Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Neiman Marcus hack victims cleared to pursue class action

Reprints

In what is being described as a significant ruling, a federal appeals court says injuries that victims of a data breach at Neiman Marcus allegedly sustained are sufficient to entitle them to pursue their putative class action lawsuit against the retailer.

Dallas-based Neiman Marcus Group L.L.C. learned in mid-December 2013 that fraudulent charges had shown up on the credit cards of some of its customers, according to Monday's ruling by the 7th U.S. Circuit Court of Appeals in Chicago in Hilary Remijas et al. v. Neiman Marcus Group L.L.C.

It discovered potential malware in its computer systems on Jan. 1, 2014, and sent notices to customers who had incurred fraudulent charges nine days later, according to the ruling.

Complaints seeking class action status were filed and consolidated in June 2014. In September 2014, the U.S. District Court in Chicago dismissed the case on the grounds the plaintiffs did not have grounds to sue.

To pursue the case, the plaintiffs' complaints must satisfy the requirements established in the U.S Supreme Court's 2013 ruling in Clapper v. Amnesty International USA, in which the high court held that alleged injuries must be “concrete, particularized and actual or imminent,” according to the ruling.

“The question is whether (plaintiffs') allegations satisfy Clapper's requirement that injury either already have occurred or be 'certainly impending,'” said the ruling.

A three-judge panel held plaintiffs have met this standard. “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information?” said the ruling.

The ruling also pointed to Neiman Marcus offering one year of credit monitoring and dignity-theft protection to customers. “It is unlikely they did so because the risk is so ephemeral that it can safely be disregarded,” said the ruling, in remanding the case for further action.

Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh, who was not involved in the case, said the ruling is highly significant. It is the first time an appellate court has considered the application of Clapper in this context, she said.

The court is well respected, “and so it may well be persuasive to other courts outside the 7th Circuit. That said, there is a split among the lower courts” on this issue, “although these cases are gaining traction more and more,” she said.

In comparable other cases, courts have held plaintiffs did not have standing to sue because they had not yet suffered injury, and defendants have sought dismissal on that basis.

Read Next