Dismissal of Neiman Marcus Customer Card Data Breach Suit Reversed by Seventh Circuit

POSTED JULY 24, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

Neiman Marcus credit card holders whose accounts were hacked will be able to proceed with a federal class-action lawsuit against the retailer. On July 20, 2015, the Seventh Circuit reversed the district court’s dismissal in the matter entitled Remijas v. Neiman Marcus Group, LLC, finding that the plaintiffs sufficiently alleged they were harmed by a data breach that exposed 350,000 credit cards, and where at least 9,500 accounts showed fraudulent transactions.

By way of background, the data breach occurred in 2013. Although the store was aware of fraudulent charges in December 2013, it did not discover potential malware until January 1, 2014. Nine days later, Neiman Marcus publicly disclosed the data breach, sent individual notifications to the customers who had incurred fraudulent charges, and posted updates on its website. Those messages confirmed several aspects of the attack: some card numbers had been exposed to the malware, but other sensitive information such as social security numbers and birth dates had not been compromised; the malware attempted to collect card data between July 16, 2013, and October 30, 2013; 350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently. At that point, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 and for whom the company had physical or email addresses, offering them one year of free credit monitoring and identity-theft protection.

The customers whose credit cards were exposed commenced a class action lawsuit against Neiman Marcus. In response, Neiman Marcus filed a Motion to Dismiss contending that, until the plaintiffs showed an actual injury from the data breach, the court lacked the authority to hear the case under Article III, which was granted by the district court. However, the Seventh Circuit disagreed holding that customers should not have to wait to have standing to sue until hackers commit identity theft or credit-card fraud. In support of same, the Seventh Circuit held that at this stage in the litigation, it was plausible to infer that the plaintiffs demonstrated a substantial risk of harm from the Neiman Marcus data breach. The Court noted that, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” The Seventh Circuit also observed that Neiman Marcus did not contest the fact that the data breach occurred, and found it “telling” that the retailer offered one year of credit monitoring and identity-theft protection to customers who had shopped at their stores between January 2013 and January 2014.

The company also argued that the plaintiffs could not show that their injuries were traceable to the data breach at Neiman Marcus because other retailers had also suffered data breaches around the same time. However, the Seventh Circuit rejected this argument holding that it was up to Neiman Marcus to prove that their actions were not the cause of plaintiffs’ injuries. Moreover, it is enough at this stage of the litigation that Neiman Marcus admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk. Thus, these admissions and actions by the store adequately raised the plaintiffs’ right to relief above the speculative level.

This decision reflects that there appears to be a circuit split as to whether or not a plaintiff who is the victim of a data breach for potential future injuries arising out of this stolen data has standing under Article III of the Constitution to bring a claim. On April 27, 2015, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act are sufficient to establish standing irrespective of any tangible injury. The ramifications of this determination will be significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.

Designed & Developed by Peak Seven