The Seventh Circuit has reinstated a class action against Neiman Marcus alleging that thousands of customers incurred fraudulent charges and others had their credit card information exposed due to a cyberattack on the retailer in 2013. The decision marks the first time a federal appellate court has reviewed—and revived—a data breach class action after a lower court dismissed the case because the plaintiffs lacked Article III standing to bring their claims. (Remijas v. Neiman Marcus Grp., LLC, 2015 WL 4394814 (7th Cir. July 20, 2015).)
In December 2013, Neiman Marcus, a luxury department store, received reports that some credit card customers had incurred fraudulent charges. It discovered potential malware in its computer system on Jan. 1, 2014, but did not publicly disclose the data breach or notify the customers who incurred those charges until Jan. 10. The company confirmed that about 350,000 credit card numbers were potentially exposed to the malware, which attempted to collect credit card data between July 16 and Oct. 30, 2013; 9,200 of those cards were used fraudulently.
The retailer then notified all its customers who shopped at its stores nationwide between January 2013 and January 2014, and offered them one year of free credit monitoring and identity-theft protection. This cyberattack came in the wake of several other widespread data breaches involving customers’ debit and credit card information at large U.S. retailers during the 2013 holiday season, as Trial News previously reported.
Consumers filed several class actions against Neiman Marcus, which were consolidated in 2014. The plaintiffs, who represent themselves and the 350,000 customers whose data may have been hacked, sued the retailer for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.
Neiman Marcus moved to dismiss the case for lack of standing and for failure to state a claim. In September 2014, the Northern District of Illinois granted the motion exclusively on standing grounds, ruling that the individual plaintiffs and the class lacked standing under Article III of the Constitution, and dismissed the complaint without prejudice. The plaintiffs appealed.
The Seventh Circuit noted that, to prove standing, the plaintiffs must allege that the data breach inflicted concrete, particular injuries; that Neiman Marcus caused those injuries; and that a judicial decision can provide redress. The plaintiffs alleged that class members have sustained concrete injuries: time and money resolving the fraudulent charges and protecting themselves against future identity theft, among others. They also alleged two imminent injuries: increased risk of future fraudulent charges and greater susceptibility to identity theft.
The Seventh Circuit evaluated the plaintiffs’ claims based on Clapper v. Amnesty International, USA, a U.S. Supreme Court decision that lower courts have used as a metric for Article III standing requirements. (133 S. Ct. 1138 (2013).) The court also compared this case to a similar lower court data breach decision. (In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).) “Like the Adobe plaintiffs, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” the Seventh Circuit wrote.
Distinguishing this case from Clapper, the Seventh Circuit held that there is no merit to the defendant’s claim that the 9,200 plaintiffs who incurred fraudulent charges don’t have standing: Those plaintiffs have identifiable costs as a result of the data breach. It also held that the plaintiffs’ future injury allegations were sufficient to survive a motion to dismiss.
The court cautioned against applying Clapper too broadly: “Clapper was addressing speculative harm based on something that may not even have happened to some or all of the plaintiffs. In our case, Neiman Marcus does not contest the fact that the initial breach took place.” It noted that the defendant must consider some of the injuries “concrete” because it offered one year of credit monitoring and identity-theft protection to all its customers.
As to the other standing requirements, the Seventh Circuit held that Neiman Marcus’s admissions and actions “adequately raise the plaintiffs’ right to relief above the speculative level,” and that at least the mitigation expenses and future injuries can be redressed by judicial action. The case was remanded to the district court for further proceedings.
“The monumental decision allows data breach victims to proceed with their claims even if they have not yet suffered fraud or identity theft,” said West Hollywood, Calif., attorney Tina Wolfson, who represents the plaintiffs. “It is an important victory for all consumer victims, because it rejects defendants’ attempts to close the courthouse doors to more consumer victims.”
Some district courts have greenlighted class actions against Target Corp. and Sony for similar data breaches, also concluding that the plaintiffs have Article III standing to sue. (In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522, 66 F. Supp. 3d 1154 (D. Minn. Dec. 18, 2014); and Corona v. Sony Pictures Entm’t, Inc., 2015 WL 3916744 (C.D. Cal. June 15, 2015).)