, Neiman Marcus, a luxury department store, received reports that some credit card customers had incurred fraudulent charges. It discovered potential malware in its computer system on Jan. 1, 2014 but did not publicly disclose the data breach or notify the customers who incurred those charges until Jan. 10. The company confirmed that about 350,000 credit card numbers were potentially exposed…

View original post 700 more words

Fraudulent Charges and Standing in Credit Card Litigation

The Seventh Circuit has reinstated a class action against Neiman Marcus alleging that thousands of customers incurred fraudulent charges and others had their credit card information exposed due to a cyberattack on the retailer in 2013. The decision marks the first time a federal appellate court has reviewed—and revived—a data breach class action after a lower court dismissed the case because the plaintiffs lacked Article III standing to bring their claims. (Remijas v. Neiman Marcus Grp., LLC, 2015 WL 4394814 (7th Cir. July 20, 2015).)

In December 2013, Neiman Marcus, a luxury department store, received reports that some credit card customers had incurred fraudulent charges. It discovered potential malware in its computer system on Jan. 1, 2014 but did not publicly disclose the data breach or notify the customers who incurred those charges until Jan. 10. The company confirmed that about 350,000 credit card numbers were potentially exposed to the malware, which attempted to collect credit card data between July 16 and Oct. 30, 2013; 9,200 of those cards were used fraudulently.

The retailer then notified all its customers who shopped at its stores nationwide between January 2013 and January 2014, and offered them one year of free credit monitoring and identity-theft protection. This cyberattack came in the wake of several other widespread data breaches involving customers’ debit and credit card information at large U.S. retailers during the 2013 holiday season, as Trial News previously reported.

Consumers filed several class actions against Neiman Marcus, which were consolidated in 2014. The plaintiffs, who represent themselves and the 350,000 customers whose data may have been hacked, sued the retailer for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

Neiman Marcus moved to dismiss the case for lack of standing and for failure to state a claim. In September 2014, the Northern District of Illinois granted the motion exclusively on standing grounds, ruling that the individual plaintiffs and the class lacked standing under Article III of the Constitution, and dismissed the complaint without prejudice. The plaintiffs appealed.

To prove standing, the Seventh Circuit noted that the plaintiffs must allege that the data breach inflicted concrete, particular injuries; that Neiman Marcus caused those injuries; and that a judicial decision can provide redress. The plaintiffs alleged that class members have sustained concrete injuries: time and money resolving the fraudulent charges and protecting themselves against future identity theft, among others. They also alleged two imminent injuries: increased risk of future fraudulent charges and greater susceptibility to identity theft.

The Seventh Circuit evaluated the plaintiffs’ claims based on Clapper v. Amnesty International, USA, a U.S. Supreme Court decision that lower courts have used as a metric for Article III standing requirements. (133 S. Ct. 1138 (2013).) The court also compared this case to a similar lower court data breach decision. (In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).) “Like the Adobe plaintiffs, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the Seventh Circuit wrote.

Distinguishing this case from Clapper, the Seventh Circuit held that there is no merit to the defendant’s claim that the 9,200 plaintiffs who incurred fraudulent charges don’t have standing: Those plaintiffs have identifiable costs as a result of the data breach. It also held that the plaintiffs’ future injury allegations were sufficient to survive a motion to dismiss.

The court cautioned against applying Clapper too broadly: “Clapper was addressing speculative harm based on something that may not even have happened to some or all of the plaintiffs. In our case, Neiman Marcus does not contest the fact that the initial breach took place.” It noted that the defendant must consider some of the injuries “concrete” because it offered one year of credit monitoring and identify-theft protection to all its customers.

As to the other standing requirements, the Seventh Circuit held that Neiman Marcus’s admissions and actions “adequately raise the plaintiffs’ right to relief above the speculative level,” and that at least the mitigation expenses and future injuries can be redressed by judicial action. The case was remanded to the district court for further proceedings.

“The monumental decision allows data breach victims to proceed with their claims even if they have not yet suffered fraud or identity theft,” said West Hollywood, Calif., attorney Tina Wolfson, who represents the plaintiffs. “It is an important victory for all consumer victims, because it rejects defendants’ attempts to close the courthouse doors to more consumer victims.”

Some district courts have greenlighted class actions against Target Corp. and Sony for similar data breaches, also concluding that the plaintiffs have Article III standing to sue. (In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 66 F. Supp. 3d 1154 (D. Minn. Dec. 18, 2014); and Corona v. Sony Pictures Entm’t, Inc., 2015 WL 3916744 (C.D. Cal. June 15, 2015).)

Work Permit for Spouse

An important recent change in the immigration regulations allows spouses of certain individuals in H-1B temporary work permit status to work in the United States.

The H-1B is one of the most common types of U.S. temporary work permits. Historically, the immigration status issued to spouses of H-1B work permit holders (known as an H-4) did not allow for work permission, thus restricting the spouse’s ability to work in the United States. The U.S. Citizenship and Immigration Services (“USCIS”), though, now allows work permission for H-4 spouses of certain H-1B work permit holders who have started the green card process. While the green card allows permanent residence and work permission in the U.S., it can often take longer to obtain than a temporary work permit. Therefore, many individuals first obtain a temporary work permit (such as the H-1B) while also pursuing the green card.

Those individuals eligible for work permission while in H-4 status include H-4 spouses whose H-1B work permit holding spouse:

  • has an approved Form I-140 (which is typically the second step of the green card process); or
  • has extended the H-1B beyond the six-year limit based on the first step of the green card being on file for at least 365 days (it does not require that any step of the green card be approved).

Work permission while in H-4 status is not granted automatically. The H-4 spouse must file to obtain the work permission with USCIS, and authorization typically takes a period of approximately two to three months to obtain. Once granted, though, the work permission that the H-4 spouse obtains is unrestricted, meaning the spouse is not limited to a specific employer, nor is self-employment or starting one’s own business prohibited.

This recent change provides an additional incentive to file for the green card case as soon as possible as even filing the green card case can expedite a spouse’s ability to obtain work permission.

Knee Pain and Medical Malpractice

ImageKnee pain with no obvious x-ray or physical exam findings should bring up a red flag to automatically check the hip. It is well known and taught in medical schools, that the same nerve-the obturator nerve-innervates both joints. Therefore, an elderly patient commonly can present to an emergency room complaining of knee pain after a fall. Then after emergency room physician review of x-rays showing a knee without any acute fractures, the patient is sent home only to return the next day with complaints of hip pain with x-rays showing a displaced hip fracture requiring a major operation.

The standard of care in this situation would be to both examine the hip and to x-ray the hip at the first presentation.

Additionally, there are known cases of patients having total knees performed in patients who were complaining of vague knee pain and having mild to moderate arthritis on x-rays, only to discover that afterwards the patient still had knee pain and then hip x-rays revealed severe end stage arthritis. The patient then required a total hip arthroplasty. The standard of care here also would be to take a detailed history of the pain pattern and to x-ray the hip on the same side.

Not adhering to the standard of care for evaluating these two examples of hip conditions would clearly indicate negligence and malpractice.