Neiman Marcus cyber security ruling could have wide influenceReprints
A federal appeals court ruling involving retailer Neiman Marcus that permits consumer data breach victims to pursue their putative class action litigation is likely to be influential with other appellate courts, and may even be ultimately heard by the U.S. Supreme Court.
“There's no question it's a highly significant decision,” Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh, who was not involved in the case, said of Monday's ruling by the 7th U.S. Circuit Court of Appeals in Chicago in Hilary Remijas et al. v. Neiman Marcus Group L.L.C.
Dallas-based Neiman Marcus Group learned in mid-December 2013 that fraudulent charges had shown up on the credit cards of some of its customers, according to the ruling. It discovered potential malware in its computer systems on Jan. 1, 2014, and sent notices to customers who had incurred fraudulent charges nine days later, according to the ruling.
Complaints seeking class action status were filed and consolidated in June 2014. In September 2014, the U.S. District Court in Chicago dismissed the case on the grounds the plaintiffs did not have grounds to sue.
Plaintiffs in the case pointed to several kinds of injury they allegedly suffered, including lost time and money resolving the fraudulent charges and protecting themselves against future identity theft; the financial loss of buying items at Neiman Marcus they would not have purchased “had they known of the store's careless approach to cybersecurity;” and lost control over the value of their personal information.
To pursue the case, the plaintiffs' complaints must satisfy the requirements established in the U.S Supreme Court's 2013 ruling in Clapper v. Amnesty International USA, in which the high court held that alleged injuries must be “concrete, particularized and actual or imminent,” according to the ruling.
“The question is whether (plaintiffs') allegations satisfy Clapper's requirement that injury either already have occurred or be 'certainly impending,'” said the ruling.
A three-judge panel held plaintiffs have met this standard. “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information?” said the ruling.
The ruling also pointed to Neiman Marcus offering one year of credit monitoring and identity-theft protection to customers. “It is unlikely they did so because the risk is so ephemeral that it can safely be disregarded,” said the ruling, in remanding the case for further action.
“This is certainly the first major data breach case where this kind of result has been reached,” said Thomas B. Alleman, a partner with law firm Dykema Gossett P.L.L.C. in Dallas, who was not involved in the case.
In comparable cases, courts have held plaintiffs did not have standing to sue because they had not yet suffered injury, and defendants have sought dismissal on that basis.
K&L Gates' Ms. Anderson said it is the first time an appellate court has considered the application of Clapper in this context.
The court is well-respected, she said, “and so it may well be persuasive to other courts outside the 7th Circuit. That said, there is a split among the lower courts” on this issue, “although these cases are gaining traction more and more,” she said.
“It can't help but be (influential), because the minute that there is a dispute over such a fundamental issue, it will generate opinions within the 7th Circuit and then cascade outwards,” Mr. Alleman said.
Furthermore, the case may also reach the U.S. Supreme Court, he said. Mr. Alleman pointed to the protective measures Neiman Marcus consumers took to avoid being affected by the breach.
“This would seem to me to be a candidate to go up on this very issue of how much prophylactic remedy constitutes an actual injury in fact,” Mr. Alleman said. “It moves the goalpost” over the issue of damages, he added.