Seventh Circuit Holds Neiman Marcus Data Breach Plaintiffs Have Standing | Practical Law

In Remijas v. Neiman Marcus Group, LLC, the US Court of Appeals for the Seventh Circuit reversed the district court's dismissal of the plaintiffs' claims in the Neiman Marcus credit card data breach litigation for lack of standing. The court held that future harm and mitigation damages support standing to sue and distinguished the case from the US Supreme Court's 2013 opinion in Clapper v. Amnesty International.

Practical Law Legal Update 0-617-5927 (Approx. 6 pages)

by Practical Law Intellectual Property & Technology
Published on 22 Jul 2015
USA (National/Federal)
On July 20, 2015, the US Court of Appeals for the Seventh Circuit issued an opinion in Remijas v. Neiman Marcus Group, LLC reversing the US District Court for the Northern District of Illinois's dismissal of the plaintiffs' claims arising out of a 2013 data breach for lack of standing (No. 14–3122, (7th Cir. July 20, 2015)).

Background

In December 2013, Neiman Marcus Group, LLC learned that some of its customers had fraudulent charges on their cards and began investigating the issue. On January 1, 2014, it discovered potential malware on its systems. On January 10, 2014, Neiman Marcus publicly disclosed the breach, posted information about the breach on its website and sent individual notification letters to customers who had incurred fraudulent charges. At that time, Neiman Marcus disclosed that:
  • The malware had attempted to collect card data between July 16, 2013 and October 30, 2013.
  • Potentially 350,000 credit card numbers of Neiman Marcus's customers had been exposed to the malware.
  • Other sensitive information such as social security numbers and birth dates had not been compromised.
  • Of the potentially affected cards, 9,200 were known to have been used fraudulently.
Neiman Marcus then sent notifications of the breach to those customers who had shopped at its stores from January 2013 to January 2014 and for whom it had e-mail or physical addresses. Additionally, it offered them one year of free credit monitoring and identity theft protection.
The breach prompted a number of class action lawsuits, which were consolidated on June 2, 2014 into a first amended complaint brought by the named plaintiffs, each of whom had made credit or debit card purchases at a Neiman Marcus store during the time period of the breach. The named plaintiffs sought to represent themselves and a class of the approximately 350,000 Neiman Marcus customers affected by the breach and alleged claims for:
  • Negligence.
  • Breach of implied contract.
  • Unjust enrichment.
  • Unfair and deceptive business practices.
  • Invasion of privacy.
  • Violation of state data breach laws.
Several of the named plaintiffs alleged that they had incurred fraudulent charges on the cards that they used at Neiman Marcus. One named plaintiff additionally alleged that she was the target of a scam through her cell phone. Notably, two of the named plaintiffs did not allege that they incurred any fraudulent charges or suffered any other form of identity theft.
Neiman Marcus moved to dismiss the complaint for lack of standing and failure to state a claim under FRCP 12(b), and on September 16, 2014, the district court dismissed the complaint exclusively on standing grounds.

Article III Standing

In order to maintain an action in federal court, a plaintiff must establish standing under the case-or-controversy requirement of Article III of the Constitution. On appeal, dismissals for lack of standing are reviewed de novo. To establish standing the plaintiff must prove all of the following:
  • He has suffered a concrete, particularized injury.
  • The injury is fairly traceable to the defendant's challenged conduct.
  • The injury is redressable by judicial decision.
Citing the US Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147 (2013), the court noted that allegations of future harm can establish standing if that harm is certainly impending, though allegations of possible future injury are not sufficient.

Actual Injury

As the basis for standing, the Neiman Marcus plaintiffs alleged:
  • Several actual injuries:
    • lost time and money resolving the fraudulent charges;
    • lost time and money protecting themselves from future identity theft;
    • the financial loss of buying items at Neiman Marcus they would not have purchased if they had known of Neiman Marcus's approach to cybersecurity; and
    • lost control over the value of their personal information.
  • Two imminent injuries:
    • increased risk of future fraudulent charges; and
    • increased risk of future identity theft.
The plaintiffs conceded that:
  • They were reimbursed for fraudulent charges.
  • The evidence did not yet indicate that their identities had been stolen.
The court characterized the plaintiffs' alleged harms as falling into two categories for purposes of its analysis:
  • The 9,200 customers who experienced fraudulent charges and therefore incurred aggravation and loss of the value of time needed to "set things straight," such as to reset payment associations after card numbers were changed and to pursue relief for unauthorized charges.
  • An increased risk of harm to the rest of the 350,000 putative class members.
The court held without any analysis that aggravation and loss of time was sufficient injury with respect to the 9,200 customers who incurred fraudulent charges. In response to the argument that the other putative class members were at risk of future injury, Neiman Marcus argued that the plaintiffs' allegations were insufficient because, as a matter of policy, card companies reimburse fraudulent charges and therefore all future fraud that any plaintiff incurred would be reimbursed. The court rejected this argument, noting that it revealed a potential factual dispute over the universality of bank reimbursement policies.
The court then distinguished Clapper, under which the district court dismissed the case, from the case at hand. In Clapper, the Supreme Court held that the plaintiffs did not have standing to challenge certain provisions of the Foreign Surveillance Intelligence Act (FSIA) because they could not show that their communications with suspected terrorists were actually intercepted by the government. The court noted that although the Clapper plaintiffs' suspicions that their communications were being intercepted were too speculative to support standing, Clapper did not reject the premise that substantial risk of injury was sufficient to support standing.
In distinguishing Clapper, the court cited with approval the decision in In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197 (N.D. Cal. Sept. 4, 2014), a case in which the US District Court for the Northern District of California found that under similar circumstances Clapper did not foreclose standing in a data breach case. The court noted that the plaintiffs alleged that the hackers deliberately targeted Neiman Marcus to obtain their credit card information, while in Clapper there was no evidence that any of respondents' communications either had been or would be monitored. Thus, unlike in Clapper, the court noted, there is "no need to speculate as to whether [the Neiman Marcus customers'] information has been stolen and what information was taken" (quoting In re Adobe Sys., 66 F.Supp.3d at 1215 (citing Clapper, 133 S.Ct. at 1148)). As in Adobe, the court noted, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud to sue because there is an objectively reasonable likelihood that the injury will occur, in part because waiting for the threatened harm to materialize would make it harder for the plaintiffs to argue that the injury was fairly traceable to the defendant's conduct.
The court also noted that the plaintiffs had alleged a plausible risk of harm because:
  • Presumably the purpose of the hack was to later make fraudulent charges or steal customers' identities.
  • The plaintiffs cited a Government Accountability Office Report that found that stolen data may be held for a year or more before being used, and further, that once stolen data is sold or posted on the internet, fraudulent use of the data may continue for years.
The court went on to note that while the plaintiffs may not ultimately be able to provide a factual basis for their injuries, they are not required to do so at the pleading stage.
With respect to mitigation damages, expenses the plaintiffs alleged they incurred in purchasing identity theft protection, the court once again distinguished Clapper, which held that the costs the plaintiffs incurred to avoid injury were insufficient to confer standing. The court noted that Clapper dealt with speculative harm arising out of conduct that may not have even happened to the plaintiffs. In contrast, in the case at hand, an affected customer who was notified that her card was at risk might think it necessary to subscribe to a credit monitoring service. The court went on to note that it was "telling" that Neiman Marcus itself offered one year of credit monitoring and identity theft protection to its customers in the wake of the breach and that it was unlikely to do so if the risk could be safely disregarded. These costs, the court held, "easily" qualified as a concrete injury.
The court refrained from deciding whether the plaintiffs' allegations of overpayment for products and the right to the value of one's personal information might suffice as Article III injuries.

Causation and Redressability

Neiman Marcus argued that the plaintiffs could not show that their injuries were traceable to the data breach rather than to one of several other large breaches that took place around the same time. The court rejected this argument, noting that just because a breach at some other store might have caused the plaintiffs' private information to be exposed does nothing to negate the plaintiffs' standing to sue. Rather, that issue would be one of allocating responsibility under traditional tort doctrines. The court went further, finding that at the pleading stage, it was sufficient for standing purposes that Neiman Marcus admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk.
Finally, as to redressability, Neiman Marcus argued that the plaintiffs' injuries cannot be redressed by a judicial decision because they have already been reimbursed for the fraudulent charges. The court found that while that may be true for the actual fraudulent charges alleged, it was not true for the alleged mitigation expenses or the future injuries. The court found it important that although some credit card companies offer zero liability policies under which the customer is not held responsible for any fraudulent charges, those policies do not defeat a finding of injury-in-fact because they are a business practice, not a federal requirement.

Failure to State a Claim

Neiman Marcus argued, in the alternative, that the court should affirm the district court's decision to dismiss on the basis that the plaintiffs' claims failed to state a claim for relief under FRCP 12(b)(6). The court declined to do so, however, because the district court failed to reach this ground, and the ground upon which the court dismissed (standing) necessarily resulted in dismissal without prejudice. The court noted that a dismissal under FRCP 12(b)(6) is a dismissal with prejudice and that because Neiman Marcus did not file a cross-appeal, the issue of whether the complaint stated a claim for relief was not properly before the court.