Seventh Circuit Revives Neiman Marcus Data Breach Case
On July 20, 2015, the Seventh Circuit issued a precedential ruling reviving claims against Neiman Marcus brought by a proposed class action that alleges the high-end retailer failed to protect customer data and debit card information that was stolen by hackers. The decision in Remijas v. Neiman Marcus Group, LLC1 expands the types of alleged injury that can satisfy Article III standing requirements in cases that result from data breaches. Specifically, the Court held that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient for standing in these matters.2
Remijas arose from the 2013 breach of Neiman Marcus’s consumer credit card database, in which hackers obtained close to 350,000 credit card numbers. Neiman Marcus discovered evidence of the breach in January 2014, after customers complained about fraudulent charges. Nine days later, Neiman Marcus began notifying both the public, generally, and affected consumers, individually. According to a Neiman Marcus press release, the breach was caused by malicious software that was “clandestinely installed” on the company’s system. Through these notifications, Neiman Marcus admitted that at least 9,200 cards had been used fraudulently. In an attempt to mitigate the damage done by the breach, the company offered a year of free credit monitoring and identity theft protection to all customers who had shopped at a Neiman Marcus store between January 2013 and January 2014.
As a result of the breach, multiple class-action lawsuits were filed and subsequently consolidated into Remijas. The four leading plaintiffs alleged six different injuries in support of standing, four of which were already suffered: i) lost time and money resolving the fraudulent charges; ii) lost time and money protecting themselves from future identity theft; iii) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity; and iv) lost control over the value of their personal information. The two remaining injuries were not yet sustained but deemed imminent: i) the increased risk of future fraudulent charges; and ii) greater susceptibility to identity theft. U.S. District Judge James B. Zagel initially dismissed the claims, as he did not find any of the six alleged injuries sufficient to allow for standing. The plaintiffs appealed.
The Appellate Court’s three-judge panel first considered the two alleged imminent injuries, looking to the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA3, often cited by defendants in data-breach cases.
Under Clapper, alleged future harm can be sufficient to establish standing if the harm is “certainly impending.”4 In Remijas, the court found that the injuries asserted by the plaintiffs fit that description: given that 9,200 cards had already been used fraudulently at the time of suit, there is a serious risk of both future fraudulent use and future identity theft, and there is no guarantee that the plaintiffs will be fully reimbursed.5 The Court explained: “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”6 In holding that there was an objectively reasonable likelihood of future injury, the Court noted that the plaintiffs had cited a government report which found that hackers may wait more than a year before using data acquired from a breach.
The Court further found that the plaintiffs had asserted an injury-in-fact through time and money spent on protecting against future harm. While the Clapper court held that mitigation expenses are not sufficient for standing, the Clapper plaintiffs alleged harm based on a speculative incident.7 In Remijas, the defendant admitted that a breach occurred and that the plaintiffs were all affected by that breach. Neiman Marcus even provided a year of credit monitoring and identity theft protection for the plaintiffs. According to the Court, “[it] is unlikely that it did so because the risk… can be safely disregarded.”8
In addressing the four allegedly sustained injuries, the Court held that injuries associated with resolving fraudulent charges and protecting oneself against future identity theft do satisfy the standing requirements of Article III. The court refrained, however, from deciding whether the overpayment for Neiman Marcus products and the right to one’s personal information might suffice as injuries under Article III.9
Finally, although Neiman Marcus reimbursed impacted customers for fraudulent charges already made, the Court found it had not done so for the mitigation expenses or the alleged future injuries.10 While most credit card companies fully reimburse customers for fraudulent charges under zero liability policies, the Court noted that because “the ‘zero liability’ feature is a business practice, not a federal requirement,” there is no guarantee that the plaintiffs will be fully reimbursed.11 It is thus not unreasonable for the plaintiffs to seek relief from the judicial system instead.12
With this decision, the Seventh Circuit has made it much easier for victims of data breaches to have their day in court. It is more imperative than ever that companies understand that the exposure from a cyber-breach extends beyond a failure of their respective systems. Post-breach public statements and post-breach disclosures concerning the company’s systems and security should be carefully drafted. How a company responds to a cyber breach, and its lack of oversight beforehand, may now provide a basis for injuries sufficient to sustain class actions by impacted customers. Clients should remain vigilant in protecting themselves and their customers against breaches in order to avoid rapidly expanding liability.
1 Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487, *18 (7th Cir. 2015).
2 Id. at *2.
3 133 S. Ct. 1138 (2013).
4 Id. at *8 (quoting Clapper, 133 S. Ct. at 1147).
5 Id. at *9-*10.
6 Id. at *11-*12.
7 Id. at *13-*14.
8 Id. at *14.
9 Id. at *15.
10 Id. at *21.
11 Id. at *21-*22.
12 Id. at *22.